Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2014-1492 CVE-2015-1855 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Amazon Linux AMI Operating systems & Components / Operating system |
Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU32555
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-1492
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
ruby18-static-1.8.7.374-2.42.4.amzn1.i686
ruby18-libs-1.8.7.374-2.42.4.amzn1.i686
ruby18-ri-1.8.7.374-2.42.4.amzn1.i686
ruby18-debuginfo-1.8.7.374-2.42.4.amzn1.i686
ruby18-devel-1.8.7.374-2.42.4.amzn1.i686
ruby18-1.8.7.374-2.42.4.amzn1.i686
noarch:
ruby18-irb-0.9.5-2.42.4.amzn1.noarch
ruby18-rdoc-1.0.1-2.42.4.amzn1.noarch
src:
ruby18-1.8.7.374-2.42.4.amzn1.src
x86_64:
ruby18-debuginfo-1.8.7.374-2.42.4.amzn1.x86_64
ruby18-static-1.8.7.374-2.42.4.amzn1.x86_64
ruby18-1.8.7.374-2.42.4.amzn1.x86_64
ruby18-devel-1.8.7.374-2.42.4.amzn1.x86_64
ruby18-libs-1.8.7.374-2.42.4.amzn1.x86_64
ruby18-ri-1.8.7.374-2.42.4.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2015-529.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU35016
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-1855
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
ruby18-static-1.8.7.374-2.42.4.amzn1.i686
ruby18-libs-1.8.7.374-2.42.4.amzn1.i686
ruby18-ri-1.8.7.374-2.42.4.amzn1.i686
ruby18-debuginfo-1.8.7.374-2.42.4.amzn1.i686
ruby18-devel-1.8.7.374-2.42.4.amzn1.i686
ruby18-1.8.7.374-2.42.4.amzn1.i686
noarch:
ruby18-irb-0.9.5-2.42.4.amzn1.noarch
ruby18-rdoc-1.0.1-2.42.4.amzn1.noarch
src:
ruby18-1.8.7.374-2.42.4.amzn1.src
x86_64:
ruby18-debuginfo-1.8.7.374-2.42.4.amzn1.x86_64
ruby18-static-1.8.7.374-2.42.4.amzn1.x86_64
ruby18-1.8.7.374-2.42.4.amzn1.x86_64
ruby18-devel-1.8.7.374-2.42.4.amzn1.x86_64
ruby18-libs-1.8.7.374-2.42.4.amzn1.x86_64
ruby18-ri-1.8.7.374-2.42.4.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2015-529.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.