Headline
Ubuntu Security Notice USN-6059-1
Ubuntu Security Notice 6059-1 - It was discovered that Erlang did not properly implement TLS client certificate validation during the TLS handshake. A remote attacker could use this issue to bypass client authentication.
==========================================================================
Ubuntu Security Notice USN-6059-1
May 08, 2023
erlang vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Erlang could allow unintended access to network services.
Software Description:
- erlang: Concurrent, real-time, distributed functional language
Details:
It was discovered that Erlang did not properly implement TLS client
certificate validation during the TLS handshake. A remote attacker could
use this issue to bypass client authentication.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.10:
erlang 1:24.3.4.1+dfsg-1ubuntu0.1
erlang-ssl 1:24.3.4.1+dfsg-1ubuntu0.1
Ubuntu 22.04 LTS:
erlang 1:24.2.1+dfsg-1ubuntu0.1
erlang-ssl 1:24.2.1+dfsg-1ubuntu0.1
Ubuntu 20.04 LTS:
erlang 1:22.2.7+dfsg-1ubuntu0.2
erlang-ssl 1:22.2.7+dfsg-1ubuntu0.2
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6059-1
CVE-2022-37026
Package Information:
https://launchpad.net/ubuntu/+source/erlang/1:24.3.4.1+dfsg-1ubuntu0.1
https://launchpad.net/ubuntu/+source/erlang/1:24.2.1+dfsg-1ubuntu0.1
https://launchpad.net/ubuntu/+source/erlang/1:22.2.7+dfsg-1ubuntu0.2
Related news
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
An issue was discovered in Couchbase Server 7.x before 7.0.5 and 7.1.x before 7.1.2. A crafted HTTP REST request from an administrator account to the Couchbase Server Backup Service can exhaust memory resources, causing the process to be killed, which can be used for denial of service.
Red Hat Security Advisory 2022-8857-01 - Erlang is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. Erlang is used in several large telecommunication systems from Ericsson. Issues addressed include a bypass vulnerability.
An update for erlang is now available for Red Hat OpenStack Platform 16.2.4 (Train) on Red Hat Enterprise Linux (RHEL) 8.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-37026: erlang/otp: Client Authentication Bypass
In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.