CVE-2016-7798: OpenSSL gem for Ruby using inadequate encryption strength
CVSS Score: 7.5 (CVSS v3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.41878%
CWE
Published: 10/24/2017
Updated: 7/3/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| openssl | rubygems | < 2.0.0 | 2.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from the OpenSSL gem's cipher initialization logic. The function ossl_cipher_initialize in ext/openssl/ossl_cipher.c explicitly set a dummy key (all zeros) via EVP_CipherInit_ex(ctx, cipher, NULL, dummy_key, NULL, -1). This dummy key initialization was a workaround for a segfault issue in older OpenSSL versions. However, in AES-GCM mode, setting the IV before the real key after this dummy initialization caused the IV to be reset to zero when the real key was later applied (due to OpenSSL's internal reinitialization behavior). The commit 8108e0a removed this dummy key initialization, fixing the IV retention issue. The presence of this dummy key setup directly enabled the IV reuse vulnerability.