CVE-2015-3900

Impact:: Important
Public Date:: 2015-05-14
CWE:: CWE-20->CWE-345

Bugzilla:: 1236116: CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint()

A flaw was found in a way rubygems verified the API endpoint hostname retrieved through a DNS SRV record. A man-in-the-middle attacker could use this flaw to force a client to download content from an untrusted domain.

Find out more about CVE-2015-3900 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue did not affect the versions of rubygems as shipped with Red Hat Enterprise Linux 6, Red Hat Enterprise MRG 2.5, Red Hat Satellite 6, Red Hat Openstack 5, Red Hat Openshift Enterprise 2 as they did not include support for getting API endpoint using SRV DNS records.

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for getting API endpoint using SRV DNS records. The issue did not affect version of ruby as shipped with Red Hat Enterprise Linux 7, as the support for getting API endpoint using SRV DNS records is included, but inactive.

This issue did not affect the versions of ruby193-ruby as shipped with Red Hat Subscription Asset Manager and Red Hat Software Collections as they did not include support for getting API endpoint using SRV DNS records.

The issue did not affect version of ruby200-ruby as shipped with Red Hat Software Collections, as the support for getting API endpoint using SRV DNS records is included, but inactive.

CVSS v2 metrics

Base Score	7.9
Base Metrics	AV:A/AC:M/Au:N/C:C/I:C/A:C
Access Vector	Adjacent Network
Access Complexity	Medium
Authentication	None
Confidentiality Impact	Complete
Integrity Impact	Complete
Availability Impact	Complete

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform	Errata	Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ruby22-ruby)	RHSA-2015:1657	2015-08-24
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ruby22-ruby)	RHSA-2015:1657	2015-08-24

Affected Packages State

Platform	Package	State
Red Hat Subscription Asset Manager 1	ruby193-ruby	Not affected
Red Hat Software Collections for Red Hat Enterprise Linux	ruby200-ruby	Will not fix
Red Hat Software Collections for Red Hat Enterprise Linux	ruby193-ruby	Not affected
Red Hat Satellite 6	rubygems	Not affected
Red Hat OpenShift Enterprise 2	rubygems	Not affected
Red Hat Enterprise MRG 2	rubygems	Not affected
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse)	rubygems	Not affected
Red Hat Enterprise Linux 7	ruby	Will not fix
Red Hat Enterprise Linux 6	rubygems	Not affected
Red Hat Enterprise Linux 6	ruby	Not affected
Red Hat Enterprise Linux 5	ruby	Not affected

External References

http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html

Last Modified 2018-05-01T10:55:02+00:00

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories