CVE-2015-1855

Summary

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Impact & exploitability

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products we track (1)

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

• NVD record
• https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/Advisory
• http://www.debian.org/security/2015/dsa-3245Advisory
• http://www.debian.org/security/2015/dsa-3246Advisory
• http://www.debian.org/security/2015/dsa-3247Advisory
• https://bugs.ruby-lang.org/issues/9644Advisory
• https://puppetlabs.com/security/cve/cve-2015-1855Advisory