CVE-2017-14033
published 2017-09-19CVE-2017-14033: The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service…
PriorityP337high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
EPSS
7.73%
93.9th percentile
The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.
Affected
39 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_high_sierra_10.13.6_security_update_2018-004_sierra_security_update_2018-0 | — | — |
| apple | macos_mojave_10.14.1_security_update_2018-002_high_sierra_security_update_2018-0 | — | — |
| openssl | openssl | >= 0 < 2.0.0 | 2.0.0 |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | >= 0 < 2.4.2-r0 | 2.4.2-r0 |
| ruby-lang | ruby | >= 0 < 2.4.2-r0 | 2.4.2-r0 |
| ruby-lang | ruby | >= 0 < 2.4.2-r0 | 2.4.2-r0 |
| ruby-lang | ruby | >= 0 < 2.4.2-r0 | 2.4.2-r0 |
| ruby-lang | ruby | >= 0 < 2.4.2-r0 | 2.4.2-r0 |
| ruby-lang | ruby | >= 0 < 2.4.2-r0 | 2.4.2-r0 |
| ruby-lang | ruby | >= 0 < 2.4.2-r0 | 2.4.2-r0 |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv9.1CRITICAL
vendor_ubuntu9.1CRITICAL
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Apple
CVE-2017-14033: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
vendor_apple·2018-10-30·CVSS 7.5
CVE-2017-14033 [HIGH] CVE-2017-14033: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
Apple Security Update: About the security content of macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
Product: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
CVE: CVE-2017-14033
Component: CVE-2017-14033
Apple
CVE-2017-14033: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
vendor_apple·2018-07-09·CVSS 7.5
CVE-2017-14033 [HIGH] CVE-2017-14033: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
Apple Security Update: About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
Product: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
CVE: CVE-2017-14033
Component: CVE-2017-14033
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2018-01-10·CVSS 8.8
CVE-2017-10784 [HIGH] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled certain terminal emulator
escape sequences. An attacker could use this to execute arbitrary code via
a crafted user name. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10.
(CVE-2017-10784)
It was discovered that Ruby incorrectly handled certain strings.
An attacker could use this to cause a denial of service. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-14033)
It was discovered that Ruby incorrectly handled some generating JSON.
An attacker could use this to possible expose sensitive information.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10.
(CVE-2017-14064)
It was discovered that Ruby incorrectly handled cert
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2017-10-05·CVSS 9.1
CVE-2017-0898 [CRITICAL] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun.
(CVE-2017-0898)
Yusuke Endoh discovered that Ruby incorrectly handled certain files.
An attacker could use this to execute terminal escape sequences.
(CVE-2017-0899)
Yusuke Endoh discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a denial of service.
(CVE-2017-0900)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to execute arbitrary code.
(CVE-2017-10784)
It
Red Hat
ruby: Buffer underrun in OpenSSL ASN1 decode
vendor_redhat·2017-09-14·CVSS 7.5
CVE-2017-14033 [HIGH] CWE-119 ruby: Buffer underrun in OpenSSL ASN1 decode
ruby: Buffer underrun in OpenSSL ASN1 decode
The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.
It was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service.
Statement: This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6, and the versions of rh-ruby24-ruby.
This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 7 and the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software C
OSV
Ruby OpenSSL DoS Vulnerability
osv·2022-05-14
CVE-2017-14033 [HIGH] Ruby OpenSSL DoS Vulnerability
Ruby OpenSSL DoS Vulnerability
The decode method in the `OpenSSL::ASN1` module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string. The `openssl` gem that contains this module is patched in version 2.0.0.
GHSA
Ruby OpenSSL DoS Vulnerability
ghsa·2022-05-14
CVE-2017-14033 [HIGH] CWE-119 Ruby OpenSSL DoS Vulnerability
Ruby OpenSSL DoS Vulnerability
The decode method in the `OpenSSL::ASN1` module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string. The `openssl` gem that contains this module is patched in version 2.0.0.
OSV
ruby1.9.1, ruby2.3 vulnerabilities
osv·2018-01-10·CVSS 8.8
CVE-2017-10784 [HIGH] ruby1.9.1, ruby2.3 vulnerabilities
ruby1.9.1, ruby2.3 vulnerabilities
It was discovered that Ruby incorrectly handled certain terminal emulator
escape sequences. An attacker could use this to execute arbitrary code via
a crafted user name. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10.
(CVE-2017-10784)
It was discovered that Ruby incorrectly handled certain strings.
An attacker could use this to cause a denial of service. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-14033)
It was discovered that Ruby incorrectly handled some generating JSON.
An attacker could use this to possible expose sensitive information.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10.
(CVE-2017-14064)
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to execu
OSV
ruby1.9.1 vulnerabilities
osv·2017-10-05·CVSS 9.1
CVE-2017-0898 [CRITICAL] ruby1.9.1 vulnerabilities
ruby1.9.1 vulnerabilities
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun.
(CVE-2017-0898)
Yusuke Endoh discovered that Ruby incorrectly handled certain files.
An attacker could use this to execute terminal escape sequences.
(CVE-2017-0899)
Yusuke Endoh discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a denial of service.
(CVE-2017-0900)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to execute arbitrary code.
(CVE-2017-10784)
It was discovered that Ruby incorrectly handled certain inp
OSV
CVE-2017-14033: The decode method in the OpenSSL::ASN1 module in Ruby before 2
osv·2017-09-19·CVSS 7.5
CVE-2017-14033 [HIGH] CVE-2017-14033: The decode method in the OpenSSL::ASN1 module in Ruby before 2
The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-0898 CVE-2017-10784 CVE-2017-14033 ruby: various flaws [fedora-all]
bugzilla·2017-09-15·CVSS 9.1
CVE-2017-0898 [CRITICAL] CVE-2017-0898 CVE-2017-10784 CVE-2017-14033 ruby: various flaws [fedora-all]
CVE-2017-0898 CVE-2017-10784 CVE-2017-14033 ruby: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions
Bugzilla
CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
bugzilla·2017-09-14·CVSS 7.5
CVE-2017-14033 [HIGH] CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
There is a buffer underrun vulnerability in OpenSSL bundled by Ruby. If a malicious string is passed to the decode method of OpenSSL::ASN1, buffer underrun may be caused and the Ruby interpreter may crash.
References:
https://bugzilla.novell.com/show_bug.cgi?id=1058757
https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1492016]
Created ruby193-ruby tracking bugs for this issue:
Affects: openshift-1 [bug 1492017]
---
ruby-2.4.2-84.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
---
It appears that CVE-2017-14033 corresponds
http://www.securityfocus.com/bid/100868http://www.securitytracker.com/id/1039363http://www.securitytracker.com/id/1042004https://access.redhat.com/errata/RHSA-2018:0378https://access.redhat.com/errata/RHSA-2018:0583https://access.redhat.com/errata/RHSA-2018:0585https://lists.debian.org/debian-lts-announce/2018/07/msg00012.htmlhttps://security.gentoo.org/glsa/201710-18https://www.debian.org/security/2017/dsa-4031https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/http://www.securityfocus.com/bid/100868http://www.securitytracker.com/id/1039363http://www.securitytracker.com/id/1042004https://access.redhat.com/errata/RHSA-2018:0378https://access.redhat.com/errata/RHSA-2018:0583https://access.redhat.com/errata/RHSA-2018:0585https://lists.debian.org/debian-lts-announce/2018/07/msg00012.htmlhttps://security.gentoo.org/glsa/201710-18https://www.debian.org/security/2017/dsa-4031https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/
2017-09-19
Published