Vulnerabilities > CVE-2014-2734 - Resource Management Errors vulnerability in Ruby-Lang Ruby
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 12 |
Common Weakness Enumeration (CWE)
Seebug
| bulletinFamily | exploit |
| description | Bugtraq ID:66956 CVE ID:CVE-2014-2734 Yukihiro Matsumoto Ruby是一款功能强大的面向对象的脚本语言。 Yukihiro Matsumoto Ruby OpenSSL存在一个安全漏洞,允许攻击者利用漏洞伪造CA私钥。 0 Ruby 目前没有详细解决方案: http://www.ruby-lang.org/ |
| id | SSV:62243 |
| last seen | 2017-11-19 |
| modified | 2014-04-21 |
| published | 2014-04-21 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-62243 |
| title | Ruby OpenSSL CA私钥伪造漏洞 |
References
- http://packetstormsecurity.com/files/126218/Ruby-OpenSSL-Private-Key-Spoofing.html
- http://packetstormsecurity.com/files/126218/Ruby-OpenSSL-Private-Key-Spoofing.html
- http://seclists.org/fulldisclosure/2014/Apr/231
- http://seclists.org/fulldisclosure/2014/Apr/231
- http://seclists.org/fulldisclosure/2014/May/13
- http://seclists.org/fulldisclosure/2014/May/13
- http://www.osvdb.org/106006
- http://www.osvdb.org/106006
- http://www.securityfocus.com/bid/66956
- http://www.securityfocus.com/bid/66956
- https://gist.github.com/10446549
- https://gist.github.com/10446549
- https://gist.github.com/emboss/91696b56cd227c8a0c13
- https://gist.github.com/emboss/91696b56cd227c8a0c13
- https://github.com/adrienthebo/cve-2014-2734/
- https://github.com/adrienthebo/cve-2014-2734/
- https://news.ycombinator.com/item?id=7601973
- https://news.ycombinator.com/item?id=7601973
- https://www.ruby-lang.org/en/news/2014/05/09/dispute-of-vulnerability-cve-2014-2734/
- https://www.ruby-lang.org/en/news/2014/05/09/dispute-of-vulnerability-cve-2014-2734/