CVE-2015-2774
published 2016-04-07CVE-2015-2774: Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to…
PriorityP430medium5.9CVSS 3.0
AVNACHPRNUINSUCHINAN
EPSS
1.90%
77.1th percentile
Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | erlang | < erlang 1:17.3-dfsg-4 (bookworm) | erlang 1:17.3-dfsg-4 (bookworm) |
| erlang | erlang_otp | <= 18.0 | — |
| erlang | erlang_otp | >= 0 < 1:17.3-dfsg-4 | 1:17.3-dfsg-4 |
| erlang | erlang_otp | >= 0 < 1:17.3-dfsg-4 | 1:17.3-dfsg-4 |
| erlang | erlang_otp | >= 0 < 1:17.3-dfsg-4 | 1:17.3-dfsg-4 |
| erlang | erlang_otp | >= 0 < 1:17.3-dfsg-4 | 1:17.3-dfsg-4 |
| erlang | erlang_otp | >= 0 < 1:16.b.3-dfsg-1ubuntu2.2 | 1:16.b.3-dfsg-1ubuntu2.2 |
| erlang | erlang_otp | >= 0 < 1:18.3-dfsg-1ubuntu3.1 | 1:18.3-dfsg-1ubuntu3.1 |
| opensuse | opensuse | — | — |
| oracle | solaris | — | — |
CVSS provenance
nvdv3.05.9MEDIUMCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
osv7.5HIGH
vendor_ubuntu7.5HIGH
vendor_debian3.4LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-x7g5-r7mw-4gvx: Erlang/OTP before 18
ghsa_unreviewed·2022-05-14·CVSS 3.4
CVE-2015-2774 [LOW] CWE-200 GHSA-x7g5-r7mw-4gvx: Erlang/OTP before 18
Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).
OSV
erlang vulnerabilities
osv·2018-02-14·CVSS 7.5
CVE-2014-1693 [HIGH] erlang vulnerabilities
erlang vulnerabilities
It was discovered that the Erlang FTP module incorrectly handled certain
CRLF sequences. A remote attacker could possibly use this issue to inject
arbitrary FTP commands. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-1693)
It was discovered that Erlang incorrectly checked CBC padding bytes. A
remote attacker could possibly use this issue to perform a padding oracle
attack and decrypt traffic. This issue only affected Ubuntu 14.04 LTS.
(CVE-2015-2774)
It was discovered that Erlang incorrectly handled certain regular
expressions. A remote attacker could possibly use this issue to cause
Erlang to crash, resulting in a denial of service, or execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-10253)
Hanno Böck, Juraj Somorovsky and Crai
OSV
CVE-2015-2774: Erlang/OTP before 18
osv·2016-04-07·CVSS 3.4
CVE-2015-2774 [LOW] CVE-2015-2774: Erlang/OTP before 18
Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).
Ubuntu
Erlang vulnerabilities
vendor_ubuntu·2018-02-14·CVSS 7.5
CVE-2014-1693 [HIGH] Erlang vulnerabilities
Title: Erlang vulnerabilities
Summary: Several security issues were fixed in Erlang.
It was discovered that the Erlang FTP module incorrectly handled certain
CRLF sequences. A remote attacker could possibly use this issue to inject
arbitrary FTP commands. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-1693)
It was discovered that Erlang incorrectly checked CBC padding bytes. A
remote attacker could possibly use this issue to perform a padding oracle
attack and decrypt traffic. This issue only affected Ubuntu 14.04 LTS.
(CVE-2015-2774)
It was discovered that Erlang incorrectly handled certain regular
expressions. A remote attacker could possibly use this issue to cause
Erlang to crash, resulting in a denial of service, or execute arbitrary
code. This issue only affected Ubuntu 16.
Debian
CVE-2015-2774: erlang - Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when termin...
vendor_debian·2015·CVSS 3.4
CVE-2015-2774 [LOW] CVE-2015-2774: erlang - Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when termin...
Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).
Scope: local
bookworm: resolved (fixed in 1:17.3-dfsg-4)
bullseye: resolved (fixed in 1:17.3-dfsg-4)
forky: resolved (fixed in 1:17.3-dfsg-4)
sid: resolved (fixed in 1:17.3-dfsg-4)
trixie: resolved (fixed in 1:17.3-dfsg-4)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-2774 Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation
bugzilla·2015-03-27·CVSS 5.9
CVE-2015-2774 [MEDIUM] CVE-2015-2774 Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation
CVE-2015-2774 Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation
It was reported upstream that Erlang/OTP is vulnerable to Poodle in its TLS-1.0
implementation. This vulnerability was assigned CVE-2015-2774.
References:
http://www.erlang.org/news/85
http://openwall.com/lists/oss-security/2015/03/27/9
Discussion:
Created erlang tracking bugs for this issue:
Affects: fedora-all [bug 1206713]
Affects: epel-all [bug 1206714]
---
Adding Rabbit maintainer just FYI.
---
erlang-17.4-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
---
erlang-17.4-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
---
erlang-17.4-5.f
Bugzilla
CVE-2015-2774 erlang: Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation [fedora-all]
bugzilla·2015-03-27·CVSS 5.9
CVE-2015-2774 [MEDIUM] CVE-2015-2774 erlang: Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation [fedora-all]
CVE-2015-2774 erlang: Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2015-2774 erlang: Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation [epel-all]
bugzilla·2015-03-27·CVSS 5.9
CVE-2015-2774 [MEDIUM] CVE-2015-2774 erlang: Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation [epel-all]
CVE-2015-2774 erlang: Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multip
http://lists.opensuse.org/opensuse-updates/2016-02/msg00124.htmlhttp://openwall.com/lists/oss-security/2015/03/27/6http://openwall.com/lists/oss-security/2015/03/27/9http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlhttp://www.securityfocus.com/bid/73398https://usn.ubuntu.com/3571-1/https://web.archive.org/web/20150905124006/http://www.erlang.org/news/85https://www.imperialviolet.org/2014/12/08/poodleagain.htmlhttp://lists.opensuse.org/opensuse-updates/2016-02/msg00124.htmlhttp://openwall.com/lists/oss-security/2015/03/27/6http://openwall.com/lists/oss-security/2015/03/27/9http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlhttp://www.securityfocus.com/bid/73398https://usn.ubuntu.com/3571-1/https://web.archive.org/web/20150905124006/http://www.erlang.org/news/85https://www.imperialviolet.org/2014/12/08/poodleagain.html
2016-04-07
Published