Security Advisory

CVE-2015-1855 Ruby OpenSSL Hostname Verification

Severity

Moderate

Vendor

N/A

Versions Affected

  • Ruby OpenSSL Hostname Verification

Description

Ruby’s OpenSSL extension matched a server’s hostname against the names in its certificate (subject CN and dNSName SANs) too permissively: wildcards were accepted in any label and in any number, and inside internationalized (IDNA) labels. This is the same class of bug as CVE-2014-1492 in NSS, and it allows a certificate issued for one name to be accepted for hosts it was never meant to cover.

This vulnerability affects the following Ruby versions:

  • All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 645
  • All ruby 2.1 versions prior to ruby 2.1.6
  • All ruby 2.2 versions prior to ruby 2.2.2
  • Ruby trunk prior to revision 50292

Affected Products and Versions

Severity is moderate unless otherwise noted.

  • Ruby Cloud Foundry buildpack versions prior to 1.3.1.

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade to Cloud Foundry ruby-buildpack v1.3.1 or later, which is available at network.pivotal.io.
  • Applications that pin a vulnerable version of Ruby should update that dependency to require “2.2.2”, “2.1.6”, or “2.0.0.p645”.

What changed in the fixed Ruby versions:

  • Ruby’s OpenSSL extension now uses a string-based matching algorithm that follows the stricter behavior recommended by the relevant RFCs (RFC 6125). In particular, more than one wildcard per subject/SAN is no longer accepted, and comparisons of these values are case-insensitive.
  • The change affects the behavior of OpenSSL::SSL.verify_certificate_identity, which is what OpenSSL::SSL::SSLSocket#post_connection_check uses to check the peer’s hostname. Specifically:
    • Only one wildcard character is allowed, and only in the left-most label of the name.
    • IDNA names (xn-- labels) can only be matched by a simple wildcard (e.g. ‘*.domain’), never by a wildcard embedded in the label.
    • Subject/SAN values (and the hostname being checked) must be limited to ASCII characters.
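The matching rules above, as an added example that is not code from this advisory, from the ruby-buildpack or from Ruby’s OpenSSL extension. `permissive_match?` is a regex-based matcher constructed only for contrast with the strict rules; `strict_match?`, `wildcard_label_match?`, `self_signed_cert_with_sans` and `ruby_verifies?` are this example’s own names; the hostnames and SANs in `CASES` are constructed sample data. `ruby_verifies?` builds a throwaway self-signed certificate so the real `OpenSSL::SSL.verify_certificate_identity` of whatever Ruby runs the script can be checked offline; refusing identifiers with fewer than three labels is a conservative choice of this example.

```ruby
require "openssl"

# Permissive matcher, constructed here only for contrast: every "*" becomes
# "[^.]+" wherever it appears, so "*.*.example.com", "foo.*.example.com" and
# "xn--*.example.com" all match. This is the class of behaviour the advisory
# calls overly permissive; it is not Ruby's code.
def permissive_match?(san, hostname)
  re = Regexp.escape(san).gsub("\\*", "[^.]+")
  /\A#{re}\z/i.match?(hostname)
end

# One label of the presented identifier against one label of the hostname.
# Zero or one "*" is allowed; an IDNA A-label ("xn--...") may only be matched
# by a bare "*".
def wildcard_label_match?(san_label, host_label)
  prefix, suffix, *extra = san_label.split("*", -1)
  return false unless extra.empty?                # two or more "*" in the label
  return san_label == host_label if suffix.nil?   # no wildcard: exact match
  return false if host_label.start_with?("xn--") && san_label != "*"
  host_label.length > prefix.length + suffix.length &&   # "*" must cover >= 1 char
    host_label.start_with?(prefix) && host_label.end_with?(suffix)
end

# Strict matcher implementing the rules in the advisory (RFC 6125 section 6.4.3):
# ASCII only, case-insensitive, wildcard only in the left-most label, one label
# per wildcard. As an extra conservative choice of this example, identifiers
# with fewer than three labels ("*.com") never match.
def strict_match?(san, hostname)
  return false unless san.ascii_only? && hostname.ascii_only?   # RFC 5280 IA5String
  san_labels  = san.downcase.split(".", -1)
  host_labels = hostname.downcase.split(".", -1)
  return false if san_labels.size < 3
  return false if san_labels.any?(&:empty?) || host_labels.any?(&:empty?)
  return false unless san_labels.size == host_labels.size    # "*" spans one label
  san_first, *san_rest   = san_labels
  host_first, *host_rest = host_labels
  return false if san_rest.any? { |l| l.include?("*") }      # "*" only left-most
  wildcard_label_match?(san_first, host_first) && san_rest == host_rest
end

# Self-signed certificate carrying the given dNSName SANs, so the real
# OpenSSL::SSL.verify_certificate_identity of the running Ruby can be exercised
# offline. Helper name is this example's own.
def self_signed_cert_with_sans(dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=unused.example")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  sans = dns_names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", sans))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# True if the Ruby running this script accepts `hostname` for a certificate whose
# only SAN is `san`. On a fixed Ruby this agrees with strict_match? for every
# case below; on an affected Ruby the "*.*", "foo.*" and "xn--*" rows differ.
def ruby_verifies?(san, hostname)
  OpenSSL::SSL.verify_certificate_identity(self_signed_cert_with_sans([san]), hostname)
end

# Constructed sample pairs: [presented identifier, hostname to verify].
CASES = [
  ["*.example.com",       "foo.example.com"],
  ["*.example.com",       "FOO.Example.COM"],
  ["*.example.com",       "bar.foo.example.com"],
  ["*.*.example.com",     "foo.bar.example.com"],
  ["foo.*.example.com",   "foo.bar.example.com"],
  ["xn--*.example.com",   "xn--caf-dma.example.com"],
  ["*.example.com",       "xn--caf-dma.example.com"],
  ["b*r.example.com",     "bar.example.com"],
  ["*.com",               "example.com"],
  ["*.example.com",       "caf\u00e9.example.com"],
].freeze

if __FILE__ == $PROGRAM_NAME
  puts format("%-22s %-26s %-10s %-6s %s", "SAN", "hostname", "permissive", "strict", "this ruby")
  CASES.each do |san, host|
    puts format("%-22s %-26s %-10s %-6s %s", san, host,
                permissive_match?(san, host), strict_match?(san, host), ruby_verifies?(san, host))
  end
end
```

Running the script on an affected Ruby shows the "this ruby" column agreeing with the permissive column for the multi-wildcard, mid-label and xn-- rows; on 2.0.0p645, 2.1.6, 2.2.2 or later it agrees with the strict column, which is a quick way to confirm a buildpack or base image has picked up the fix.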

Credit

Tony Arcieri, Jeffrey Walton and Steffan Ullrich

Author

Cloud Foundry Foundation Security Team