How to address CVE-2022-37026 vulnerability in Expedition

lychiang — Tue, 23 Apr 2024 13:25:10 GMT

Updated April 23, 2024: adding new repository to get erlang > 25+ packages

Symptoms

Expedition is vulnerable to CVE-2022-37026, below are the Detail about the vulnerability :

In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.

Diagnosis

Issue below command in Expedition CLI:

$apt list --installed | grep erlang

the result will show erlang package is v22.x which is vulnerable to the CVE

Solution

Summary: Run below commands in Expedition CLI to add new repositories and upgrade the two packages to the stated version:

rabbitmq-server: 3.11.4-1
erlang: 25.0.4

-------------------------------------------------------------------------------------

// execute below commands as root

sudo -su root

// stop mysql service so Expedition is not available

service mysql stop

// remove any potential version installed

apt-get remove rabbitmq-server && apt-get purge rabbitmq-server

apt-get remove erlang && apt-get purge erlang

apt autoremove

// disable the legacy repository for erlang > 25+ packages

echo "#deb https://packages.erlang-solutions.com/ubuntu focal contrib" | sudo tee /etc/apt/sources.list.d/erlang-solution.list
echo "#deb [trusted=yes] http://www.rabbitmq.com/debian/ testing main" | sudo tee /etc/apt/sources.list.d/rabbitmq.list

// update the apt list

apt update

// add the new repository storing erlang > 25+ packages
add-apt-repository -y ppa:rabbitmq/rabbitmq-erlang-25

// update the apt list

apt update

// add the rabbitmq repository

$curl -s https://packagecloud.io/install/repositories/rabbitmq/rabbitmq-server/script.deb.sh | sudo bash

// update the apt list
apt update

// fix any broken dependency

sudo apt --fix-broken install

// install the rabbitmq-server

$apt-get install rabbitmq-server=3.11.4-1

// remove any unneeded package

$apt autoremove

$apt purge

// start the mysql service to make Expedition available

$service mysql start

Verify the two packages are updated with the required version with below commands: