{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-11-23T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-16T09:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "USN-3571-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3571-1/"}, {"name": "RHSA-2018:0528", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0528"}, {"name": "[erlang-questions] 20171123 Patch Package: OTP 18.3.4.7", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094257.html"}, {"name": "[debian-lts-announce] 20171215 [SECURITY] [DLA 1207-1] erlang security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00010.html"}, {"name": "RHSA-2018:0242", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0242"}, {"tags": ["x_refsource_MISC"], "url": "https://robotattack.org/"}, {"name": "[erlang-questions] 20171123 Patch Package: OTP 19.3.6.4", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094256.html"}, {"name": "DSA-4057", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2017/dsa-4057"}, {"name": "RHSA-2018:0368", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0368"}, {"name": "RHSA-2018:0303", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0303"}, {"name": "[erlang-questions] 20171123 Patch Package: OTP 20.1.7", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094255.html"}, {"name": "102197", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102197"}, {"name": "VU#144389", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://www.kb.cert.org/vuls/id/144389"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-1000385", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "USN-3571-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3571-1/"}, {"name": "RHSA-2018:0528", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0528"}, {"name": "[erlang-questions] 20171123 Patch Package: OTP 18.3.4.7", "refsource": "MLIST", "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094257.html"}, {"name": "[debian-lts-announce] 20171215 [SECURITY] [DLA 1207-1] erlang security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00010.html"}, {"name": "RHSA-2018:0242", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0242"}, {"name": "https://robotattack.org/", "refsource": "MISC", "url": "https://robotattack.org/"}, {"name": "[erlang-questions] 20171123 Patch Package: OTP 19.3.6.4", "refsource": "MLIST", "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094256.html"}, {"name": "DSA-4057", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-4057"}, {"name": "RHSA-2018:0368", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0368"}, {"name": "RHSA-2018:0303", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0303"}, {"name": "[erlang-questions] 20171123 Patch Package: OTP 20.1.7", "refsource": "MLIST", "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094255.html"}, {"name": "102197", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102197"}, {"name": "VU#144389", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/144389"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T22:00:39.950Z"}, "title": "CVE Program Container", "references": [{"name": "USN-3571-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/3571-1/"}, {"name": "RHSA-2018:0528", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0528"}, {"name": "[erlang-questions] 20171123 Patch Package: OTP 18.3.4.7", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094257.html"}, {"name": "[debian-lts-announce] 20171215 [SECURITY] [DLA 1207-1] erlang security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00010.html"}, {"name": "RHSA-2018:0242", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0242"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://robotattack.org/"}, {"name": "[erlang-questions] 20171123 Patch Package: OTP 19.3.6.4", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094256.html"}, {"name": "DSA-4057", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2017/dsa-4057"}, {"name": "RHSA-2018:0368", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0368"}, {"name": "RHSA-2018:0303", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0303"}, {"name": "[erlang-questions] 20171123 Patch Package: OTP 20.1.7", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094255.html"}, {"name": "102197", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/102197"}, {"name": "VU#144389", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "https://www.kb.cert.org/vuls/id/144389"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000385", "datePublished": "2017-12-12T21:00:00.000Z", "dateReserved": "2017-11-29T00:00:00.000Z", "dateUpdated": "2024-08-05T22:00:39.950Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:erlang:erlang\\/otp:18.3.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "4CDBB4D0-83D2-4E45-B610-2E2185A30CC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:erlang:erlang\\/otp:19.3.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "1333ABAF-7DD7-4990-AB9B-CA143F6F80F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:erlang:erlang\\/otp:20.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "8567201B-AFAD-41B3-9FBB-ED03D10D8882", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack)."}, {"lang": "es", "value": "El servidor TLS en Erlang/OTP responde con alertas TLS diferentes a los diferentes tipos de error en el relleno RSA PKCS #1 1.5. Esto permite que un atacante descifre contenido o firme mensajes con la clave privada del servidor (esta es una variaci\u00f3n del ataque Bleichenbacher)."