←back to thread

Unauthenticated Remote Code Execution in Erlang/OTP SSH

(nvd.nist.gov)
198 points kimi | 1 comments | 17 Apr 25 13:29 UTC | HN request time: 0.232s | source
Show context
aposm ◴[17 Apr 25 17:22 UTC] No.43719774[source]
Oops..... we are currently trying to sell an elixir-based greenfield project internally. This doesn't affect elixir by default as other commenters pointed out, but still might make our project a bit harder to pitch to management...
replies(3): >>43720018 #>>43720413 #>>43724686 #
1. rramadass ◴[18 Apr 25 03:20 UTC] No.43724686[source]
That is quite the wrong way of looking at it. The vulnerability is in a implementation of SSH and not with the language/runtime itself; And it has already been patched. Erlang is a "managed" language and is quite secure compared to others.

You should definitely "sell" Elixir/Erlang/BEAM based languages to your management for a greenfield project; The opportunity is too good to pass up.

Nevertheless, if you would like to learn how to "harden" your Elixir/Erlang system, see the guidelines from the "Security Working Group" of EEF which i have linked to here - https://news.ycombinator.com/item?id=43717633