←back to thread

Unauthenticated Remote Code Execution in Erlang/OTP SSH

(nvd.nist.gov)
198 points kimi | 1 comments | 17 Apr 25 13:29 UTC | HN request time: 0.239s | source
Show context
aposm ◴[17 Apr 25 17:22 UTC] No.43719774[source]
Oops..... we are currently trying to sell an elixir-based greenfield project internally. This doesn't affect elixir by default as other commenters pointed out, but still might make our project a bit harder to pitch to management...
replies(3): >>43720018 #>>43720413 #>>43724686 #
jerf ◴[17 Apr 25 17:43 UTC] No.43720018[source]
If your organization is looking for "the language ecosystem that never has any security vulnerabilities", pack it in and close up shop because you're not going to find one. How many, how often, and how they are handled is far more important.

While the Erlang/Elixir ecosystem won't stop you from writing a network server that takes in a string and just blithely passes it along to a shell without analysis, overall the Erlang/Elixir ecosystem is very strong and lacks most of the footguns like an "eval" statement that get people. Though I will ding it a point for the most obvious way to run a shell command [1] taking just a string that goes to a shell rather than an array of parameters to a shell command.

It is on the higher end of secure languages to write a network server in.

replies(5): >>43720485 #>>43720496 #>>43720948 #>>43721090 #>>43723488 #
1. Hikikomori ◴[17 Apr 25 19:27 UTC] No.43721090[source]
Just create your own.