CVE-2017-1000385
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000385
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-1000385.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2017-1000385
- Related
- Published
- 2017-12-12T21:29:00Z
- Modified
- 2025-01-14T06:58:20.017999Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack).
- References
-
- http://erlang.org/pipermail/erlang-questions/2017-November/094255.html
- http://erlang.org/pipermail/erlang-questions/2017-November/094256.html
- http://erlang.org/pipermail/erlang-questions/2017-November/094257.html
- http://www.securityfocus.com/bid/102197
- https://access.redhat.com/errata/RHSA-2018:0242
- https://access.redhat.com/errata/RHSA-2018:0303
- https://access.redhat.com/errata/RHSA-2018:0368
- https://access.redhat.com/errata/RHSA-2018:0528
- https://www.debian.org/security/2017/dsa-4057
- https://robotattack.org/
- https://www.kb.cert.org/vuls/id/144389
- https://lists.debian.org/debian-lts-announce/2017/12/msg00010.html
- https://usn.ubuntu.com/3571-1/
- https://security-tracker.debian.org/tracker/CVE-2017-1000385
Affected packages
Debian:11 / erlang
Package
- Name
- erlang
- Purl
- pkg:deb/debian/erlang?arch=source
Debian:12 / erlang
Package
- Name
- erlang
- Purl
- pkg:deb/debian/erlang?arch=source
Debian:13 / erlang
Package
- Name
- erlang
- Purl
- pkg:deb/debian/erlang?arch=source
Git / github.com/erlang/otp
Affected ranges
- Type
- GIT
- Repo
- https://github.com/erlang/otp
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affectedLast affected
Affected versions
OTP-17.*
OTP-17.0
OTP-17.0.1
OTP-17.0.2
OTP-17.1
OTP-17.1.1
OTP-17.1.2
OTP-17.2
OTP-17.2.1
OTP-17.2.2
OTP-17.3
OTP-17.3.1
OTP-17.3.2
OTP-17.3.3
OTP-17.3.4
OTP-17.4
OTP-17.4.1
OTP-17.5
OTP-17.5.1
OTP-17.5.2
OTP-17.5.3
OTP-17.5.4
OTP-17.5.5
OTP-17.5.6
OTP-17.5.6.1
OTP-17.5.6.2
OTP-17.5.6.3
OTP-17.5.6.4
OTP-17.5.6.5
OTP-17.5.6.6
OTP-17.5.6.7
OTP-17.5.6.8
OTP-17.5.6.9
OTP-18.*
OTP-18.0
OTP-18.0-rc1
OTP-18.0-rc2
OTP-18.0.1
OTP-18.0.2
OTP-18.0.3
OTP-18.1
OTP-18.1.1
OTP-18.1.2
OTP-18.1.3
OTP-18.1.4
OTP-18.1.5
OTP-18.2
OTP-18.2.1
OTP-18.2.2
OTP-18.2.3
OTP-18.2.4
OTP-18.2.4.0.1
OTP-18.2.4.1
OTP-18.3
OTP-18.3.1
OTP-18.3.2
OTP-18.3.3
OTP-18.3.4
OTP-18.3.4.1
OTP-18.3.4.2
OTP-18.3.4.3
OTP-18.3.4.4
OTP-18.3.4.5
OTP-18.3.4.6
OTP-18.3.4.7
OTP-19.*
OTP-19.0
OTP-19.0-rc1
OTP-19.0-rc2
OTP-19.0.1
OTP-19.0.2
OTP-19.0.3
OTP-19.0.4
OTP-19.0.5
OTP-19.0.6
OTP-19.0.7
OTP-19.1
OTP-19.1.1
OTP-19.1.2
OTP-19.1.3
OTP-19.1.4
OTP-19.1.5
OTP-19.1.6
OTP-19.1.6.1
OTP-19.2
OTP-19.2.1
OTP-19.2.2
OTP-19.2.3
OTP-19.3
OTP-19.3.1
OTP-19.3.2
OTP-19.3.3
OTP-19.3.4
OTP-19.3.5
OTP-19.3.6
OTP-19.3.6.1
OTP-19.3.6.2
OTP-19.3.6.3
OTP-19.3.6.4
OTP-20.*
OTP-20.0
OTP-20.0-rc1
OTP-20.0-rc2
OTP-20.0.1
OTP-20.0.2
OTP-20.0.3
OTP-20.0.4
OTP-20.0.5
OTP-20.1
OTP-20.1.1
OTP-20.1.2
OTP-20.1.3
OTP-20.1.4
OTP-20.1.5
OTP-20.1.6
OTP-20.1.7
OTP_17.*
OTP_17.0-rc1
OTP_17.0-rc2
Other
OTP_R13B03
OTP_R13B04
OTP_R14A
OTP_R14B
OTP_R14B01
OTP_R14B02
OTP_R14B03
OTP_R14B04
OTP_R15A
OTP_R15B
OTP_R15B01
OTP_R15B02
OTP_R15B03
OTP_R15B03-1
OTP_R16A_RELEASE_CANDIDATE
OTP_R16B
OTP_R16B01
OTP_R16B01_RC1
OTP_R16B02
OTP_R16B03
OTP_R16B03-1
OTP_R16B03_yielding_binary_to_term
R16B02_yielding_binary_to_term