Summary
This host is installed with Ruby and is prone to an information disclosure vulnerability.
Impact
Successful exploits may allow attackers to predict random number values.
Impact Level: Application
Solution
Upgrade to Ruby version 1.8.7-p352, 1.9.2-p290 or later. For updates refer to http://rubyforge.org/frs/?group_id=167
Insight
The flaw exists because the SecureRandom.random_bytes function in lib/securerandom.rb relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.
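The Insight above describes random output being shared between processes. As an added example (not code from this advisory or from Ruby's own securerandom.rb), the simplest case is shown below: a forked child inherits the parent's generator state, so two children draw identical bytes, beside a wrapper that reseeds from the OS whenever the process ID it observes changes. Ruby's Random class stands in for the OpenSSL PRNG, and a POSIX platform with fork is assumed.

```ruby
# Added example, not code from the advisory or from Ruby's securerandom.rb.
# Ruby's Random (Mersenne Twister) stands in for the OpenSSL PRNG; the point is
# that a seeded generator's state is copied into every forked child.
# Assumes a POSIX platform where fork is available.

# Weak pattern: seed once, keep handing out bytes even after fork.
class ForkUnsafeRng
  def initialize; @rng = Random.new; end
  def bytes(n); @rng.bytes(n); end
end

# Mitigation: remember which PID seeded the generator and reseed from the OS
# whenever the current PID differs (first use, or any forked child).
class ForkAwareRng
  def initialize; @pid = nil; @rng = nil; end

  def bytes(n)
    pid = Process.pid
    if @pid != pid
      @rng = Random.new(Random.new_seed) # fresh OS entropy, not inherited state
      @pid = pid
    end
    @rng.bytes(n)
  end
end

# Draw once in the parent, then fork two children that each draw n bytes from
# the inherited object; returns both children's outputs as hex strings.
def child_outputs(rng, n = 16)
  rng.bytes(1)
  Array.new(2) do
    reader, writer = IO.pipe
    pid = fork do
      reader.close
      writer.write(rng.bytes(n).unpack1('H*'))
      writer.close
      exit!(0) # skip at_exit handlers in the child
    end
    writer.close
    out = reader.read
    reader.close
    Process.wait(pid)
    out
  end
end

# true when both children produced identical "random" bytes
def children_collide?(rng)
  child_outputs(rng).uniq.size == 1
end
```

With the unsafe class both children return the same hex string; with the PID-aware wrapper they differ, which is the property a post-fork check is meant to guarantee.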
Affected
Ruby versions before 1.8.7-p352 and 1.9.x before 1.9.2-p290
References
CVE-2011-2705
Severity
CVSS Base Score: 5.0
CVSS Base Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Classification
CVE: CVE-2011-2705