---
engine: ruby
cve: 2017-14033
url: https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
title: Buffer underrun vulnerability in OpenSSL ASN1 decode
date: 2017-09-14
description: |
  There is a buffer underrun vulnerability in OpenSSL bundled by Ruby.

  If a malicious string is passed to the decode method of OpenSSL::ASN1,
  buffer underrun may be caused and the Ruby interpreter may crash.
  All users running an affected release should either upgrade or use one of
  the workarounds immediately.

  The OpenSSL library is also distributed as a gem. If you can’t upgrade Ruby
  itself, install OpenSSL gem newer than version 2.0.0. But this workaround is
  only available with Ruby 2.4 series. When using Ruby 2.2 series or 2.3
  series, the gem does not override the bundled version of OpenSSL.
patched_versions:
  - "~> 2.2.8"
  - "~> 2.3.5"
  - ">= 2.4.2"