Vulnerability Details CVE-2017-3730
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.601
EPSS Ranking 98.1%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/95812
- http://www.securitytracker.com/id/1037717
- https://github.com/openssl/openssl/commit/efbe126e3ebb9123ac9d058aa2bb044261342aaa
- https://security.gentoo.org/glsa/201702-07
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03838en_us
- https://www.exploit-db.com/exploits/41192/
- https://www.openssl.org/news/secadv/20170126.txt
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/95812
- http://www.securitytracker.com/id/1037717
- https://github.com/openssl/openssl/commit/efbe126e3ebb9123ac9d058aa2bb044261342aaa
- https://security.gentoo.org/glsa/201702-07
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03838en_us
- https://www.exploit-db.com/exploits/41192/
- https://www.openssl.org/news/secadv/20170126.txt
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Products affected by CVE-2017-3730
-
cpe:2.3:a:openssl:openssl:1.1.0
-
cpe:2.3:a:openssl:openssl:1.1.0a
-
cpe:2.3:a:openssl:openssl:1.1.0b
-
cpe:2.3:a:openssl:openssl:1.1.0c
-
cpe:2.3:a:oracle:agile_engineering_data_management:6.1.3
-
cpe:2.3:a:oracle:agile_engineering_data_management:6.2.0
-
cpe:2.3:a:oracle:communications_application_session_controller:3.7.1
-
cpe:2.3:a:oracle:communications_application_session_controller:3.8.0
-
cpe:2.3:a:oracle:communications_eagle_lnp_application_processor:10.0
-
cpe:2.3:a:oracle:communications_eagle_lnp_application_processor:10.1
-
cpe:2.3:a:oracle:communications_eagle_lnp_application_processor:10.2
-
cpe:2.3:a:oracle:communications_operations_monitor:3.4
-
cpe:2.3:a:oracle:communications_operations_monitor:4.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2
-
cpe:2.3:a:oracle:jd_edwards_world_security:a9.1
-
cpe:2.3:a:oracle:jd_edwards_world_security:a9.2
-
cpe:2.3:a:oracle:jd_edwards_world_security:a9.3
-
cpe:2.3:a:oracle:jd_edwards_world_security:a9.4