CVE-2015-2774 — Sensitive Information Exposure in OTP

CWE-200 — Sensitive Information Exposure10 documents7 sources

Severity

5.9MEDIUMNVD

CNA3.4OSV7.5OSV3.4

EPSS

0.5%

top 32.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Erlang OTP Opensuse Oracle Solaris

Timeline

PublishedApr 7

Latest updateMay 14

Description

Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶Debianerlang/erlang_otp< 1:17.3-dfsg-4+3

▶Ubuntuerlang/erlang_otp< 1:16.b.3-dfsg-1ubuntu2.2+1

▶NVDerlang/erlang_otp18.0

▶NVDoracle/solaris11.2

▶NVDopensuse/opensuse13.2

🔴Vulnerability Details

GHSA

GHSA-x7g5-r7mw-4gvx: Erlang/OTP before 18↗2022-05-14

▶

OSV

erlang vulnerabilities↗2018-02-14

▶

OSV

CVE-2015-2774: Erlang/OTP before 18↗2016-04-07

▶

CVEList

CVE-2015-2774: Erlang/OTP before 18↗2016-04-07

▶

📋Vendor Advisories

Ubuntu

Erlang vulnerabilities↗2018-02-14

▶

Debian

CVE-2015-2774: erlang - Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when termin...↗2015

▶

💬Community

Bugzilla

CVE-2015-2774 Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation↗2015-03-27

▶

Bugzilla

CVE-2015-2774 erlang: Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation [fedora-all]↗2015-03-27

▶

Bugzilla

CVE-2015-2774 erlang: Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation [epel-all]↗2015-03-27

▶