Vulnerability Name:

CVE-2017-3730 (CCN-121311)

Assigned: 2016-12-16
Published: 2017-01-26
Updated: 2019-04-25
Summary: In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange, the client can attempt to dereference a NULL pointer and crash. This could be exploited in a denial-of-service attack. Only the TLS client side is exposed (the bad parameters arrive from the server during the key exchange, so a server is not crashed by a misbehaving client), and only the 1.1.0 branch: the affected releases are 1.1.0 through 1.1.0c, and the fix is in 1.1.0d.
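Added example, not part of this record or of the OpenSSL project: a classifier for the affected range stated above (1.1.0 through 1.1.0c, fixed in 1.1.0d). It accepts the text form printed by `openssl version` (the same string Python exposes as ssl.OPENSSL_VERSION) and the packed OPENSSL_VERSION_NUMBER integer that 1.x builds export (laid out as 0xMNNFFPPS, so 1.1.0c is 0x1010003f), and it checks the OpenSSL the running interpreter is linked against. The letter-to-number mapping (a = 1, b = 2, ...) is OpenSSL's own packed-version convention; the sample version strings are constructed for the demonstration.

```python
"""Classify an OpenSSL build against the CVE-2017-3730 affected range.

Added example, not part of the vulnerability record or of OpenSSL itself.
Affected: OpenSSL 1.1.0 through 1.1.0c; fixed in 1.1.0d. Other branches
(1.0.2, 1.1.1, 3.x) are outside the range and reported as not affected.
"""
import re
import ssl

# (major, minor, fix, release-letter-as-number); 1.1.0 has no letter, so patch 0.
AFFECTED_LOW = (1, 1, 0, 0)   # OpenSSL 1.1.0
AFFECTED_HIGH = (1, 1, 0, 3)  # OpenSSL 1.1.0c

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version_string(text):
    """'OpenSSL 1.1.0c  10 Nov 2016' -> (1, 1, 0, 3).

    Works on the output of `openssl version` and on ssl.OPENSSL_VERSION.
    The release letter maps a=1, b=2, ... as in OpenSSL's packed version number.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL-style version in %r" % text)
    major, minor, fix = (int(match.group(i)) for i in (1, 2, 3))
    letter = match.group(4)
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (major, minor, fix, patch)


def parse_version_number(number):
    """Unpack a 1.x OPENSSL_VERSION_NUMBER laid out as 0xMNNFFPPS:
    0x1010003f -> (1, 1, 0, 3). The low nibble (release status) is dropped.
    3.x packs its fields differently, but any major other than 1 is outside
    the affected range anyway, so the result is still usable for this check.
    """
    major = (number >> 28) & 0xF
    minor = (number >> 20) & 0xFF
    fix = (number >> 12) & 0xFF
    patch = (number >> 4) & 0xFF
    return (major, minor, fix, patch)


def is_affected(version):
    """True when the build is 1.1.0 .. 1.1.0c. Accepts a version string or the packed int."""
    if isinstance(version, int):
        parsed = parse_version_number(version)
    else:
        parsed = parse_version_string(version)
    return AFFECTED_LOW <= parsed <= AFFECTED_HIGH


def check_running_interpreter():
    """Inspect the OpenSSL that this Python's ssl module was linked against.

    Both encodings are checked so that a mismatch between the library's
    version string and its compiled-in number would be visible.
    """
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "affected_by_string": is_affected(ssl.OPENSSL_VERSION),
        "affected_by_number": is_affected(ssl.OPENSSL_VERSION_NUMBER),
    }


if __name__ == "__main__":
    # Constructed samples in the `openssl version` output format.
    for sample in ("OpenSSL 1.1.0", "OpenSSL 1.1.0c  10 Nov 2016",
                   "OpenSSL 1.1.0d", "OpenSSL 1.0.2k"):
        print("%-30s affected=%s" % (sample, is_affected(sample)))
    print(check_running_interpreter())
```

Run it on the host being assessed; a vendored or statically linked OpenSSL inside an application (the IBM and Oracle products listed below are such cases) has to be checked from that application's own binary, not from the system library.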
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-476 (NULL Pointer Dereference)
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2017-3730

Source: CCN
Type: IBM Security Bulletin T1024868 (Flex System Manager Node)
Multiple vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM) Storage Manager Install Anywhere (SMIA) configuration tool

Source: CCN
Type: IBM Security Bulletin T1025160 (Flex System Manager Node)
Vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM)

Source: CCN
Type: IBM Security Bulletin T1025664 (Cloud Manager with Openstack)
Multiple vulnerabilities in OpenSSL affect IBM Cloud Manager

Source: CCN
Type: IBM Security Bulletin N1021845 (i)
Multiple Vulnerabilities in OpenSSL affect IBM i

Source: CCN
Type: IBM Security Bulletin S1010726 (Network Advisor)
IBM b-type Network/Storage switches are affected by Open Source OpenSSL Vulnerabilities (OpenSSL and Node.JS consumers).

Source: CCN
Type: IBM Security Bulletin S1012311 (Data ONTAP)
January 2017 OpenSSL Vulnerabilities affect Multiple N series Products

Source: CCN
Type: IBM Security Bulletin 2000445 (Tealeaf Customer Experience)
Multiple security issues in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On

Source: CCN
Type: IBM Security Bulletin 2000513 (Tealeaf Customer Experience)
Vulnerability in the OpenSSL library affects IBM Tealeaf Customer Experience PCA (CVE-2017-3730).

Source: CCN
Type: IBM Security Bulletin 2002375 (Tivoli Composite Application Manager for Transactions)
Vulnerability in OpenSSL affects IBM Tivoli Composite Application Manager for Transactions (CVE-2017-3730)

Source: CCN
Type: IBM Security Bulletin 2004036 (Cognos Business Intelligence)
IBM Cognos Business Intelligence Server 2017Q2 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 2004195 (Sterling B2B Integrator)
Multiple vulnerabilities in OpenSSL affect IBM Sterling B2B Integrator (CVE-2017-3730, CVE-2017-3732, CVE-2016-7055, CVE-2016-8610)

Source: CCN
Type: IBM Security Bulletin 2004648 (Cognos Controller)
IBM Cognos Controller 2017Q2 Security Updater: Multiple vulnerabilities have been identified in IBM Cognos Controller

Source: CCN
Type: IBM Security Bulletin 2004940 (Rational Application Developer for WebSphere Software)
Multiple vulnerabilities in OpenSSL affect IBM Rational Application Developer for WebSphere Software

Source: CCN
Type: IBM Security Bulletin 2005439 (Rational Software Architect)
Multiple vulnerabilities in OpenSSL affect IBM Rational Software Architect and Rational Software Architect for WebSphere Software

Source: CCN
Type: IBM Security Bulletin 2005997 (Rational Reporting for Development Intelligence)
Vulnerabilities in OpenSSL affect Rational Reporting for Development Intelligence

Source: CCN
Type: IBM Security Bulletin 2005998 (Rational Insight)
Vulnerabilities in OpenSSL affect Rational Insight

Source: CCN
Type: IBM Security Bulletin 2006232 (Sametime)
Vulnerabilities in OpenSSL affect IBM Media Server

Source: CCN
Type: IBM Security Bulletin 2006602 (InfoSphere Master Data Management)
IBM InfoSphere Master Data Management is vulnerable to multiple OpenSSL vulnerabilities (CVE-2016-7055, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732)

Source: CCN
Type: IBM Security Bulletin 2014167 (Campaign)
Multiple Open Source Vulnerabilities Affect IBM Campaign and IBM Contact Optimization

Source: CCN
Type: IBM Security Bulletin C1000345 (MobileFirst Platform Foundation)
Multiple Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation

Source: CONFIRM
Type: Patch
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Source: CONFIRM
Type: Patch
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Source: BID
Type: Broken Link, Third Party Advisory, VDB Entry
95812

Source: CCN
Type: BID-95812
OpenSSL CVE-2017-3730 NULL Pointer Dereference Denial of Service Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1037717

Source: XF
Type: UNKNOWN
openssl-cve20173730-dos(121311)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/openssl/openssl/commit/efbe126e3ebb9123ac9d058aa2bb044261342aaa

Source: CCN
Type: Packet Storm Security [01-31-2017]
OpenSSL 1.1.0 Remote Client Denial Of Service

Source: GENTOO
Type: Third Party Advisory
GLSA-201702-07

Source: CONFIRM
Type: Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03838en_us

Source: CCN
Type: Cisco Security Advisory cisco-sa-20170130-openssl
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January 2017

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [01-26-2017]

Source: EXPLOIT-DB
Type: Exploit, Third Party Advisory, VDB Entry
41192

Source: CCN
Type: OpenSSL Security Advisory [26 Jan 2017]
OpenSSL Security Advisory [26 Jan 2017]

Source: CONFIRM
Type: Patch, Vendor Advisory
https://www.openssl.org/news/secadv/20170126.txt

Source: MISC
Type: Patch
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:openssl:openssl:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.1.0a:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.1.0b:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.1.0c:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:oracle:agile_engineering_data_management:6.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:agile_engineering_data_management:6.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_application_session_controller:3.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_application_session_controller:3.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_eagle_lnp_application_processor:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_eagle_lnp_application_processor:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_eagle_lnp_application_processor:10.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jd_edwards_world_security:a9.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jd_edwards_world_security:a9.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jd_edwards_world_security:a9.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:openssl:openssl:1.1.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:infosphere_master_data_management:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sametime:8.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sametime:8.5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_insight:1.1.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sametime:9.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sametime:9.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management:11.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:9.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:9.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:9.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:9.1.2:*:*:*:*:*:*:*
  • OR cpe:/h:ibm:flex_system_manager_node_7955:-:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management:11.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:9.1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:9.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.6:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sametime:9.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_master_data_management:11.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tealeaf_customer_experience:*:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tealeaf_customer_experience:9.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tealeaf_customer_experience:8.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tealeaf_customer_experience:8.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tealeaf_customer_experience:9.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tealeaf_customer_experience:9.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.3.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
Oval Definitions
Definition ID                              | Class | Title                                                        | Last Modified
oval:com.ubuntu.xenial:def:201737300000000 | V     | CVE-2017-3730 on Ubuntu 16.04 LTS (xenial) - medium.         | 2017-05-04
oval:com.ubuntu.trusty:def:20173730000     | V     | CVE-2017-3730 on Ubuntu 14.04 LTS (trusty) - medium.         | 2017-05-04
oval:com.ubuntu.xenial:def:20173730000     | V     | CVE-2017-3730 on Ubuntu 16.04 LTS (xenial) - medium.         | 2017-05-04
oval:org.cisecurity:def:1949               | V     | Vulnerability in OpenSSL 1.1.0 before 1.1.0d - CVE-2017-3730 | 2017-03-10
oval:com.ubuntu.precise:def:20173730000    | V     | CVE-2017-3730 on Ubuntu 12.04 LTS (precise) - medium.        | 2017-01-26