Vulnerability Data

by Reconmap

CVE-2017-3733

During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.

Published at
2017-05-04T19:29Z
2558 days ago
Modified
2019-04-23T19:30Z
1839 days ago
CWE-20
Problem type

Impact

CVSS v3 vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Severity Score Vector

7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References


URLType
www.openssl.org
https://www.openssl.org/news/secadv/20170216.txt		CONFIRM
96269
http://www.securityfocus.com/bid/96269		BID
h20566.www2.hpe.com
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03728en_us		CONFIRM
1037846
http://www.securitytracker.com/id/1037846		SECTRACK
www.oracle.com
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html		CONFIRM
www.oracle.com
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html		CONFIRM
github.com
https://github.com/openssl/openssl/commit/4ad93618d26a3ea23d36ad5498ff4f59eff3a4d2		MISC
www.oracle.com
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html		MISC

GET https://vulnerabilitydata.com/api/details/CVE-2017-3733

{
	"id": "CVE-2017-3733",
	"published_date": "2017-05-04T19:29Z",
	"last_modified_date": "2019-04-23T19:30Z",
	"assigner": "openssl-security@openssl.org",
	"description": "During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.",
	"references": [
		{
			"url": "https://www.openssl.org/news/secadv/20170216.txt",
			"name": "https://www.openssl.org/news/secadv/20170216.txt",
			"refsource": "CONFIRM",
			"tags": [
				"Vendor Advisory"
			]
		},
		{
			"url": "http://www.securityfocus.com/bid/96269",
			"name": "96269",
			"refsource": "BID",
			"tags": [
				"Third Party Advisory",
				"VDB Entry"
			]
		},
		{
			"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03728en_us",
			"name": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03728en_us",
			"refsource": "CONFIRM",
			"tags": [
				"Third Party Advisory",
				"VDB Entry"
			]
		},
		{
			"url": "http://www.securitytracker.com/id/1037846",
			"name": "1037846",
			"refsource": "SECTRACK",
			"tags": []
		},
		{
			"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html",
			"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html",
			"refsource": "CONFIRM",
			"tags": []
		},
		{
			"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html",
			"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html",
			"refsource": "CONFIRM",
			"tags": []
		},
		{
			"url": "https://github.com/openssl/openssl/commit/4ad93618d26a3ea23d36ad5498ff4f59eff3a4d2",
			"name": "https://github.com/openssl/openssl/commit/4ad93618d26a3ea23d36ad5498ff4f59eff3a4d2",
			"refsource": "MISC",
			"tags": []
		},
		{
			"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
			"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
			"refsource": "MISC",
			"tags": []
		}
	],
	"impact": {
		"baseMetricV3": {
			"cvssV3": {
				"version": "3.0",
				"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
				"attackVector": "NETWORK",
				"attackComplexity": "LOW",
				"privilegesRequired": "NONE",
				"userInteraction": "NONE",
				"scope": "UNCHANGED",
				"confidentialityImpact": "NONE",
				"integrityImpact": "NONE",
				"availabilityImpact": "HIGH",
				"baseScore": 7.5,
				"baseSeverity": "HIGH"
			},
			"exploitabilityScore": 3.9,
			"impactScore": 3.6
		},
		"baseMetricV2": {
			"cvssV2": {
				"version": "2.0",
				"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
				"accessVector": "NETWORK",
				"accessComplexity": "LOW",
				"authentication": "NONE",
				"confidentialityImpact": "NONE",
				"integrityImpact": "NONE",
				"availabilityImpact": "PARTIAL",
				"baseScore": 5
			},
			"severity": "MEDIUM",
			"exploitabilityScore": 10,
			"impactScore": 2.9,
			"acInsufInfo": true,
			"obtainAllPrivilege": false,
			"obtainUserPrivilege": false,
			"obtainOtherPrivilege": false,
			"userInteractionRequired": false
		}
	},
	"problem_type": "CWE-20"
}