<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Patch Package: OTP 19.3.6.4
<br>
Git Tag: OTP-19.3.6.4
<br>
Date: 2017-11-23
<br>
Trouble Report Id: OTP-14748
<br>
Seq num:
<br>
System: OTP
<br>
Release: 19
<br>
Application: ssl-8.1.3.1
<br>
Predecessor: OTP 19.3.6.3
<br>
<br>
 Check out the git tag OTP-19.3.6.4, and build a full OTP system
<br>
 including documentation. Apply one or more applications from this
<br>
 build as patches to your installation using the 'otp_patch_apply'
<br>
 tool. For information on install requirements, see descriptions
for
<br>
 each application version below.
<br>
<br>
 ---------------------------------------------------------------------
<br>
 --- ssl-8.1.3.1
-----------------------------------------------------
<br>
 ---------------------------------------------------------------------
<br>
<br>
 Note! The ssl-8.1.3.1 application can <b>not</b> be applied independently
<br>
      of other applications on an arbitrary OTP 19 installation.
<br>
<br>
      On a full OTP 19 installation, also the following runtime
<br>
      dependency has to be satisfied:
<br>
      -- stdlib-3.2 (first satisfied in OTP 19.2)
<br>
<br>
<br>
 --- Fixed Bugs and Malfunctions ---
<br>
<br>
 OTP-14748   Application(s): ssl
<br>
<br>
              An erlang TLS server configured with cipher suites
<br>
              using rsa key exchange, may be vulnerable to an
<br>
              Adaptive Chosen Ciphertext attack (AKA
Bleichenbacher
<br>
              attack) against RSA, which when exploited, may
result
<br>
              in plaintext recovery of encrypted messages and/or
a
<br>
              Man-in-the-middle (MiTM) attack, despite the
attacker
<br>
              not having gained access to the server’s private
key
<br>
              itself. CVE-2017-1000385
<br>
<br>
              Exploiting this vulnerability to perform plaintext
<br>
              recovery of encrypted messages will, in most
practical
<br>
              cases, allow an attacker to read the plaintext only
<br>
              after the session has completed. Only TLS sessions
<br>
              established using RSA key exchange are vulnerable
to
<br>
              this attack.
<br>
<br>
              Exploiting this vulnerability to conduct a MiTM
attack
<br>
              requires the attacker to complete the initial
attack,
<br>
              which may require thousands of server requests,
during
<br>
              the handshake phase of the targeted session within
the
<br>
              window of the configured handshake timeout. This
attack
<br>
              may be conducted against any TLS session using RSA
<br>
              signatures, but only if cipher suites using RSA key
<br>
              exchange are also enabled on the server. The
limited
<br>
              window of opportunity, limitations in bandwidth,
and
<br>
              latency make this attack significantly more
difficult
<br>
              to execute.
<br>
<br>
              RSA key exchange is enabled by default although
least
<br>
              prioritized if server order is honored. For such a
<br>
              cipher suite to be chosen it must also be supported
by
<br>
              the client and probably the only shared cipher
suite.
<br>
<br>
              Captured TLS sessions encrypted with ephemeral
cipher
<br>
              suites (DHE or ECDHE) are not at risk for
subsequent
<br>
              decryption due to this vulnerability.
<br>
<br>
              As a workaround if default cipher suite
configuration
<br>
              was used you can configure the server to not use
<br>
              vulnerable suites with the ciphers option like
this:
<br>
<br>
              {ciphers, [Suite || Suite <- ssl:cipher_suites(),
<br>
              element(1, Suite) =/= rsa]}
<br>
<br>
              that is, your code will look something like this:
<br>
<br>
              ssl:listen(Port, [{ciphers, [Suite || Suite <- ssl:cipher_suites(),
<br>
              element(1, Suite) =/= rsa]} | Options]).
<br>
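The workaround above as an added helper module (example code written for this page, not code from OTP or from the patch note): it builds the filtered server options, checks an option list before it reaches ssl:listen/2, and probes a running server by offering only RSA key-exchange suites, so you can confirm the change took effect. The module name no_rsa_kx, its function names and the certificate paths in the usage note are assumptions; the code assumes an OTP 19 node where ssl:cipher_suites/0 returns suites in the erlang tuple format {KeyExchange, Cipher, Mac} (with a fourth PRF element for TLS 1.2 suites).

```erlang
%% Added example for this page (hypothetical module, not part of OTP):
%% apply and verify the "no rsa key exchange" workaround.
-module(no_rsa_kx).
-export([server_options/1, has_rsa_kx/1, probe_rsa_kx/2, probe_rsa_kx/3]).

%% A suite uses plain RSA key exchange when the client encrypts the
%% premaster secret under the server's RSA key; those are the suites a
%% Bleichenbacher oracle can attack. In the erlang suite format the key
%% exchange is element 1 of the tuple.
is_rsa_kx(Suite) when is_tuple(Suite) ->
    element(1, Suite) =:= rsa.

%% Server options with every rsa key-exchange suite removed. DHE/ECDHE
%% suites are kept: a captured session using them cannot be decrypted
%% afterwards. honor_cipher_order only makes the server's preference win
%% and is defence in depth; the filter is what closes the hole.
server_options(BaseOptions) ->
    Safe = [S || S <- ssl:cipher_suites(), not is_rsa_kx(S)],
    [{ciphers, Safe}, {honor_cipher_order, true} | BaseOptions].

%% True if an option list (e.g. the one about to be passed to
%% ssl:listen/2) would still allow RSA key exchange. Without an explicit
%% ciphers option the OTP defaults apply, and those include rsa suites.
has_rsa_kx(Options) ->
    Suites = proplists:get_value(ciphers, Options, ssl:cipher_suites()),
    lists:any(fun is_rsa_kx/1, Suites).

%% Client-side check against a running server: offer only RSA
%% key-exchange suites. If the handshake completes, the server still
%% accepts them and the workaround is not in effect.
probe_rsa_kx(Host, Port) ->
    probe_rsa_kx(Host, Port, 5000).

probe_rsa_kx(Host, Port, Timeout) ->
    RsaOnly = [S || S <- ssl:cipher_suites(), is_rsa_kx(S)],
    ok = ssl:start(),
    ClientOpts = [{ciphers, RsaOnly}, {verify, verify_none}],
    case ssl:connect(Host, Port, ClientOpts, Timeout) of
        {ok, Sock} ->
            {ok, [{cipher_suite, Negotiated}]} =
                ssl:connection_information(Sock, [cipher_suite]),
            ssl:close(Sock),
            {vulnerable, Negotiated};
        {error, Reason} ->
            %% A handshake_failure alert is the expected answer from a
            %% server that no longer shares any RSA key-exchange suite.
            {not_negotiable, Reason}
    end.
```

Usage on the server side, with hypothetical certificate paths: Opts = no_rsa_kx:server_options([{certfile, "server.pem"}, {keyfile, "server.key"}, {reuseaddr, true}]), false = no_rsa_kx:has_rsa_kx(Opts), {ok, LSock} = ssl:listen(8443, Opts). From another node, no_rsa_kx:probe_rsa_kx("localhost", 8443) should then return {not_negotiable, _}; a {vulnerable, Suite} result means the listener was started with a cipher list that still contains rsa key exchange. The probe only tells you whether RSA key exchange is negotiable, which is the precondition the note describes; it does not test for the padding oracle itself.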
<br>
              Thanks to Hanno Böck, Juraj Somorovsky and Craig
Young
<br>
              for reporting this vulnerability.
<br>
<br>
<br>
 Full runtime dependencies of ssl-8.1.3.1: crypto-3.3, erts-7.0,
<br>
 inets-5.10.7, kernel-3.0, public_key-1.2, stdlib-3.2
<br>
<br>
<br>
 ---------------------------------------------------------------------
<br>
 ---------------------------------------------------------------------
<br>
 ---------------------------------------------------------------------
<br>
<br>
</p>
</body>
</html>