CVE-2017-3733

EPSS 7.79%
Published 04.05.2017 19:29:00
Last modified 20.04.2025 01:37:25
Source openssl-security@openssl.org
Teams watchlist Login
Open Login

During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.

Affected products Warnungen 0 Metrics 3 CWE 1 References 11

Data is provided by the National Vulnerability Database (NVD)

OpenSSL ≫ OpenSSL Version1.1.0

OpenSSL ≫ OpenSSL Version1.1.0a

OpenSSL ≫ OpenSSL Version1.1.0b

OpenSSL ≫ OpenSSL Version1.1.0c

OpenSSL ≫ OpenSSL Version1.1.0d

Hp ≫ Operations Agent Version11.14

Hp ≫ Operations Agent Version11.15

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	7.79%	0.917

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03728en_us

Third Party Advisory

VDB Entry

http://www.securityfocus.com/bid/96269

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1037846

https://github.com/openssl/openssl/commit/4ad93618d26a3ea23d36ad5498ff4f59eff3a4d2

https://www.openssl.org/news/secadv/20170216.txt

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-3733

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-3733

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-3733

EUVD