
CVE-2015-0292 #89

Closed
samdai opened this issue Mar 30, 2016 · 3 comments
Comments

samdai commented Mar 30, 2016

I used the latest version 0.9.16-java of the jruby-openssl gem in my project, but when I use SonarQube to scan my code, it reports many "Using Components with Known Vulnerabilities" issues caused by jruby-openssl, for example CVE-2015-0292. I want to ask whether the jruby-openssl 0.9.16-java version is subject to the CVE-2015-0292, CVE-2014-3567, ... vulnerabilities? Which OpenSSL version does our jruby-openssl 0.9.16 map to?
Filename: jopenssl.jar | Reference: CVE-2015-0292 | CVSS Score: 7.5 | Category: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer | Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.

mkristian (Member) commented

Not sure what kind of checking this SonarQube does, but the quote references "crypto/evp/encode.c"; there is no C code in jopenssl.jar. Parts of jopenssl are a re-implementation of OpenSSL in Java; other parts use Bouncy Castle libraries.

How does SonarQube think the jar is OpenSSL?

kares (Member) commented Mar 30, 2016

Maybe they're just checking our emulated OpenSSL::VERSION constants (please confirm if possible):
... implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h

JRuby-OpenSSL should not be subject to any of those issues.
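The hypothesis above (a scanner matching only on an emulated OpenSSL version string) can be reproduced as a small triage check. This is an added example, not code from jruby-openssl or from the scanner; the affected ranges are the ones quoted in the issue, the "1.0.1c" emulated value and the native_openssl inventory flag are constructed assumptions.

```ruby
# Added example (not from the jruby-openssl project): reproduce the verdict a scanner
# gets from the OpenSSL version string alone, then add the question a triager needs
# answered, namely whether the component ships native OpenSSL code at all.

# Parse "1.0.1h", "0.9.8za" or "OpenSSL 1.0.1c 10 May 2012" into [[major, minor, patch], letters].
# OpenSSL's pre-1.1 letter suffixes sort lexically: "" < "a" < ... < "z" < "za" < "zb".
def parse_openssl_version(str)
  m = /\A(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)/.match(str.to_s.strip)
  raise ArgumentError, "not an OpenSSL version: #{str.inspect}" unless m
  [[m[1].to_i, m[2].to_i, m[3].to_i], m[4]]
end

# Affected branches as quoted in the advisory text in this issue:
# branch => first fixed release in that branch.
CVE_2015_0292_FIXED = {
  [0, 9, 8] => "0.9.8za",
  [1, 0, 0] => "1.0.0m",
  [1, 0, 1] => "1.0.1h",
}.freeze

# True when `version` is in an affected branch and older than that branch's fix.
def version_affected_by_cve_2015_0292?(version)
  nums, letters = parse_openssl_version(version)
  fixed = CVE_2015_0292_FIXED[nums]
  return false unless fixed
  letters < parse_openssl_version(fixed)[1]
end

# `native_openssl` is a hypothetical inventory flag (does the artifact contain the C
# library?); neither jopenssl.jar nor the scanner exposes it, so it has to come from
# a human or a separate inventory step.
def triage_cve_2015_0292(component:, reported_version:, native_openssl:)
  by_version = version_affected_by_cve_2015_0292?(reported_version)
  if by_version && !native_openssl
    { component: component, verdict: :false_positive,
      reason: "version string matches but no native OpenSSL code is shipped" }
  elsif by_version
    { component: component, verdict: :affected, reason: "native OpenSSL #{reported_version}" }
  else
    { component: component, verdict: :not_affected, reason: "#{reported_version} is at or past the fix" }
  end
end

if __FILE__ == $0
  # Constructed sample inputs; the emulated version value is assumed, not taken from the gem.
  p triage_cve_2015_0292(component: "jopenssl.jar", reported_version: "OpenSSL 1.0.1c", native_openssl: false)
  p triage_cve_2015_0292(component: "libssl.so", reported_version: "1.0.1g", native_openssl: true)
end
```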

samdai (Author) commented Mar 31, 2016

@mkristian, @kares: thanks for your reply. I have confirmed with the SonarQube guys that the rule "Using Components with Known Vulnerabilities" is not from a SonarQube plugin; it is from a third-party plugin. I will post this issue to the provider of that plugin.
