CVE-2022-37026

Publication date 21 September 2022

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.

From the Ubuntu Security Team

It was discovered that Erlang did not properly implement TLS client certificate validation during the TLS handshake. A remote attacker could use this issue to bypass client authentication.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
erlang	24.10 oracular	Fixed 1:24.3.4.5+dfsg-1
	24.04 LTS noble	Fixed 1:24.3.4.5+dfsg-1
	23.10 mantic	Fixed 1:24.3.4.5+dfsg-1
	23.04 lunar	Fixed 1:24.3.4.5+dfsg-1
	22.10 kinetic	Fixed 1:24.3.4.1+dfsg-1ubuntu0.1
	22.04 LTS jammy	Fixed 1:24.2.1+dfsg-1ubuntu0.1
	20.04 LTS focal	Fixed 1:22.2.7+dfsg-1ubuntu0.2
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Ignored end of ESM support, was needs-triage

Notes

mdeslaur

only an issue when client certificates are used

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
erlang	Upstream: cd50248 Upstream: 6a1baa3 Upstream: 254f272 Upstream: 33e7570 Opensuse: https://build.opensuse.org/package/view_file/SUSE:SLE-15-SP3:Update/erlang/CVE-2022-37026-client-auth-bypass.patch?expand=1

Severity score breakdown

Parameter	Value
Base score	9.8 · Critical
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-6059-1
Erlang vulnerability
8 May 2023