CVE-2020-12872 #402
Comments
I have not been informed of this until now, thanks for letting me know. In this particular area, Yaws by default supports whatever Erlang/OTP underneath it supports, which in turn is affected by the OpenSSL version the Erlang/OTP VM was built to use. OpenSSL took steps years ago to mitigate this issue, so if users are using a recent OpenSSL version in their deployment, they're probably in pretty good shape. In addition, Yaws allows users to specify, via configuration, the TLS versions and cipher suites they use for a particular server. The author of the blog post is using Yaws version 2.0.2, which is five years old, but they don't specify what versions of Erlang/OTP or OpenSSL they're using. The posting says Yaws versions up to 2.0.6 are also vulnerable, but that depends, again, on the underlying Erlang/OTP and OpenSSL versions. We generally don't patch old versions; instead, given that we try hard to maintain backward compatibility, we encourage folks to upgrade to newer versions. I'm currently doing some work on Yaws in the cipher suite area due to changes that came along in the recent Erlang/OTP 23.0 release, and will consider additional work to address this CVE.
I confirm that Yaws by default uses the list of TLS ciphers supplied by the Erlang ssl module. As far as I can find, Erlang/OTP up to version 20 included 3DES ciphers in the default list, and starting from version 21 (released 2 years ago) it doesn't include 3DES ciphers in its default list of ciphers.
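The two comments above say that Yaws inherits the Erlang ssl module's default cipher list, and that whether 3DES is in that list depends on the Erlang/OTP release. The module below is an added example, not code from the Yaws project or from this thread, that lets an operator check the running VM directly: it fetches the default TLS 1.2 suites from `ssl:cipher_suites/2`, reports whether any 3DES suite is present, and produces a filtered list that can be handed to the ssl application as the `ciphers` option. It assumes Erlang/OTP 21 or later, where `ssl:cipher_suites/2` returns suites as maps (older releases return tuples, so the map patterns here will not match there).

```erlang
%% Added example, not part of the Yaws project or of this issue thread.
%% Lists the default TLS 1.2 cipher suites of the running Erlang/OTP ssl
%% application and reports whether any 3DES (3DES-EDE-CBC) suite is present.
%% Assumes OTP 21 or later, where ssl:cipher_suites/2 returns maps of the
%% form #{key_exchange => ..., cipher => ..., mac => ..., prf => ...}.
-module(check_3des).
-export([main/0, default_suites/0, has_3des/1, drop_3des/1]).

%% Default suites the ssl module would use for TLS 1.2 on this VM.
default_suites() ->
    ssl:cipher_suites(default, 'tlsv1.2').

%% True if any suite in the list uses the 3DES-EDE-CBC cipher.
has_3des(Suites) ->
    lists:any(fun(#{cipher := '3des_ede_cbc'}) -> true;
                 (_) -> false
              end, Suites).

%% The same list with every 3DES suite removed. The result can be passed
%% to ssl:listen/2 or ssl:connect/3 as {ciphers, List}.
drop_3des(Suites) ->
    [S || S = #{cipher := C} <- Suites, C =/= '3des_ede_cbc'].

%% Entry point for: erlc check_3des.erl && \
%%   erl -noshell -s check_3des main -s init stop
main() ->
    {ok, _} = application:ensure_all_started(ssl),
    Suites = default_suites(),
    io:format("OTP ~s: ~p default TLS 1.2 suites, 3DES present: ~p~n",
              [erlang:system_info(otp_release), length(Suites),
               has_3des(Suites)]),
    Safe = drop_3des(Suites),
    io:format("~p suites remain after dropping 3DES~n", [length(Safe)]),
    ok.
```

Running this on the same VM that serves Yaws answers the question the thread leaves open (which OTP and OpenSSL build is actually in use) without guessing from version numbers. The filtered list from `drop_3des/1` is the shape the ssl application expects for its `ciphers` option; how that list is written into a Yaws server configuration depends on the Yaws release in use, so consult the yaws.conf documentation for that release rather than assuming a key name.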
While going through some CVE feeds and tracking the information, I noticed the CVE-2020-12872 assignment for yaws, which is from the following report
Were you informed about this?