CVE-2022-37026
Published 2022-09-21
Priority: P3 55 · CVSS 3.1: 9.8 critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.14% (62.5th percentile)
In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | erlang | < erlang 1:24.3.4.5+dfsg-1 (bookworm) | erlang 1:24.3.4.5+dfsg-1 (bookworm) |
| erlang | erlang_otp | < 23.3.4.15 | 23.3.4.15 |
| erlang | erlang_otp | >= 0 < 1:23.2.6+dfsg-1+deb11u1 | 1:23.2.6+dfsg-1+deb11u1 |
| erlang | erlang_otp | >= 0 < 1:24.3.4.5+dfsg-1 | 1:24.3.4.5+dfsg-1 |
| erlang | erlang_otp | >= 0 < 1:24.3.4.5+dfsg-1 | 1:24.3.4.5+dfsg-1 |
| erlang | erlang_otp | >= 0 < 1:24.3.4.5+dfsg-1 | 1:24.3.4.5+dfsg-1 |
| erlang | erlang_otp | >= 24.0 < 24.3.4.2 | 24.3.4.2 |
| erlang | erlang_otp | >= 25.0 < 25.0.2 | 25.0.2 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 9.8 | CRITICAL | |
| vendor_redhat | 9.8 | CRITICAL | |
GHSA
GHSA-f399-ff4w-62fm · ghsa_unreviewed · 2022-09-22 · CVE-2022-37026 · CRITICAL · CWE-287
In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.
OSV
CVE-2022-37026 · osv · 2022-09-21 · CVSS 9.8 · CRITICAL
In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.
Ubuntu
CVE-2022-37026 · vendor_ubuntu · 2023-05-08
Title: Erlang vulnerability
Summary: Erlang could allow unintended access to network services.
It was discovered that Erlang did not properly implement TLS client certificate validation during the TLS handshake. A remote attacker could use this issue to bypass client authentication.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Red Hat
erlang/otp: Client Authentication Bypass · vendor_redhat · 2022-09-21 · CVSS 9.8 · CVE-2022-37026 · CRITICAL · CWE-305
In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.
A Client Authentication Bypass was found in Erlang/OTP. This issue occurs in certain client-certification situations for SSL, TLS, and DTLS.
Statement: Some releases of Red Hat OpenStack Platform ship an affected version of the Erlang libraries, however RHOSP is configured to use application-level shared secret authentication during TLS sessions. This makes it unlikely to be exploitable as none of the vulnerable codepaths are exposed and no client certificate is used for authentication. For this reason the impact to Red Hat OpenStack Platform has been downgraded to
Debian
CVE-2022-37026: erlang · vendor_debian · 2022 · CVSS 9.8 · CRITICAL
In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.
Scope: local
bookworm: resolved (fixed in 1:24.3.4.5+dfsg-1)
bullseye: resolved (fixed in 1:23.2.6+dfsg-1+deb11u1)
forky: resolved (fixed in 1:24.3.4.5+dfsg-1)
sid: resolved (fixed in 1:24.3.4.5+dfsg-1)
trixie: resolved (fixed in 1:24.3.4.5+dfsg-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://erlangforums.com/c/erlang-news-announcements/91
https://erlangforums.com/t/otp-25-1-released/1854
https://github.com/erlang/otp/compare/OTP-23.3.4.14...OTP-23.3.4.15
https://lists.debian.org/debian-lts-announce/2023/07/msg00012.html