Ruby Random Number Values Information Disclosure Vulnerability

Summary
Ruby is installed on this host and is prone to an information disclosure vulnerability.
Impact
Successful exploits may allow attackers to predict random number values. Impact Level: Application
Solution
Upgrade to Ruby version 1.8.7-p352, 1.9.2-p290 or later. For updates, refer to http://rubyforge.org/frs/?group_id=167
Insight
The flaw exists because the SecureRandom.random_bytes function in lib/securerandom.rb relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.
Affected
Ruby versions before 1.8.7-p352 and 1.9.x before 1.9.2-p290
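An added example (not part of the original advisory or of Ruby itself): a Ruby check that classifies a version string against the affected ranges listed above. The function names are hypothetical, the sample strings are constructed, and a version reported without a patch level is assumed to be patch level 0.

```ruby
# Added example: decide whether a Ruby version string falls in the affected
# ranges stated in this advisory (before 1.8.7-p352, 1.9.x before 1.9.2-p290).

FIXED_18 = [1, 8, 7, 352].freeze # first fixed 1.8 release per the advisory
FIXED_19 = [1, 9, 2, 290].freeze # first fixed 1.9 release per the advisory

# Parse "1.8.7-p352", "1.9.2p290" or a full `ruby -v` line into
# [major, minor, teeny, patchlevel]. Returns nil if no version is found.
# Assumption: a missing patch level is treated as 0 (the conservative choice).
def parse_ruby_version(text)
  m = text.match(/(\d+)\.(\d+)\.(\d+)(?:-?p(\d+))?/)
  return nil unless m
  [m[1].to_i, m[2].to_i, m[3].to_i, m[4] ? m[4].to_i : 0]
end

# True when the version is older than the first fixed release of its branch.
# 1.9.x is compared with 1.9.2-p290; everything else with 1.8.7-p352, so
# later series (1.9.3, 2.x, ...) compare as newer and are reported unaffected.
def affected_by_pid_seeding?(text)
  version = parse_ruby_version(text)
  raise ArgumentError, "no Ruby version in #{text.inspect}" unless version
  fixed = version[0, 2] == [1, 9] ? FIXED_19 : FIXED_18
  (version <=> fixed) < 0 # element-wise array comparison
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inventory entries, plus the interpreter running this script.
  samples = [
    "1.8.6-p420",
    "1.8.7-p334",
    "1.8.7-p352",
    "ruby 1.9.2p180 (2011-02-18 revision 30909)",
    "1.9.2-p290",
    "#{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}"
  ]
  samples.each do |s|
    status = affected_by_pid_seeding?(s) ? "AFFECTED" : "ok"
    puts format("%-8s %s", status, s)
  end
end
```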
References