Описание
A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service.
Отчет
More information about the Marvin Attack may be found at https://www.redhat.com/en/blog/marvin-attack.
Меры по смягчению последствий
See the following possible mitigations for this flaw:
- Do not use the methods with PKCS#1v1.5 padding in network contexts. Make sure that any calls that happen, will perform OAEP decryption only. Do not support PKCS#1v1.5 encryption padding at all.
- Use Ruby with a version of OpenSSL that has the implicit rejection mechanism implemented.(https://github.com/openssl/openssl/pull/13817, https://github.com/openssl/openssl/commit/7fc67e0a33102aa47bbaa56533eeecb98c0450f7 included in 3.2.0, backported to RHEL-8)
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | ruby | Out of support scope | ||
| Red Hat Enterprise Linux 7 | ruby | Out of support scope | ||
| Red Hat Enterprise Linux 8 | ruby:2.5/ruby | Out of support scope | ||
| Red Hat Enterprise Linux 8 | ruby:3.1/ruby | Out of support scope | ||
| Red Hat Enterprise Linux 8 | ruby:3.3/ruby | Not affected | ||
| Red Hat Enterprise Linux 9 | ruby | Will not fix | ||
| Red Hat Enterprise Linux 9 | ruby:3.1/ruby | Will not fix | ||
| Red Hat Enterprise Linux 9 | ruby:3.3/ruby | Will not fix | ||
| Red Hat Storage 3 | ruby | Affected |
Показывать по
Дополнительная информация
Статус:
7.4 High
CVSS3
Связанные уязвимости
A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service.
A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service.
A vulnerability was found in Ruby. The Ruby interpreter is vulnerable ...
A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service.
Уязвимость интерпретатора Ruby, связанная с использованием скрытых временных каналов для передачи данных, позволяющая нарушителю реализовать атаку Marvin
7.4 High
CVSS3