Vulnerability: Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.

Any suggestion on the below is appreciated: using a lower version of OTP for the purpose of RabbitMQ.
We have a vulnerability identified: there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.

So we were advised to download patches to fix the vulnerabilities (patches are not available on the machine), so I manually downloaded and installed otp-25-1.

Still I see OTP 24 is not upgraded, and the vulnerabilities are still being flagged.

From where do you get your information?

From our release notes:

A vulnerability has been discovered and corrected. It is registered as CVE-2022-37026 “Client Authentication Bypass”. Corrections have been released on the supported tracks with patches 23.3.4.15, 24.3.4.2, and 25.0.2. The vulnerability might also exist in older OTP versions. We recommend that impacted users upgrade to one of these versions or later on the respective tracks. OTP 25.1 would be an even better choice. Impacted are those who are running an ssl/tls/dtls server using the ssl application either directly or indirectly via other applications, for example via inets (httpd), cowboy, etc. Note that the vulnerability only affects servers that request client certification, that is, servers that set the option {verify, verify_peer}.

Own Id: OTP-18241

Note that this was some time ago. We currently do not view either 23 or 24 as supported tracks anymore.
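The release note above gives two conditions for exposure: the running OTP must be below the fixed patch level on its track (23.3.4.15, 24.3.4.2, 25.0.2), and the server must request client certificates with `{verify, verify_peer}`. The original poster's problem was exactly that the installed runtime was still a 24.x below that level. The following POSIX shell script is an added example, not code from the thread or from the Erlang/OTP or RabbitMQ projects; it compares a dotted version string numerically against the fixed version for its track and combines the result with the configured verify option. It assumes the standard OTP installation layout, where the full version string lives in `releases/<major>/OTP_VERSION` under the code root, and that versions are plain dotted numbers (no `-rc` suffixes).

```shell
#!/bin/sh
# Added example: check whether an Erlang/OTP version carries the
# CVE-2022-37026 fix, and whether a server is exposed given its verify option.

# version_ge A B: returns 0 when dotted version A >= B, comparing each
# component numerically (so 24.3.4.10 > 24.3.4.2) and padding missing
# components with 0 (so 24.3 < 24.3.4.2).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# cve_2022_37026_fixed V: returns 0 when OTP version V is at or above the
# fixed patch level on its track, as listed in the OTP release note.
# Tracks 26 and later were cut after the fix; tracks older than 23 never
# received one, so they are reported as unfixed (the check fails closed).
cve_2022_37026_fixed() {
    v="$1"
    major="${v%%.*}"
    case "$major" in
        23) fix="23.3.4.15" ;;
        24) fix="24.3.4.2" ;;
        25) fix="25.0.2" ;;
        *)  if [ "$major" -gt 25 ]; then return 0; else return 1; fi ;;
    esac
    version_ge "$v" "$fix"
}

# exposed_to_cve_2022_37026 V VERIFY: returns 0 when the server is exposed,
# i.e. the runtime is unfixed AND the ssl verify option is verify_peer.
# VERIFY is the atom as written in the config: verify_peer or verify_none.
exposed_to_cve_2022_37026() {
    if cve_2022_37026_fixed "$1"; then return 1; fi
    [ "$2" = "verify_peer" ]
}

# Usage on the host: read the full version of the OTP that `erl` resolves to.
# This is how to see which runtime is actually in use after installing a new
# one next to an old one.
if command -v erl >/dev/null 2>&1; then
    otp_version=$(cat "$(erl -noshell -eval \
        'io:format("~s", [filename:join([code:root_dir(), "releases", erlang:system_info(otp_release), "OTP_VERSION"])]), halt().')")
    if cve_2022_37026_fixed "$otp_version"; then
        echo "OTP $otp_version: CVE-2022-37026 fix present"
    else
        echo "OTP $otp_version: below the fixed patch level, upgrade the runtime"
    fi
fi
```

Running it with the `erl` on `PATH` shows which runtime RabbitMQ will actually start with; if a freshly installed 25.1 is not the one reported, the old 24.x is still first on `PATH` and the scanner's finding is correct.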

Erlang/OTP 24.x is no longer supported; the Erlang/OTP support policy is documented here: Support, Compatibility, Deprecations, and Removal — Erlang System Documentation v27.1.2

Erlang | endoflife.date says that Erlang/OTP 25.x will receive security updates until May 2025. I can’t reconcile that with the above support policy (which implies that only 27.x is supported), but it sounds fair.

Per the RabbitMQ documentation – Erlang Version Requirements | RabbitMQ – Erlang/OTP 25.x and 26.x are the only currently supported versions.

Upgrade to the latest version of RabbitMQ, using Erlang/OTP 26.x.