Amazon Linux AMI update for ruby20

1) Out-of-bounds read

EUVDB-ID: #VU7345

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-9224

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists in the mbstring due to stack out-of-bounds read in match_at() during regular expression searching. A remote attacker can trigger a logical error involving order of validation and access in match_at() and read arbitrary files on the system.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Update the affected packages:

i686:
    ruby20-2.0.0.648-2.42.amzn1.i686
    rubygem20-io-console-0.4.2-2.42.amzn1.i686
    rubygem20-psych-2.0.0-2.42.amzn1.i686
    ruby20-devel-2.0.0.648-2.42.amzn1.i686
    rubygem20-bigdecimal-1.2.0-2.42.amzn1.i686
    ruby20-libs-2.0.0.648-2.42.amzn1.i686
    ruby20-debuginfo-2.0.0.648-2.42.amzn1.i686

noarch:
    ruby20-irb-2.0.0.648-2.42.amzn1.noarch
    rubygems20-devel-2.0.14.1-2.42.amzn1.noarch
    ruby20-doc-2.0.0.648-2.42.amzn1.noarch
    rubygems20-2.0.14.1-2.42.amzn1.noarch

src:
    ruby20-2.0.0.648-2.42.amzn1.src

x86_64:
    rubygem20-io-console-0.4.2-2.42.amzn1.x86_64
    rubygem20-psych-2.0.0-2.42.amzn1.x86_64
    ruby20-2.0.0.648-2.42.amzn1.x86_64
    ruby20-libs-2.0.0.648-2.42.amzn1.x86_64
    ruby20-debuginfo-2.0.0.648-2.42.amzn1.x86_64
    ruby20-devel-2.0.0.648-2.42.amzn1.x86_64
    rubygem20-bigdecimal-1.2.0-2.42.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ruby20: before 2.0.0.648-2.42

External links

http://alas.aws.amazon.com/ALAS-2023-1824.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.