Description
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
Mitigation
A possible workaround for this flaw, when using aes-256-gcm mode, is to always set the key first and then the IV. For example, when setting a random key and IV, use the following code segment:

```ruby
key = cipher.random_key  # set the key first
iv = cipher.random_iv    # then the IV
```
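The ordering issue described above, as an added Ruby example (not code from the advisory or from the openssl gem): `gcm_encrypt` sets key and IV in either order, and `iv_before_key_honoured?` is a self-check that reports whether the running gem actually uses an IV assigned before the key. The helper names, the `order:` parameter and the sample message are constructed for illustration; the check assumes an affected runtime ignores the early IV, as the description states.

```ruby
require 'openssl'

# Encrypt with AES-256-GCM, assigning key and IV in the requested order.
# :key_first is the workaround order; :iv_first is the order the advisory warns about.
def gcm_encrypt(key, iv, plaintext, order: :key_first)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  if order == :key_first
    cipher.key = key
    cipher.iv = iv
  else
    cipher.iv = iv
    cipher.key = key
  end
  ciphertext = cipher.update(plaintext) + cipher.final
  [ciphertext, cipher.auth_tag]
end

# Decrypt and verify the GCM tag; raises OpenSSL::Cipher::CipherError on mismatch.
def gcm_decrypt(key, iv, ciphertext, tag)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final
end

# Self-check for the running gem: true when an IV set before the key is used.
# If the early IV were ignored, two different IVs would give the same ciphertext
# and the result would differ from the key-first reference.
def iv_before_key_honoured?
  key = OpenSSL::Random.random_bytes(32)
  msg = 'constructed test message'
  iv_a = OpenSSL::Random.random_bytes(12)
  iv_b = OpenSSL::Random.random_bytes(12)
  a, = gcm_encrypt(key, iv_a, msg, order: :iv_first)
  b, = gcm_encrypt(key, iv_b, msg, order: :iv_first)
  ref, = gcm_encrypt(key, iv_a, msg, order: :key_first)
  a != b && a == ref
end
```

A `false` result from `iv_before_key_honoured?` means the key-first order is required on that runtime; application code should use a fresh IV for every message under a given key in either case.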
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| CloudForms Management Engine 5 | rh-ruby22-ruby | Will not fix | | |
| CloudForms Management Engine 5 | ruby-200-ruby | Will not fix | | |
| Red Hat Enterprise Linux 5 | ruby | Will not fix | | |
| Red Hat Enterprise Linux 6 | ruby | Will not fix | | |
| Red Hat Enterprise Linux 7 | ruby | Will not fix | | |
| Red Hat Software Collections | rh-ruby22-ruby | Will not fix | | |
| Red Hat Software Collections | rh-ruby23-ruby | Will not fix | | |
| Red Hat Software Collections | ruby200-ruby | Will not fix | | |
Additional information
Status:
EPSS
CVSS3: 3.7 Low
CVSS2: 4.3 Medium
Related vulnerabilities
OpenSSL gem for Ruby using inadequate encryption strength