{
  "threat_severity" : "Critical",
  "public_date" : "2022-09-21T00:00:00Z",
  "bugzilla" : {
    "description" : "erlang/otp: Client Authentication Bypass",
    "id" : "2141802",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2141802"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-305",
  "details" : [ "In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.", "A Client Authentication Bypass was found in Erlang/OTP. This issue occurs in certain client-certification situations for SSL, TLS, and DTLS." ],
  "statement" : "Some releases of Red Hat OpenStack Platform ship an affected version of the Erlang libraries, however RHOSP is configured to use application-level shared secret authentication during TLS sessions. This makes it unlikely to be exploitable as none of the vulnerable codepaths are exposed and no client certificate is used for authentication. For this reason the impact to Red Hat OpenStack Platform has been downgraded to Moderate.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "release_date" : "2022-12-07T00:00:00Z",
    "advisory" : "RHSA-2022:8857",
    "cpe" : "cpe:/a:redhat:openstack:16.2::el8",
    "package" : "erlang-0:23.3.4.18-1.el8ost",
    "impact" : "moderate"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "erlang",
    "cpe" : "cpe:/a:redhat:openstack:13",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "fix_state" : "Will not fix",
    "package_name" : "erlang",
    "cpe" : "cpe:/a:redhat:openstack:16.1",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.0",
    "fix_state" : "Not affected",
    "package_name" : "erlang",
    "cpe" : "cpe:/a:redhat:openstack:17.0",
    "impact" : "moderate"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-37026\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-37026\nhttps://erlangforums.com/t/otp-25-1-released/1854\nhttps://github.com/erlang/otp/releases/tag/OTP-25.1\nhttps://www.erlang.org/patches/otp-25.1" ],
  "name" : "CVE-2022-37026",
  "csaw" : false
}