7.5

CVE-2017-3733

Encrypt-Then-Mac renegotiation crash

During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenSSLOpenSSL Version1.1.0
OpenSSLOpenSSL Version1.1.0a
OpenSSLOpenSSL Version1.1.0b
OpenSSLOpenSSL Version1.1.0c
OpenSSLOpenSSL Version1.1.0d
HpOperations Agent Version11.14
HpOperations Agent Version11.15
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 12.87% 0.958
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03728en_us
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/96269
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1037846
https://github.com/openssl/openssl/commit/4ad93618d26a3ea23d36ad5498ff4f59eff3a4d2
https://www.openssl.org/news/secadv/20170216.txt
Vendor Advisory