Summary
This host is installed with Ruby and is prone to an information disclosure vulnerability.
Impact
Successful exploits may allow attackers to predict random number values.
Impact Level: Application
Solution
Upgrade to Ruby version 1.8.7-p352, 1.9.2-p290 or later. For updates refer to http://rubyforge.org/frs/?group_id=167
Insight
The flaw exists because the SecureRandom.random_bytes function in lib/securerandom.rb uses the process ID (PID) as part of its initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process that had the same PID.
Affected
Ruby versions before 1.8.7-p352 and 1.9.x before 1.9.2-p290
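The fixed releases named in the Solution and Affected sections translate into a simple version-and-patchlevel comparison. The following Ruby script is an added example, not part of this advisory or of the Ruby project: it parses the banner printed by `ruby -v` and reports whether a build falls inside the affected range (any 1.8.x before 1.8.7-p352, any 1.9.x before 1.9.2-p290). The sample banners are constructed; the function names are this example's own.

```ruby
# Added example: check a Ruby version/patchlevel against the fixed releases
# named in this advisory (1.8.7-p352 and 1.9.2-p290). Not part of the page or
# of the Ruby project; the banner strings below are constructed samples.

# Fixed release per affected branch, as [major, minor, teeny, patchlevel].
FIXED = {
  [1, 8] => [1, 8, 7, 352],
  [1, 9] => [1, 9, 2, 290],
}.freeze

# Parse the output of `ruby -v`. Both banner layouts are handled:
#   "ruby 1.8.7 (2011-02-18 patchlevel 334) [x86_64-linux]"
#   "ruby 1.9.2p180 (2011-02-18 revision 30909) [x86_64-linux]"
# Returns [major, minor, teeny, patchlevel], or nil if the string is not understood.
def parse_ruby_version(banner)
  m = banner.match(/\bruby (\d+)\.(\d+)\.(\d+)(?:p(\d+))?(?: \([^)]*patchlevel (\d+)\))?/)
  return nil unless m
  patch = (m[4] || m[5] || 0).to_i
  [m[1].to_i, m[2].to_i, m[3].to_i, patch]
end

# True when the version is on an affected branch (1.8 or 1.9) and older than
# that branch's fixed release. Arrays compare lexicographically, so the
# patchlevel only decides when major/minor/teeny are equal.
def vulnerable_to_cve_2011_2705?(version)
  fixed = FIXED[version[0, 2]]
  return false unless fixed # 2.x and later are outside the affected range
  (version <=> fixed) < 0
end

# Convenience: classify the interpreter this script is running under.
# Development builds report RUBY_PATCHLEVEL as -1 and would read as affected.
def running_ruby_vulnerable?
  vulnerable_to_cve_2011_2705?([*RUBY_VERSION.split('.').map(&:to_i), RUBY_PATCHLEVEL.to_i])
end

if __FILE__ == $0
  # Constructed sample banners, as a scanner might collect them from `ruby -v`.
  samples = [
    "ruby 1.8.7 (2011-02-18 patchlevel 334) [x86_64-linux]",
    "ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]",
    "ruby 1.9.2p180 (2011-02-18 revision 30909) [x86_64-linux]",
    "ruby 1.9.2p290 (2011-07-09 revision 32553) [x86_64-linux]",
    "ruby 1.9.1p431 (2011-02-18 revision 30908) [x86_64-linux]",
  ]
  samples.each do |banner|
    version = parse_ruby_version(banner)
    status = vulnerable_to_cve_2011_2705?(version) ? "AFFECTED" : "fixed / not affected"
    puts "#{banner} => #{status}"
  end
  puts "this interpreter: #{running_ruby_vulnerable? ? 'AFFECTED' : 'not affected'}"
end
```

Run it as `ruby check_cve_2011_2705.rb` on the host, or feed it banners gathered from an inventory; a banner that does not parse yields nil and should be treated as "unknown" rather than "not affected".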
References
Severity
CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Classification
CVE: CVE-2011-2705
Related Vulnerabilities
- Asterisk Missing ACL Check Remote Security Bypass Vulnerability
- Asterisk SIP Response Username Enumeration Remote Information Disclosure Vulnerability
- Apple Safari 'Webkit' Information Disclosure Vulnerability (Win)
- Apache Tomcat Multiple Vulnerabilities - 03 Mar14
- Apple Mac OS X Denial of Service Vulnerability