Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2018-16395

An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.

Source

The MITRE CVE dictionary describes this issue as:

An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.

Find out more about CVE-2018-16395 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates.

Red Hat Virtualization includes a vulnerable version of ruby, however the affected functionality is not used in Red Hat Virtualization or any of its dependencies. A future update may address this issue.

CVSS v3 metrics

CVSS3 Base Score	7.5
CVSS3 Base Metrics	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality	None
Integrity Impact	High
Availability Impact	None

Red Hat Security Errata

Platform	Errata	Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ruby24-ruby)	RHSA-2018:3730	2018-11-29
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ruby23-ruby)	RHSA-2018:3729	2018-11-29
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby23-ruby)	RHSA-2018:3729	2018-11-29
Red Hat Enterprise Linux 7 (ruby)	RHSA-2018:3738	2018-11-29
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby24-ruby)	RHSA-2018:3730	2018-11-29
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby25-ruby)	RHSA-2018:3731	2018-11-29

Affected Packages State

Platform	Package	State
Red Hat Virtualization 4	ruby	Will not fix
Red Hat Subscription Asset Manager 1	ruby193	Will not fix
Red Hat Enterprise Linux 6	ruby	Will not fix
Red Hat Enterprise Linux 5	ruby	Will not fix

External References

https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2018-16395

Statement

CVSS v3 metrics

Red Hat Security Errata

Affected Packages State

External References

Vulmon Search

About

Products

Connect