---
engine: ruby
cve: 2018-16395
url: https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/
title: Incorrect equality check in OpenSSL::X509::Name
date: 2018-10-17
description: |
  The equality check of `OpenSSL::X509::Name` does not work correctly in the
  openssl extension library bundled with Ruby.

  An instance of `OpenSSL::X509::Name` contains entities such as `CN`, `C` and
  so on. Two instances of `OpenSSL::X509::Name` are equal only when all entities
  are exactly equal. However, a bug makes the equality check incorrect when the
  value of an entity of the argument (right-hand side) starts with the value of
  the corresponding entity of the receiver (left-hand side). So, if a malicious
  X.509 certificate is compared with an existing certificate, the two names may
  incorrectly be judged equal.

  It is strongly recommended that Ruby users upgrade their Ruby installation or
  apply one of the following workarounds as soon as possible.

  `openssl` gem 2.1.2 or later includes the fix for the vulnerability, so
  upgrade the `openssl` gem to the latest version if you are using Ruby 2.4 or a
  later series:

  `gem install openssl -v ">= 2.1.2"`

  However, in the Ruby 2.3 series you cannot override the bundled version of
  openssl with the `openssl` gem. Please upgrade your Ruby installation to the
  latest version.
patched_versions:
  - "~> 2.3.8"
  - "~> 2.4.5"
  - "~> 2.5.2"
  - ">= 2.6.0-preview3"
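The following Ruby script is an added example, not part of the advisory or of the openssl gem's own code. It builds two constructed `OpenSSL::X509::Name` instances whose `CN` values stand in the prefix relationship the advisory describes, reports whether the running Ruby/openssl build still treats them as equal in either direction of the comparison, and shows two workaround comparisons (`to_der` and `to_a`) that do not rely on `OpenSSL::X509::Name#==`. The names, the helper function names and the sample values are assumptions made for this example.

```ruby
require "openssl"

# Constructed sample names (not taken from the advisory). The CN of the second
# is the CN of the first with extra characters appended, i.e. one value starts
# with the other, which is the input shape CVE-2018-16395 is about.
NAME_SHORT = OpenSSL::X509::Name.new([["CN", "example"], ["O", "Example Org"]])
NAME_LONG  = OpenSSL::X509::Name.new([["CN", "example.com"], ["O", "Example Org"]])

# Returns true if this Ruby/openssl build shows the vulnerable behaviour: the two
# names compare as equal (via #== or a zero <=> result) in at least one direction.
# Both directions are checked so the result does not depend on which side the
# longer value is on. A patched build (openssl gem >= 2.1.2 or a patched Ruby)
# returns false.
def name_equality_broken?(a = NAME_SHORT, b = NAME_LONG)
  (a == b) || (b == a) || (a <=> b).zero? || (b <=> a).zero?
end

# Workaround 1: compare the DER encodings byte for byte. This is stricter than
# the library's canonical comparison (no case folding or whitespace
# normalisation), so it can report two semantically equal names as different,
# but it can never report a prefix relationship as equality.
def der_name_equal?(a, b)
  a.to_der == b.to_der
end

# Workaround 2: compare the entry lists ([oid, value, type] triples) directly.
# Same strictness caveat as the DER comparison; easier to inspect when debugging.
def entries_name_equal?(a, b)
  a.to_a == b.to_a
end

if __FILE__ == $0
  puts "OpenSSL version: #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  puts "X509::Name#== affected by CVE-2018-16395: #{name_equality_broken?}"
  puts "DER compare (short vs long): #{der_name_equal?(NAME_SHORT, NAME_LONG)}"
  puts "Entry compare (short vs long): #{entries_name_equal?(NAME_SHORT, NAME_LONG)}"
end
```

Run the script on each Ruby installation you operate; a `true` on the first line means the bundled extension is still affected and the upgrade or gem workaround from the advisory applies. The DER or entry comparison is a stopgap for code paths that must decide equality of subject or issuer names before the upgrade can be rolled out.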