Does a security issue with the node cookies continue to exist nowadays?

Does this issue still exist? Given that the guys has mentioned that a fix would involve a lot code change.

And is there a PoC for it?

1 Like

I didn’t watch the talk in full, skimmed through it, and it sounds like a few issues were discussed, but at the start it was mentioned that some patches were created per issues the speaker found. If I can find the time I can double back and watch the video in full or perhaps you can ask more specific questions? Maybe someone from OTP team who was involved with the patches at the time can comment further.

That said, you should follow the manual and :

  1. Generate cookies using crypto
  2. Do use TLS.
  3. Try to treat cookies more as a means to wall off nodes from other nodes vs a security mechanism (but do heed point 1) and rely on TLS and other means more for security.

See distributed erlang

The cookie is not a security measure, it’s meant to prevent distinct clusters from crossing each other on a local and secure network. The documentation states that it’s there to prevent accidental misuse, not a deliberate attack.

We never considered this a security issue in and of itself because no one in their right mind would run the unencrypted and unauthenticated Erlang distribution unsecured over the internet.

There is nothing to fix other than for people who do that, to stop doing that.

6 Likes