}], "id": "CVE-2017-1000385", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-12-12T21:29:00.213", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Mailing List", "Vendor Advisory"], "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094255.html"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Mailing List", "Vendor Advisory"], "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094256.html"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Mailing List", "Vendor Advisory"], "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094257.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102197"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:0242"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:0303"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:0368"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:0528"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00010.html"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://robotattack.org/"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/3571-1/"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-4057"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/144389"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mailing List", "Vendor Advisory"], "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094255.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mailing List", "Vendor Advisory"], "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094256.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mailing List", "Vendor Advisory"], "url": "http://erlang.org/pipermail/erlang-questions/2017-November/094257.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102197"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2018:0242"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2018:0303"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2018:0368"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2018:0528"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00010.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://robotattack.org/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/3571-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-4057"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/144389"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHBA-2019:0453", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ansible-tower-0:3.4.1-2.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-03-06T00:00:00Z"}, {"advisory": "RHBA-2019:0453", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-0:5.10.1.2-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-03-06T00:00:00Z"}, {"advisory": "RHBA-2019:0453", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-amazon-smartstate-0:5.10.1.2-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-03-06T00:00:00Z"}, {"advisory": "RHBA-2019:0453", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-appliance-0:5.10.1.2-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-03-06T00:00:00Z"}, {"advisory": "RHBA-2019:0453", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-gemset-0:5.10.1.2-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-03-06T00:00:00Z"}, {"advisory": "RHBA-2019:0453", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "erlang-0:20.3.8.9-2.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-03-06T00:00:00Z"}, {"advisory": "RHBA-2019:0453", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "nginx-1:1.14.1-1.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-03-06T00:00:00Z"}, {"advisory": "RHBA-2019:0453", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rabbitmq-server-0:3.7.4-2.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-03-06T00:00:00Z"}, {"advisory": "RHSA-2018:0368", "cpe": "cpe:/a:redhat:openstack:10::el7", "package": "erlang-0:18.3.4.7-1.el7ost", "product_name": "Red Hat OpenStack Platform 10.0 (Newton)", "release_date": "2018-02-27T00:00:00Z"}, {"advisory": "RHSA-2018:0303", "cpe": "cpe:/a:redhat:openstack:11::el7", "package": "erlang-0:18.3.4.7-1.el7ost", "product_name": "Red Hat OpenStack Platform 11.0 (Ocata)", "release_date": "2018-02-13T00:00:00Z"}, {"advisory": "RHSA-2018:0242", "cpe": "cpe:/a:redhat:openstack:12::el7", "package": "erlang-0:18.3.4.7-1.el7ost", "product_name": "Red Hat OpenStack Platform 12.0 (Pike)", "release_date": "2018-01-30T00:00:00Z"}, {"advisory": "RHSA-2018:0528", "cpe": "cpe:/a:redhat:openstack:9::el7", "package": "erlang-0:18.3.4.7-1.el7ost", "product_name": "Red Hat OpenStack Platform 9.0 (Mitaka)", "release_date": "2018-03-15T00:00:00Z"}], "bugzilla": {"description": "erlang: TLS server vulnerable to Adaptive Chosen Ciphertext attack allowing plaintext recovery or MITM attack", "id": "1520400", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1520400"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "status": "verified"}, "cwe": "CWE-300", "details": ["The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack).", "An erlang TLS server configured with cipher suites using RSA key exchange, may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA. This may result in plain-text recovery of encrypted messages and/or a man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server\u2019s private key itself."], "name": "CVE-2017-1000385", "package_state": [{"cpe": "cpe:/a:redhat:openstack:6", "fix_state": "Will not fix", "package_name": "erlang", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)"}, {"cpe": "cpe:/a:redhat:openstack:7", "fix_state": "Will not fix", "package_name": "erlang", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Will not fix", "package_name": "erlang", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}], "public_date": "2017-11-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-1000385\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000385"], "statement": "This issue affects the versions of erlang as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Low"}

{}