Vulnerability in jruby-openssl < 0.6 - Recommended Upgrade
Monday, December 07 2009
A security problem involving peer certificate verification was found
where failed verification silently did nothing, making affected
applications vulnerable to attackers. Attackers could lead a client
application to believe that a secure connection to a rogue SSL server
is legitimate. Attackers could also penetrate client-validated SSL
server applications with a dummy certificate.
Common Vulnerabilities and Exposures
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CVE-2009-4123 to this issue. This is a candidate for
inclusion in the CVE list, which standardizes
names for security problems.
Impact
Your application would be vulnerable if you’re using the
OpenSSL::SSL::VERIFY_PEER mode on an OpenSSL-enabled socket (client or
server) and any version of jruby-openssl prior to 0.6. An example
using client-side validated SSL with the ‘net/https’ library is shown
below.
Release and Patch
- The 0.6 release has the fix for the certificate validation
vulnerability. Install the upgrade in the usual fashion by running
jruby -S gem install jruby-openssl
and ensuring that you get
version 0.6 or greater.
- A patch is available which should apply cleanly to the
jruby-openssl 0.5.2 source. Ensure the code builds cleanly and
passes tests by running
jruby -S rake clean default
.
- Please contact security@jruby.org if
you are unable to upgrade or use the 0.5.2 patch and require a
backport. Let us know what version of jruby-openssl you’re using and
help us understand how you’re using the library so we can determine
whether you’re affected by the vulnerability.
Workarounds
No known workarounds exist, other than rewriting application code to
use a different library to establish validated SSL connections.
Thanks
Thanks to NaHi (NAKAMURA Hiroshi - nahi at ruby-lang.org) for finding
the problem and providing the fix.
A security problem involving peer certificate verification was found where failed verification silently did nothing, making affected applications vulnerable to attackers. Attackers could lead a client application to believe that a secure connection to a rogue SSL server is legitimate. Attackers could also penetrate client-validated SSL server applications with a dummy certificate.
Common Vulnerabilities and Exposures
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-4123 to this issue. This is a candidate for inclusion in the CVE list, which standardizes names for security problems.
Impact
Your application would be vulnerable if you’re using the OpenSSL::SSL::VERIFY_PEER mode on an OpenSSL-enabled socket (client or server) and any version of jruby-openssl prior to 0.6. An example using client-side validated SSL with the ‘net/https’ library is shown below.
Release and Patch
- The 0.6 release has the fix for the certificate validation
vulnerability. Install the upgrade in the usual fashion by running
jruby -S gem install jruby-openssl
and ensuring that you get version 0.6 or greater. - A patch is available which should apply cleanly to the
jruby-openssl 0.5.2 source. Ensure the code builds cleanly and
passes tests by running
jruby -S rake clean default
. - Please contact security@jruby.org if you are unable to upgrade or use the 0.5.2 patch and require a backport. Let us know what version of jruby-openssl you’re using and help us understand how you’re using the library so we can determine whether you’re affected by the vulnerability.
Workarounds
No known workarounds exist, other than rewriting application code to use a different library to establish validated SSL connections.
Thanks
Thanks to NaHi (NAKAMURA Hiroshi - nahi at ruby-lang.org) for finding the problem and providing the fix.