If you find a vulnerability in TruffleRuby, please report it to chris.seaton@oracle.com and CC kevin.menard@oracle.com.
Vulnerabilities reported against MRI may apply to the design of Ruby, or to code that we share with MRI, so we list reported MRI vulnerabilities here and documented, how MRI has mitigated the vulnerability, if the mitigation is tested by anything, and how TruffleRuby has mitigated.
Note that todo means we just haven't researched and filled the details in yet - not that we either believe TruffleRuby is vulnerable or not.
Cross-reference with the details on the MRI website https://www.ruby-lang.org/en/security/.
| Number | Description | Their Mitigation | Test | Our Mitigation |
|---|---|---|---|---|
| CVE-2017-17405 | Command injection vulnerability in Net::FTP | todo | todo | todo |
| CVE-2017-10784 | Escape sequence injection vulnerability in the Basic authentication of WEBrick | todo | todo | todo |
| CVE-2017-0898 | Buffer underrun vulnerability in Kernel.sprintf | todo | todo | todo |
| CVE-2017-14033 | Buffer underrun vulnerability in OpenSSL ASN1 decode | todo | todo | todo |
| CVE-2017-14064 | Heap exposure vulnerability in generating JSON | todo | todo | todo |
| CVE-2017-0902, CVE-2017-0899, CVE-2017-0900, CVE-2017-0901 | Multiple vulnerabilities in RubyGems | todo | todo | todo |
| CVE-2015-7551 | Unsafe tainted string usage in Fiddle and DL | todo | todo | todo |
| CVE-2015-1855 | Ruby OpenSSL Hostname Verification | todo | todo | todo |
| CVE-2014-8090 | Another Denial of Service XML Expansion | todo | todo | todo |
| CVE-2014-8080 | Denial of Service XML Expansion | todo | Tested in ruby/spec :security |
todo |
| None | Changed default settings of ext/openssl | todo | todo | todo |
| CVE-2014-2734 | Dispute of Vulnerability | todo | todo | todo |
| CVE-2014-0160 | OpenSSL Severe Vulnerability in TLS Heartbeat Extension | todo | todo | todo |
| CVE-2014-2525 | Heap Overflow in YAML URI Escape Parsing | todo | todo | todo |
| CVE-2013-4164 | Heap Overflow in Floating Point Parsing | todo | Tested in ruby/spec :security |
todo |
| CVE-2013-4073 | Hostname check bypassing vulnerability in SSL client | todo | todo | todo |
| CVE-2013-2065 | Object taint bypassing in DL and Fiddle in Ruby | todo | todo | todo |
| CVE-2013-1821 | Entity expansion DoS vulnerability in REXML | todo | todo | todo |
| CVE-2013-0269 | Denial of Service and Unsafe Object Creation Vulnerability in JSON | todo | todo | todo |
| CVE-2013-0256 | XSS exploit of RDoc documentation generated by rdoc | todo | todo | todo |
| CVE-2012-5371 | Hash-flooding DoS vulnerability for ruby 1.9 | todo | todo | todo |
| CVE-2012-4522 | Unintentional file creation caused by inserting a illegal NUL character | todo | todo | todo |
| CVE-2012-4464, CVE-2012-4466 | $SAFE escaping vulnerability about Exception#to_s / NameError#to_s | todo | todo | todo |
| None | Security Fix for RubyGems: SSL server verification failure for remote repository | todo | todo | todo |
| CVE-2011-3389 | Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack | todo | todo | todo |
| CVE-2011-4815 | Denial of service attack was found for Ruby's Hash algorithm (cross-reference CVE-2011-4838, CVE-2012-5370, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in ruby/spec :security |
Hashes are made non-deterministic by incorporating a seed from /dev/random |
| None | Exception methods can bypass $SAFE | todo | todo | todo |
| None | FileUtils is vulnerable to symlink race attacks | todo | todo | todo |
| CVE-2010-0541 | XSS in WEBrick | todo | todo | todo |
| None | Buffer over-run in ARGF.inplace_mode= | todo | todo | todo |
| None | WEBrick has an Escape Sequence Injection vulnerability | todo | todo | todo |
| CVE-2009-4124 | Heap overflow in String | todo | todo | todo |
| None | DoS vulnerability in BigDecimal | todo | todo | todo |
| None | DoS vulnerability in REXML | todo | todo | todo |
| CVE-2008-1447 | Multiple vulnerabilities in Ruby | todo | todo | todo |
| CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726, CVE-2008-2664, CVE-2008-1891 | Arbitrary code execution vulnerabilities | todo | todo | todo |
| None | File access vulnerability of WEBrick | todo | todo | todo |
| None | Net::HTTPS Vulnerability | todo | todo | todo |
| JVN#84798830 | Another DoS Vulnerability in CGI Library | todo | todo | todo |
| CVE-2006-5467 | DoS Vulnerability in CGI Library | todo | todo | todo |
| VU#160012 | Ruby vulnerability in the safe level settings | todo | todo | todo |
TruffleRuby uses code from JRuby, so vulnerabilities reported against JRuby may apply to TruffleRuby.
| Number | Description | Their Mitigation | Test | Our Mitigation |
|---|---|---|---|---|
| CVE-2012-5370 | JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2011-4838, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in ruby/spec :security |
Hashes are made non-deterministic by incorporating a seed from /dev/random |
| CVE-2011-4838 | JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2012-5370, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in ruby/spec :security |
Hashes are made non-deterministic by incorporating a seed from /dev/random |
| CVE-2010-1330 | The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character | todo | todo | todo |
TruffleRuby uses code from Rubinius, so vulnerabilities reported against Rubinius may apply to TruffleRuby.
| Number | Description | Their Mitigation | Test | Our Mitigation |
|---|---|---|---|---|
| CVE-2012-5372 | Rubinius computes hash values without properly restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2011-4838, CVE-2012-5370) | Hashes are made non-deterministic by incorporating output from /dev/urandom |
Tested in ruby/spec :security |
Hashes are made non-deterministic by incorporating a seed from /dev/random |
| Number | Description | Their Mitigation | Test | Our Mitigation |
|---|---|---|---|---|
| CVE-2016-8744 | SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type | todo | todo | todo |
We are not aware of any known vulnerabilities.
We are not aware of any known vulnerabilities.
We are not aware of any known vulnerabilities, but consider potential
vulnerabilities in your system zlib.
Consider potential vulnerabilities in your system libssl.
We are not aware of any known vulnerabilities.
TruffleRuby uses MurmurHash2 hashing with a seed from Java's SecureRandom
(probably /dev/random) - it cannot be configured to use any other hashing
algorithm. For hashing strings we use Java's hash algorithm (and then
MurmurHash2 on top).