
Cloud Vulnerability DB
A community-led vulnerabilities database
A Client Authentication Bypass vulnerability (CVE-2022-37026) was discovered in Erlang/OTP affecting versions before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2. The vulnerability impacts SSL, TLS, and DTLS implementations in the Erlang runtime system. This security issue was disclosed in September 2022 (NVD, Ubuntu).
The vulnerability affects servers that request a client certificate by setting the ssl option {verify, verify_peer}. In certain client-certification situations the server does not correctly validate the client certificate during the TLS handshake, so a client can be accepted without passing the certificate check the server was configured to enforce. The issue received a CVSS 3.1 Base Score of 9.8 (Critical): network attack vector, low attack complexity, and no privileges or user interaction required (Ubuntu).
A remote attacker can therefore bypass client authentication in any server that uses the SSL application, either directly or indirectly through applications built on it such as inets (httpd) or cowboy. Any system that relies on client certificates as its authentication control (mutual TLS) is affected, whichever layer performs the ssl calls (Erlang Forums, Debian).
The vulnerability has been fixed in Erlang/OTP versions 23.3.4.15, 24.3.4.2, and 25.0.2. Users should upgrade to these patched versions or later releases on their respective tracks. Because the fixes landed on maintenance tracks, check the full patch version (for example 24.3.4.2) rather than only the major release. The fix was implemented through several commits that improved the handling of unexpected messages in the SSL implementation (Erlang Forums).
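The following Erlang module is an added example, not code from the advisory or from Erlang/OTP. It shows the server-side ssl options that make a listener subject to this issue (client certificate requested with {verify, verify_peer}) and a check of the running OTP patch version against the fixed releases named above. The module name client_auth_check, the certificate file paths, and the function names are assumptions for illustration; the OTP_VERSION file is the standard place the full patch version is recorded, since erlang:system_info(otp_release) only returns the major release. Configuration alone does not fix this CVE; the remediation the advisory gives is upgrading.

```erlang
%% Added example (not part of the advisory or of Erlang/OTP itself).
-module(client_auth_check).
-export([affected/0, affected/1, otp_version/0, server_ssl_opts/3]).

%% First patch release on each track that contains the fix for CVE-2022-37026.
fixed_versions() ->
    #{23 => [23, 3, 4, 15],
      24 => [24, 3, 4, 2],
      25 => [25, 0, 2]}.

%% Full OTP patch version of the running runtime, e.g. "24.3.4.1".
%% erlang:system_info(otp_release) only yields the major release ("24"),
%% so the OTP_VERSION file in the release directory is read instead.
otp_version() ->
    Release = erlang:system_info(otp_release),
    File = filename:join([code:root_dir(), "releases", Release, "OTP_VERSION"]),
    {ok, Bin} = file:read_file(File),
    string:trim(binary_to_list(Bin)).

%% true when the running runtime predates the fixed release on its track.
affected() ->
    affected(otp_version()).

%% true when Version (a string such as "24.3.4.1") predates the fixed release
%% on its track. Erlang compares lists element by element, so a shorter
%% prefix such as [24,3,4] sorts before [24,3,4,2]. Tracks older than 23
%% never received a fix; tracks newer than 25 were cut after the fix.
affected(Version) ->
    Parts = [list_to_integer(P) || P <- string:lexemes(Version, ".")],
    Major = hd(Parts),
    case maps:find(Major, fixed_versions()) of
        {ok, Fixed} -> Parts < Fixed;
        error when Major < 23 -> true;
        error -> false
    end.

%% Server options for a mutual-TLS listener. {verify, verify_peer} asks the
%% client for a certificate, which is the configuration the advisory names;
%% fail_if_no_peer_cert makes the handshake fail when none is presented.
%% Paths are placeholders supplied by the caller. On an affected runtime
%% these options do not prevent the bypass; only upgrading does.
server_ssl_opts(CertFile, KeyFile, CaFile) ->
    [{certfile, CertFile},
     {keyfile, KeyFile},
     {cacertfile, CaFile},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {versions, ['tlsv1.3', 'tlsv1.2']}].
```

Compile the module and call client_auth_check:affected() on each node to flag runtimes still below the fixed release for their track; client_auth_check:affected/1 can be fed version strings collected from a fleet inventory. The options returned by server_ssl_opts/3 are passed to ssl:listen/2 or ssl:handshake/2 in the usual way.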
Source: This report was generated using AI