CVE-2017-3733
CVE-2017-3733 is a vulnerability of currently unknown severity. During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected. EPSS estimates a 12.64% chance of exploitation in the next 30 days.
Description
During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Openssl | Openssl | 1.1.0 |
| Openssl | Openssl | 1.1.0a |
| Openssl | Openssl | 1.1.0b |
| Openssl | Openssl | 1.1.0c |
| Openssl | Openssl | 1.1.0d |
| Hp | Operations Agent | 11.14 |
| Hp | Operations Agent | 11.15 |
References
- http://www.securityfocus.com/bid/96269 (Third Party Advisory, VDB Entry)
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03728en_us (Third Party Advisory, VDB Entry)
- https://www.openssl.org/news/secadv/20170216.txt (Vendor Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
