Vulnerability in jruby-openssl < 0.6 - Recommended Upgrade

Monday, December 07 2009

A security problem involving peer certificate verification was found where failed verification silently did nothing, making affected applications vulnerable to attackers. Attackers could lead a client application to believe that a secure connection to a rogue SSL server is legitimate. Attackers could also penetrate client-validated SSL server applications with a dummy certificate.

Common Vulnerabilities and Exposures

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-4123 to this issue. This is a candidate for inclusion in the CVE list, which standardizes names for security problems.

Impact

Your application would be vulnerable if you’re using the OpenSSL::SSL::VERIFY_PEER mode on an OpenSSL-enabled socket (client or server) and any version of jruby-openssl prior to 0.6. An example using client-side validated SSL with the ‘net/https’ library is shown below.

  require 'net/https'
  uri = URI.parse('https://www.amazon.com/')
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER

  # This code should raise OpenSSL::SSL::SSLError
  # because it's not the correct trust anchor for
  # www.amazon.com.
  http.ca_file = 'test/fixture/verisign_c3.pem'
  response = http.start do |s|
    s.get(uri.request_uri)
  end

  # This code must fail as well because of an incorrect
  # trust anchor setting (no certs is the directory).
  http.ca_path = '/tmp'
  response = http.start do |s|
    s.get(uri.request_uri)
  end

  # verisign.pem is the correct trust anchor for www.amazon.com.
  # Only this request should be successful.
  http.ca_file = 'test/fixture/verisign.pem'
  response = http.start do |s|
    s.get(uri.request_uri)
  end


Release and Patch

  • The 0.6 release has the fix for the certificate validation vulnerability. Install the upgrade in the usual fashion by running jruby -S gem install jruby-openssl and ensuring that you get version 0.6 or greater.
  • A patch is available which should apply cleanly to the jruby-openssl 0.5.2 source. Ensure the code builds cleanly and passes tests by running jruby -S rake clean default.
  • Please contact security@jruby.org if you are unable to upgrade or use the 0.5.2 patch and require a backport. Let us know what version of jruby-openssl you’re using and help us understand how you’re using the library so we can determine whether you’re affected by the vulnerability.

Workarounds

No known workarounds exist, other than rewriting application code to use a different library to establish validated SSL connections.

Thanks

Thanks to NaHi (NAKAMURA Hiroshi - nahi at ruby-lang.org) for finding the problem and providing the fix.