RubySec

Providing security resources for the Ruby community

CVE-2009-4123 (jruby-openssl): jruby-openssl Gem for JRuby fails to do proper certificate validation

ADVISORIES

GEM

jruby-openssl

PLATFORM

jruby

PATCHED VERSIONS

  • >= 0.6

DESCRIPTION

A security problem involving peer certificate verification was found where failed verification silently did nothing, making affected applications vulnerable to attackers. Attackers could lead a client application to believe that a secure connection to a rogue SSL server is legitimate. Attackers could also penetrate client-validated SSL server applications with a dummy certificate.