CVE-2017-1000385

Name: CVE-2017-1000385
Creator: NVD / NIST
Published: 2017-12-12T21:29:00.213+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 22.10%

Last modified Jun 17, 2026

CVE-2017-1000385 is a vulnerability of currently unknown severity. The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack).. EPSS estimates a 22.10% chance of exploitation in the next 30 days.

Description

The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack).

Metrics

EPSS Probability

22.10%

97.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-203

Affected Software

Vendor	Product	Versions
Erlang	Erlang\/Otp	18.3.4.7
Erlang	Erlang\/Otp	19.3.6.4
Erlang	Erlang\/Otp	20.1.7
Debian	Debian Linux	8.0
Debian	Debian Linux	9.0

References

http://erlang.org/pipermail/erlang-questions/2017-November/094255.htmlIssue Tracking, Mailing List, Vendor Advisory
http://erlang.org/pipermail/erlang-questions/2017-November/094256.htmlIssue Tracking, Mailing List, Vendor Advisory
http://erlang.org/pipermail/erlang-questions/2017-November/094257.htmlIssue Tracking, Mailing List, Vendor Advisory
http://www.securityfocus.com/bid/102197Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2018:0242
https://access.redhat.com/errata/RHSA-2018:0303
https://access.redhat.com/errata/RHSA-2018:0368
https://access.redhat.com/errata/RHSA-2018:0528
https://lists.debian.org/debian-lts-announce/2017/12/msg00010.html
https://robotattack.org/Issue Tracking, Third Party Advisory
https://usn.ubuntu.com/3571-1/
https://www.debian.org/security/2017/dsa-4057Issue Tracking, Third Party Advisory
https://www.kb.cert.org/vuls/id/144389Issue Tracking, Third Party Advisory, US Government Resource
http://erlang.org/pipermail/erlang-questions/2017-November/094255.htmlIssue Tracking, Mailing List, Vendor Advisory
http://erlang.org/pipermail/erlang-questions/2017-November/094256.htmlIssue Tracking, Mailing List, Vendor Advisory
http://erlang.org/pipermail/erlang-questions/2017-November/094257.htmlIssue Tracking, Mailing List, Vendor Advisory
http://www.securityfocus.com/bid/102197Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2018:0242
https://access.redhat.com/errata/RHSA-2018:0303
https://access.redhat.com/errata/RHSA-2018:0368
https://access.redhat.com/errata/RHSA-2018:0528
https://lists.debian.org/debian-lts-announce/2017/12/msg00010.html
https://robotattack.org/Issue Tracking, Third Party Advisory
https://usn.ubuntu.com/3571-1/
https://www.debian.org/security/2017/dsa-4057Issue Tracking, Third Party Advisory
https://www.kb.cert.org/vuls/id/144389Issue Tracking, Third Party Advisory, US Government Resource

Timeline

Published: Dec 12, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-1000385?

How severe is CVE-2017-1000385?

Severity scoring for CVE-2017-1000385 is pending analysis. The EPSS model estimates a 22.10% probability of exploitation in the next 30 days.

How do I fix CVE-2017-1000385?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-1000385?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST