Vulnerability Name: CVE-2017-3733 (CCN-122091)
Assigned: 2016-12-16
Published: 2017-02-16
Updated: 2019-04-23
Summary: During a renegotiation handshake, if the Encrypt-then-MAC extension is negotiated where it was not negotiated in the original handshake (or vice versa), OpenSSL 1.1.0 before 1.1.0e can crash; whether it does depends on the ciphersuite in use. Both clients and servers are affected, so an unauthenticated peer that can complete a handshake and then renegotiate can trigger the crash from the network. OpenSSL 1.0.2 is not affected. The fix is in OpenSSL 1.1.0e (commit 4ad93618, listed under References).
CVSS v3 Severity: 7.5 High (CVSS v3.1 base vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS v3 Temporal: 6.5 Medium (CVSS v3.1 temporal vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
CVSS v3 CCN Temporal: 4.6 Medium (CCN temporal vector, availability impact rated Low: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
CVSS v2 Severity: 5.0 Medium (CVSS v2 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Vulnerability Type: CWE-20 (Improper Input Validation)
Vulnerability Consequences: Denial of Service
References:
Source: MITRE | Type: CNA | CVE-2017-3733
Source: CCN | Type: IBM Security Bulletin 2002374 (Tivoli Composite Application Manager for Transactions) | Vulnerabilities in OpenSSL affects IBM Tivoli Composite Application Manager for Transactions (CVE-2000-1254, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, C
Source: CCN | Type: IBM Security Bulletin 2002489 (Initiate Master Data Service) | Denial of service vulnerability in OpenSSL affects IBM InfoSphere Master Data Management (CVE-2017-3733)
Source: CCN | Type: IBM Security Bulletin 2003673 (Spectrum Protect for Virtual Environments) | Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware
Source: CCN | Type: IBM Security Bulletin 2004940 (Rational Application Developer for WebSphere Software) | Multiple vulnerabilities in OpenSSL affect IBM Rational Application Developer for WebSphere Software
Source: CONFIRM | Type: UNKNOWN | http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Source: CCN | Type: Oracle CPUOct2017 | Oracle Critical Patch Update Advisory - October 2017
Source: CONFIRM | Type: UNKNOWN | http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Source: BID | Type: Third Party Advisory, VDB Entry | 96269
Source: CCN | Type: BID-96269 | OpenSSL CVE-2017-3733 Denial of Service Vulnerability
Source: SECTRACK | Type: UNKNOWN | 1037846
Source: XF | Type: UNKNOWN | openssl-cve20173733-dos(122091)
Source: MISC | Type: UNKNOWN | https://github.com/openssl/openssl/commit/4ad93618d26a3ea23d36ad5498ff4f59eff3a4d2
Source: CONFIRM | Type: Third Party Advisory, VDB Entry | https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03728en_us
Source: CCN | Type: Cisco Security Advisory cisco-sa-20170130-openssl | Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017
Source: CCN | Type: OpenSSL Security Advisory | OpenSSL Security Advisory [16 Feb 2017]
Source: CONFIRM | Type: Vendor Advisory | https://www.openssl.org/news/secadv/20170216.txt
Source: MISC | Type: UNKNOWN | https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Vulnerable Configuration:
Configuration 1:
Configuration 2:
Configuration CCN 1:
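The affected range stated in the Summary above (OpenSSL 1.1.0 through 1.1.0d, fixed in 1.1.0e, 1.0.2 and later release lines not affected) is easy to get wrong by hand because OpenSSL 1.x patch releases are lettered rather than numbered. The following Python is an added check written for this page; it is not code from the OpenSSL project or from any of the advisories listed above. It classifies either an `openssl version` style banner (the same string Python exposes as `ssl.OPENSSL_VERSION`) or the packed `OPENSSL_VERSION_NUMBER` integer against that range. The function names and the sample banners are the editor's own, and the banners are constructed, not captured from real hosts.

```python
"""Editor-added version check for CVE-2017-3733 (not OpenSSL or advisory code).

Affected range, as stated on this page: OpenSSL 1.1.0 through 1.1.0d.
Fixed in 1.1.0e. Other release lines (1.0.2, 1.1.1, 3.x) are out of scope.
"""
import re
import ssl

# Matches the leading "OpenSSL M.N.F<letters>" of an `openssl version` banner
# or Python's ssl.OPENSSL_VERSION, e.g. "OpenSSL 1.1.0c  10 Nov 2016".
_BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

AFFECTED_LINE = (1, 1, 0)   # only the 1.1.0 release line is affected
FIXED_LETTER = "e"          # 1.1.0e carries the fix


def parse_banner(banner):
    """Return (major, minor, fix, patch_letters), or None if not an OpenSSL banner."""
    m = _BANNER_RE.match(banner.strip())
    if m is None:
        return None
    major, minor, fix, letters = m.groups()
    return int(major), int(minor), int(fix), letters


def status_from_banner(banner):
    """Classify a banner as 'vulnerable', 'fixed', 'not affected' or 'unknown'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"          # LibreSSL, BoringSSL or garbage: say so, don't guess
    major, minor, fix, letters = parsed
    if (major, minor, fix) != AFFECTED_LINE:
        return "not affected"
    # OpenSSL 1.x patch releases append letters: "" (1.1.0) < "a" < ... < "d" are
    # vulnerable; "e" and later (up to "l", the last 1.1.0 release) are fixed.
    return "vulnerable" if letters < FIXED_LETTER else "fixed"


def status_from_number(number):
    """Classify an OPENSSL_VERSION_NUMBER in the 0xMNNFFPPS layout used by 1.x."""
    # 1.1.0e is 0x1010005F: major 1, minor 01, fix 00, patch 05, status f (release).
    if (number >> 12) != 0x10100:         # major/minor/fix nibbles must be 1.1.0
        return "not affected"
    patch = (number >> 4) & 0xFF          # 0 for 1.1.0, 1 for 1.1.0a, ... 5 for 1.1.0e
    return "vulnerable" if patch < 5 else "fixed"


def check_running_interpreter():
    """Classify the OpenSSL this Python is linked against, by both encodings."""
    return {
        "banner": ssl.OPENSSL_VERSION,
        "by_banner": status_from_banner(ssl.OPENSSL_VERSION),
        "by_number": status_from_number(ssl.OPENSSL_VERSION_NUMBER),
    }


# Constructed sample banners (editor's own, not captured from real hosts).
SAMPLE_BANNERS = [
    "OpenSSL 1.1.0  25 Aug 2016",
    "OpenSSL 1.1.0d  26 Jan 2017",
    "OpenSSL 1.1.0e  16 Feb 2017",
    "OpenSSL 1.0.2k  26 Jan 2017",
    "OpenSSL 1.1.1  11 Sep 2018",
    "LibreSSL 2.8.3",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:<32} {status_from_banner(b)}")
    print(check_running_interpreter())
```

This classifies only the library whose banner or number you feed it (by default, the one the running interpreter is linked against); it says nothing about a remote peer. Distribution packages that backport the fix while keeping a 1.1.0a-d version string will be reported as vulnerable even when patched, so for vendor builds confirm against the package changelog or the presence of the fix from commit 4ad93618 rather than the version string alone.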
Oval Definitions: