CVE-2015-3900

Impact:
Important
Public Date:
2015-05-14
CWE:
CWE-20->CWE-345
Bugzilla:
1236116: CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint()
A flaw was found in the way rubygems verified the API endpoint hostname retrieved through a DNS SRV record: the hostname returned by the SRV lookup was not checked against the gem source's original host. A man-in-the-middle attacker able to spoof the DNS response could use this flaw to force a client to download content from an untrusted domain.
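The check the description refers to, shown as an added example rather than RubyGems' own code. RubyGems resolves the API endpoint by querying an SRV record named _rubygems._tcp.<host>; the vulnerable pattern below uses whatever target that record names, while the hardened pattern accepts the target only if it is the original host or a subdomain of it. FakeDNS, DEMO_DNS and the two api_endpoint_* functions are constructed for this example; the SRV answers in DEMO_DNS are made-up, with the second and third modelling a spoofed reply.

```ruby
require 'uri'
require 'resolv'

# Constructed stand-in for Resolv::DNS (not part of RubyGems): answers SRV
# queries from an in-memory table and raises Resolv::ResolvError for anything
# else, as the real resolver does.
class FakeDNS
  Record = Struct.new(:target, :port, :priority, :weight)

  def initialize(records)
    @records = records
  end

  def getresource(name, _typeclass)
    raise Resolv::ResolvError, "no SRV record for #{name}" unless @records.key?(name)
    Record.new(@records[name], 443, 0, 0)
  end
end

# Constructed SRV table. The first entry is the benign case (the API host is a
# subdomain of the gem source); the other two model a poisoned or spoofed answer.
DEMO_DNS = FakeDNS.new(
  '_rubygems._tcp.rubygems.org' => 'api.rubygems.org',
  '_rubygems._tcp.gems.example' => 'attacker.example.net', # unrelated domain
  '_rubygems._tcp.mirror.test'  => 'evilmirror.test'       # bare suffix match
)

# Vulnerable pattern: whatever host the SRV answer names becomes the API
# endpoint, so a spoofed DNS reply redirects the client to an attacker's server.
def api_endpoint_unchecked(uri, dns)
  res = dns.getresource("_rubygems._tcp.#{uri.host}", Resolv::DNS::Resource::IN::SRV)
  URI.parse("#{uri.scheme}://#{res.target}#{uri.path}")
rescue Resolv::ResolvError
  uri
end

# Hardened pattern: honour the SRV target only if it is the original host or a
# subdomain of it. The comparison is case-insensitive (DNS names are) and
# requires a dot boundary, so "evilmirror.test" does not pass for "mirror.test";
# a plain end_with?(host) check would let it through.
def api_endpoint_checked(uri, dns)
  host = uri.host.downcase
  res = dns.getresource("_rubygems._tcp.#{host}", Resolv::DNS::Resource::IN::SRV)
  target = res.target.to_s.strip.downcase.chomp('.')
  return uri unless target == host || target.end_with?(".#{host}")
  URI.parse("#{uri.scheme}://#{target}#{uri.path}")
rescue Resolv::ResolvError
  uri
end

if __FILE__ == $0
  %w[https://rubygems.org/api/v1/dependencies
     https://gems.example/api/v1/dependencies
     https://mirror.test/api/v1/dependencies
     https://nosrv.example/api/v1/dependencies].each do |u|
    uri = URI.parse(u)
    puts "#{uri.host}: unchecked -> #{api_endpoint_unchecked(uri, DEMO_DNS).host}, " \
         "checked -> #{api_endpoint_checked(uri, DEMO_DNS).host}"
  end
end
```

Without an SRV record both variants fall back to the original URI; the difference only appears when the resolver answers, which is exactly the position a man-in-the-middle on the network path occupies.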

Find out more about CVE-2015-3900 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue did not affect the versions of rubygems as shipped with Red Hat Enterprise Linux 6, Red Hat Enterprise MRG 2.5, Red Hat Satellite 6, Red Hat OpenStack 5 and Red Hat OpenShift Enterprise 2, as they did not include support for obtaining the API endpoint from DNS SRV records.

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6, as they did not include support for obtaining the API endpoint from DNS SRV records. The issue did not affect the version of ruby as shipped with Red Hat Enterprise Linux 7: support for obtaining the API endpoint from DNS SRV records is included, but inactive.

This issue did not affect the versions of ruby193-ruby as shipped with Red Hat Subscription Asset Manager and Red Hat Software Collections, as they did not include support for obtaining the API endpoint from DNS SRV records.

The issue did not affect the version of ruby200-ruby as shipped with Red Hat Software Collections: support for obtaining the API endpoint from DNS SRV records is included, but inactive.

CVSS v2 metrics

Base Score 7.9
Base Metrics AV:A/AC:M/Au:N/C:C/I:C/A:C
Access Vector Adjacent Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ruby22-ruby) RHSA-2015:1657 2015-08-24
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby22-ruby) RHSA-2015:1657 2015-08-24

Affected Packages State

Platform Package State
Red Hat Subscription Asset Manager 1 ruby193-ruby Not affected
Red Hat Software Collections for Red Hat Enterprise Linux ruby200-ruby Will not fix
Red Hat Software Collections for Red Hat Enterprise Linux ruby193-ruby Not affected
Red Hat Satellite 6 rubygems Not affected
Red Hat OpenShift Enterprise 2 rubygems Not affected
Red Hat Enterprise MRG 2 rubygems Not affected
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) rubygems Not affected
Red Hat Enterprise Linux 7 ruby Will not fix
Red Hat Enterprise Linux 6 rubygems Not affected
Red Hat Enterprise Linux 6 ruby Not affected
Red Hat Enterprise Linux 5 ruby Not affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.
