| CARVIEW |
Select Language
HTTP/2 200
server: GitHub.com
content-type: text/html; charset=utf-8
x-origin-cache: HIT
last-modified: Wed, 16 Jul 2025 15:35:29 GMT
access-control-allow-origin: *
etag: W/"6877c6c1-1a43"
expires: Thu, 17 Jul 2025 04:57:26 GMT
cache-control: max-age=600
content-encoding: gzip
x-proxy-cache: MISS
x-github-request-id: 1FA8:3F3770:484CAD:48C96D:6878805E
accept-ranges: bytes
age: 0
date: Thu, 17 Jul 2025 04:47:26 GMT
via: 1.1 varnish
x-served-by: cache-bom4731-BOM
x-cache: MISS
x-cache-hits: 0
x-timer: S1752727647.541836,VS0,VE298
vary: Accept-Encoding
x-fastly-request-id: d2f230e6ed9456b68e8457a85942d93b306356f1
content-length: 2510
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
Posted by usa on 14 Sep 2017
There is a buffer underrun vulnerability in OpenSSL bundled by Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-14033.
Details
If a malicious string is passed to the decode method of OpenSSL::ASN1, buffer underrun may be caused and the Ruby interpreter may crash.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Affected Versions
- Ruby 2.2 series: 2.2.7 and earlier
- Ruby 2.3 series: 2.3.4 and earlier
- Ruby 2.4 series: 2.4.1 and earlier
- prior to trunk revision 56946
Workaround
The OpenSSL library is also distributed as a gem. If you can’t upgrade Ruby itself, install OpenSSL gem newer than version 2.0.0. But this workaround is only available with Ruby 2.4 series. When using Ruby 2.2 series or 2.3 series, the gem does not override the bundled version of OpenSSL.
Credit
Thanks to asac for reporting this issue.
History
- Originally published at 2017-09-14 12:00:00 (UTC)