Vulnerability Details CVE-2017-3733
During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.033
EPSS Ranking 86.5%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/96269
- http://www.securitytracker.com/id/1037846
- https://github.com/openssl/openssl/commit/4ad93618d26a3ea23d36ad5498ff4f59eff3a4d2
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03728en_us
- https://www.openssl.org/news/secadv/20170216.txt
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/96269
- http://www.securitytracker.com/id/1037846
- https://github.com/openssl/openssl/commit/4ad93618d26a3ea23d36ad5498ff4f59eff3a4d2
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03728en_us
- https://www.openssl.org/news/secadv/20170216.txt
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Products affected by CVE-2017-3733
-
cpe:2.3:a:hp:operations_agent:11.14
-
cpe:2.3:a:hp:operations_agent:11.15
-
cpe:2.3:a:openssl:openssl:1.1.0
-
cpe:2.3:a:openssl:openssl:1.1.0a
-
cpe:2.3:a:openssl:openssl:1.1.0b
-
cpe:2.3:a:openssl:openssl:1.1.0c
-
cpe:2.3:a:openssl:openssl:1.1.0d