How to address CVE-2022-37026 vulnerability in Expedition

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L6 Presenter
No ratings
Updated April 23, 2024: adding new repository to get erlang > 25+ packages

Symptoms

Expedition is vulnerable to CVE-2022-37026, below are the Detail about the vulnerability :

In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.

 

Diagnosis

Issue below command in Expedition CLI:

$apt list --installed | grep erlang 

the result will show erlang package is v22.x which is vulnerable to the CVE

 

Solution

Summary: Run below commands in Expedition CLI to add new repositories and upgrade the two packages to the stated version:

 

rabbitmq-server: 3.11.4-1
erlang: 25.0.4

 

-------------------------------------------------------------------------------------

// execute below commands as root

sudo -su root

// stop mysql service so Expedition is not available

service mysql stop

// remove any potential version installed

apt-get remove rabbitmq-server && apt-get purge rabbitmq-server

apt-get remove erlang && apt-get purge erlang

apt autoremove

// disable the legacy repository for erlang > 25+ packages

echo "#deb https://packages.erlang-solutions.com/ubuntu focal contrib" | sudo tee /etc/apt/sources.list.d/erlang-solution.list
echo "#deb [trusted=yes] http://www.rabbitmq.com/debian/ testing main" | sudo tee /etc/apt/sources.list.d/rabbitmq.list

// update the apt list

apt update

// add the new repository storing erlang > 25+ packages
add-apt-repository -y ppa:rabbitmq/rabbitmq-erlang-25

// update the apt list

apt update

// add the rabbitmq repository

$curl -s https://packagecloud.io/install/repositories/rabbitmq/rabbitmq-server/script.deb.sh | sudo bash

// update the apt list
apt update

// fix any broken dependency 

sudo apt --fix-broken install

// install the rabbitmq-server

$apt-get install rabbitmq-server=3.11.4-1

// remove any unneeded package

$apt autoremove

$apt purge

// start the mysql service to make Expedition available

$service mysql start

 

Verify the two packages are updated with the required version with below commands:

 

$apt list --installed | grep erlang 

$apt list --installed | grep rabbitmq-server

 

Screen Shot 2022-12-14 at 9.02.49 AM.png

 

Rate this article:
  • 4171 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎04-23-2024 06:25 AM
Updated by: