ID

VAR-201705-3649


CVE

CVE-2017-3732


TITLE

OpenSSL Service disruption in (DoS) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2017-003156

DESCRIPTION

There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem. OpenSSL There is a service disruption ( crash ) There are vulnerabilities that are put into a state.Service operation interruption ( crash ) There is a possibility of being put into a state. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03158061 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: KM03158061 Version: 1 MFSBGN03804 - HP Service Manager Software, Remote Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2018-05-09 Last Updated: 2018-05-09 Potential Security Impact: Remote: Disclosure of Information Source: Micro Focus, Product Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with Service Manager. These vulnerabilities have been identified in the OpenSSL open source library component and may be exploited to cause disruption of service and unauthorized disclosure of information. References: - CVE-2017-3731 - CVE-2017-3732 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HP Service Manager Software - v9.30, v9.31, v9.32, v9.33, v9.34, v9.35, v9.40, v9.41, v9.50, v9.51 BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector RESOLUTION MicroFocus has made the following mitigation information available to resolve the vulnerability for the impacted versions of Service Manager: For versions 9.30, 9.31, 9.32, 9.33, 9.34.9.35 please upgrade to SM 9.35.P6: SM9.35 P6 packages, SM 9.35 AIX Server 9.35.6007 p6 <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00916> SM 9.35 HP Itanium Server 9.35.6007 p6 <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00917> SM 9.35 HP Itanium Server for Oracle 12c 9.35.6007 p6 <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00918> SM 9.35 Linux Server 9.35.6007 p6 <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00919> SM 9.35 Solaris Server 9.35.6007 p6 <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00920> SM 9.35 Windows Server 9.35.6007 p6 <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00921> For version 9.40, 9.41 please upgrade to SM 9.41.P6: SM9.41.P6 packages, Service Manager 9.41.6000 p6 - Server for AIX <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00891> Service Manager 9.41.6000 p6 - Server for HP-UX/IA <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00892> Service Manager 9.41.6000 p6 - Server for Linux <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00893> Service Manager 9.41.6000 p6 - Server for Solaris <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00894> Service Manager 9.41.6000 p6 - Server for Windows <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00895> For version 9.50, 9.51 Server and KM components please upgrade to SM 9.52.P2: SM9.52.P2 packages, Service Manager 9.52.2021 p2 - Server for Windows <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00906> Service Manager 9.52.2021 p2 - Server for Linux <http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/- facetsearch/document/LID/HPSM_00907> HISTORY Version:1 (rev.1) - 9 May 2018 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running Micro Focus products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal Micro Focus services support channel. For other issues about the content of this Security Bulletin, send e-mail to cyber-psrt@microfocus.com. Report: To report a potential security vulnerability for any supported product: Web form: https://www.microfocus.com/support-and-services/report-security Email: security@microfocus.com Subscribe: To initiate receiving subscriptions for future Micro Focus Security Bulletin alerts via Email, please subscribe here - https://softwaresupport.hpe.com/group/softwaresupport/email-notification/-/subscriptions/registerdocumentnotification Once you are logged in to the portal, please choose security bulletins under product and document types. Please note that you will need to sign in using a Passport account. If you do not have a Passport account yet, you can create one- its free and easy https://cf.passport.softwaregrp.com/hppcf/createuser.do Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://softwaresupport.hpe.com/security-vulnerability Software Product Category: The Software Product Category is represented in the title by the two characters following Micro Focus Security Bulletin. 3P = 3rd Party Software GN = Micro Focus General Software MU = Multi-Platform Software System management and security procedures must be reviewed frequently to maintain system integrity. Micro Focus is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "Micro Focus is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected Micro Focus products the important security information contained in this Bulletin. Micro Focus recommends that all users determine the applicability of this information to their individual situations and take appropriate action. Micro Focus does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, Micro Focus will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, Micro Focus disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2017 EntIT Software LLC Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither Micro Focus nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Micro Focus and the names of Micro Focus products referenced herein are trademarks of Micro Focus in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201702-07 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenSSL: Multiple vulnerabilities Date: February 14, 2017 Bugs: #607318 ID: 201702-07 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in OpenSSL, the worst of which might allow attackers to access sensitive information. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/openssl < 1.0.2k >= 1.0.2k Description =========== Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker is able to crash applications linked against OpenSSL or could obtain sensitive private-key information via an attack against the Diffie-Hellman (DH) ciphersuite. Resolution ========== All OpenSSL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2k" References ========== [ 1 ] CVE-2016-7055 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7055 [ 2 ] CVE-2017-3730 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3730 [ 3 ] CVE-2017-3731 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3731 [ 4 ] CVE-2017-3732 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3732 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201702-07 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 --6TxcaqolfH5V8d0tqHGgGlj1v2tmUA9I9-- . Description: This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes, enhancements and component upgrades included in this release. This release upgrades OpenSSL to version 1.0.2.n Security Fix(es): * openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() (CVE-2016-2182) * openssl: Insufficient TLS session ticket HMAC length checks (CVE-2016-6302) * openssl: certificate message OOB reads (CVE-2016-6306) * openssl: Carry propagating bug in Montgomery multiplication (CVE-2016-7055) * openssl: Truncated packet could crash via OOB read (CVE-2017-3731) * openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) * openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) * openssl: Read/write after SSL object in error state (CVE-2017-3737) * openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306 and CVE-2016-7055. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/): 1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() 1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks 1377594 - CVE-2016-6306 openssl: certificate message OOB reads 1393929 - CVE-2016-7055 openssl: Carry propagating bug in Montgomery multiplication 1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read 1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64 1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64 1523504 - CVE-2017-3737 openssl: Read/write after SSL object in error state 1523510 - CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 6. JIRA issues fixed (https://issues.jboss.org/): JBCS-373 - Errata for httpd 2.4.29 GA RHEL 7 7. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-17:02.openssl Security Advisory The FreeBSD Project Topic: OpenSSL multiple vulnerabilities Category: contrib Module: openssl Announced: 2017-02-23 Affects: All supported versions of FreeBSD. Corrected: 2017-01-26 19:14:14 UTC (stable/11, 11.0-STABLE) 2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8) 2017-01-27 07:45:06 UTC (stable/10, 10.3-STABLE) 2017-02-23 07:12:18 UTC (releng/10.3, 10.3-RELEASE-p16) CVE Name: CVE-2016-7055, CVE-2017-3731, CVE-2017-3732 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. II. Problem Description If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. [CVE-2017-3732] Montgomery multiplication may produce incorrect results. [CVE-2016-7055] III. Impact A remote attacker may trigger a crash on servers or clients that supported RC4-MD5. [CVE-2017-3732, CVE-2016-7055] IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Restart all daemons that use the library, or reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Restart all daemons that use the library, or reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.0] # fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-11.patch # fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-11.patch.asc # gpg --verify openssl-11.patch.asc [FreeBSD 10.3] # fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-10.patch # fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-10.patch.asc # gpg --verify openssl-10.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart all daemons that use the library, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r312863 releng/10.3/ r314125 stable/11/ r312826 releng/11.0/ r314126 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7055> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732> <URL:https://www.openssl.org/news/secadv/20170126.txt> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.18 (FreeBSD) iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAliujOsACgkQ7Wfs1l3P aufZHhAAy8U5oOrLGq0XH8Dumpkyc+bFOmsEh+S1hL6jFL13jUVpDqogZ3w/a7If Hcqiyipx5dbcGbHJayokfimkxPcIYydYQK9NwWaXVlnZifvgWka+KxtcD0u2A8S5 cpTbNl+CALQQqEF3+JmOc4Uq2Dtui0xFG1N5Og4oF5Uo+lvQh4bcJ1UbfhMdq8EG US3hGlJLJJW75m3jkgHyu0o7A0swnNTUQrW9Z0p/3iTiel7fM57d/N1who+kt59V UErXTzMDBT1kkWRne0aTA71gdy3SUeRiVi9/LWggjIRJNyMnQjO3UI2UOIHLLQAG CXcZLPekB87iHZxMAw8oV6b4GIkJhqUFW2ep2AZkUdDZ2Mup9bDrx/0Ik0jHjyQY KEmZDroHvP8z569q+aWfIIpMXPv6zJTnent45U2/q13wMHJwWsADu9ukeWKTw7wI P0Rc3vht+AXbXFi9SjxwdldgrVszV7x8Yi6W9KhHsGqCl6NBCW9Md/PWbNQQUVkq I5tV0WB3pTwOk0yMi3h/okM9VBr1lPDU18W0he5T9wbOh4w0jwFb8AqMu1slst3l 9MlhRfO/4LIDlfRQ/dj4dOfVLZqEd/xleax99yFXZUzibUYrOMlBxNaKvV80plwB Kg2Hr3DJuJa3599kNgXMCNV1lRIOJbJ9dRmX6B0YzMgvxKPIXY4= =8Jsr -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: java-1.8.0-ibm security update Advisory ID: RHSA-2018:2575-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://access.redhat.com/errata/RHSA-2018:2575 Issue date: 2018-08-28 CVE Names: CVE-2016-0705 CVE-2017-3732 CVE-2017-3736 CVE-2018-1517 CVE-2018-1656 CVE-2018-2940 CVE-2018-2952 CVE-2018-2973 CVE-2018-12539 ==================================================================== 1. Summary: An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP20. Security Fix(es): * IBM JDK: privilege escalation via insufficiently restricted access to Attach API (CVE-2018-12539) * openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) * openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) * IBM JDK: DoS in the java.math component (CVE-2018-1517) * IBM JDK: path traversal flaw in the Diagnostic Tooling Framework (CVE-2018-1656) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940) * OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) (CVE-2018-2952) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973) * OpenSSL: Double-free in DSA code (CVE-2016-0705) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the OpenSSL project for reporting CVE-2016-0705. Upstream acknowledges Adam Langley (Google/BoringSSL) as the original reporter of CVE-2016-0705. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of IBM Java must be restarted for this update to take effect. Bugs fixed (https://bugzilla.redhat.com/): 1310596 - CVE-2016-0705 OpenSSL: Double-free in DSA code 1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64 1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64 1600925 - CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) 1602145 - CVE-2018-2973 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) 1602146 - CVE-2018-2940 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) 1618767 - CVE-2018-12539 IBM JDK: privilege escalation via insufficiently restricted access to Attach API 1618869 - CVE-2018-1656 IBM JDK: path traversal flaw in the Diagnostic Tooling Framework 1618871 - CVE-2018-1517 IBM JDK: DoS in the java.math component 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.i686.rpm x86_64: java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.i686.rpm ppc64: java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.ppc64.rpm s390x: java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.s390x.rpm x86_64: java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.i686.rpm x86_64: java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-0705 https://access.redhat.com/security/cve/CVE-2017-3732 https://access.redhat.com/security/cve/CVE-2017-3736 https://access.redhat.com/security/cve/CVE-2018-1517 https://access.redhat.com/security/cve/CVE-2018-1656 https://access.redhat.com/security/cve/CVE-2018-2940 https://access.redhat.com/security/cve/CVE-2018-2952 https://access.redhat.com/security/cve/CVE-2018-2973 https://access.redhat.com/security/cve/CVE-2018-12539 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k This issue was reported to OpenSSL on 13th November 2016 by Robert Święcki of Google. The fix was developed by Andy Polyakov of the OpenSSL development team. Bad (EC)DHE parameters cause a client crash (CVE-2017-3730) =========================================================== Severity: Moderate If a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack. OpenSSL 1.1.0 users should upgrade to 1.1.0d This issue does not affect OpenSSL version 1.0.2. This means the git commit with the fix does not contain the CVE identifier. The relevant fix commit can be identified by commit hash efbe126e3. This issue was reported to OpenSSL on 14th January 2017 by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team. UPDATE 31 Jan 2017. This is not true. OpenSSL 1.1.0 users should upgrade to 1.1.0d OpenSSL 1.0.2 users should upgrade to 1.0.2k This issue was reported to OpenSSL on 15th January 2017 by the OSS-Fuzz project. The fix was developed by Andy Polyakov of the OpenSSL development team. Montgomery multiplication may produce incorrect results (CVE-2016-7055) ======================================================================= Severity: Low This issue was previously fixed in 1.1.0c and covered in security advisory https://www.openssl.org/news/secadv/20161110.txt OpenSSL 1.0.2 users should upgrade to 1.0.2k Note ==== Support for version 1.0.1 ended on 31st December 2016. Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20170126.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html . OpenSSL Security Advisory [07 Dec 2017] ======================================== Read/write after SSL object in error state (CVE-2017-3737) ========================================================== Severity: Moderate OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The issue was originally found via the OSS-Fuzz project. OpenSSL Security Advisory [27 Mar 2018] ======================================== Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739) ========================================================================================== Severity: Moderate Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected

Trust: 2.52

sources: NVD: CVE-2017-3732 // JVNDB: JVNDB-2017-003156 // VULMON: CVE-2017-3732 // PACKETSTORM: 148525 // PACKETSTORM: 147577 // PACKETSTORM: 141088 // PACKETSTORM: 148524 // PACKETSTORM: 141255 // PACKETSTORM: 149130 // PACKETSTORM: 169650 // PACKETSTORM: 169655 // PACKETSTORM: 169626

AFFECTED PRODUCTS

vendor:opensslmodel:opensslscope:eqversion:1.0.2d

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2i

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2e

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:4.2.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:lteversion:6.8.1

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:6.9.5

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:5.0.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:7.0.0

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2a

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2f

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:4.7.3

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:7.5.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:lteversion:5.12.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:4.0.0

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0b

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:6.0.0

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2b

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2h

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:6.9.0

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0c

Trust: 1.0

vendor:nodejsmodel:node.jsscope:lteversion:4.1.2

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2c

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0a

Trust: 1.0

vendor:hitachimodel:jp1/automatic job management system 3scope:eqversion:- manager web console

Trust: 0.8

vendor:hitachimodel:jp1/integrated managementscope:eqversion:- service support starter edition

Trust: 0.8

vendor:opensslmodel:opensslscope:eqversion:1.1.0d

Trust: 0.8

vendor:hitachimodel:jp1/it desktop managementscope:eqversion:2 - operations director

Trust: 0.8

vendor:hitachimodel:ucosminexus application serverscope:eqversion:(64)

Trust: 0.8

vendor:opensslmodel:opensslscope:ltversion:1.1.0

Trust: 0.8

vendor:necmodel:systemdirector enterprisescope: - version: -

Trust: 0.8

vendor:necmodel:enterprisedirectoryserverscope:eqversion:all versions

Trust: 0.8

vendor:hitachimodel:job management partner 1/integrated managementscope:eqversion:- service support

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:foundation

Trust: 0.8

vendor:hitachimodel:job management partner 1/it desktop managementscope:eqversion:2 - smart device manager

Trust: 0.8

vendor:hitachimodel:jp1/performance managementscope:eqversion:- web console

Trust: 0.8

vendor:necmodel:express5800scope:eqversion:/sg all versions

Trust: 0.8

vendor:necmodel:webotx enterprise service busscope: - version: -

Trust: 0.8

vendor:opensslmodel:opensslscope:eqversion:1.0.2k

Trust: 0.8

vendor:hitachimodel:ucosminexus service platformscope:eqversion:(64)

Trust: 0.8

vendor:hitachimodel:jp1/performance managementscope:eqversion:- manager

Trust: 0.8

vendor:hitachimodel:jp1/it desktop management - managerscope: - version: -

Trust: 0.8

vendor:hitachimodel:jp1/automatic operationscope: - version: -

Trust: 0.8

vendor:hitachimodel:job management partner 1/performance management - web consolescope: - version: -

Trust: 0.8

vendor:hitachimodel:job management partner 1/it desktop managementscope:eqversion:2 - manager

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:st ard

Trust: 0.8

vendor:hitachimodel:ucosminexus application serverscope:eqversion:none

Trust: 0.8

vendor:hitachimodel:jp1/it desktop managementscope:eqversion:2 - smart device manager

Trust: 0.8

vendor:hitachimodel:jp1/integrated managementscope:eqversion:- service support

Trust: 0.8

vendor:hitachimodel:ucosminexus primary serverscope:eqversion:base

Trust: 0.8

vendor:hitachimodel:ucosminexus primary serverscope:eqversion:base(64)

Trust: 0.8

vendor:hitachimodel:job management partner 1/integrated managementscope:eqversion:- service support advanced edition

Trust: 0.8

vendor:hitachimodel:ucosminexus service platformscope:eqversion:none

Trust: 0.8

vendor:hitachimodel:it operations directorscope: - version: -

Trust: 0.8

vendor:hitachimodel:jp1/service supportscope:eqversion:none

Trust: 0.8

vendor:hitachimodel:jp1/operations analyticsscope: - version: -

Trust: 0.8

vendor:hitachimodel:jp1/service supportscope:eqversion:starter edition

Trust: 0.8

vendor:hitachimodel:cosminexus http serverscope: - version: -

Trust: 0.8

vendor:hitachimodel:ucosminexus application serverscope:eqversion:-r

Trust: 0.8

vendor:hitachimodel:jp1/it desktop managementscope:eqversion:2 - manager

Trust: 0.8

vendor:hitachimodel:job management partner 1/it desktop management - managerscope: - version: -

Trust: 0.8

vendor:hitachimodel:ucosminexus service architectscope: - version: -

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:express

Trust: 0.8

vendor:necmodel:esmpro/serveragentservicescope:eqversion:all versions (linux edition )

Trust: 0.8

vendor:hitachimodel:jp1/performance managementscope:eqversion:- manager web console

Trust: 0.8

vendor:opensslmodel:opensslscope:ltversion:1.0.2

Trust: 0.8

vendor:necmodel:webotx portalscope: - version: -

Trust: 0.8

vendor:hitachimodel:ucosminexus developerscope: - version: -

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:enterprise

Trust: 0.8

vendor:hitachimodel:jp1/integrated managementscope:eqversion:- service support advanced edition

Trust: 0.8

sources: JVNDB: JVNDB-2017-003156 // NVD: CVE-2017-3732

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3732
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-3732
value: MEDIUM

Trust: 0.8

VULMON: CVE-2017-3732
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-3732
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2017-3732
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2017-3732
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2017-3732 // JVNDB: JVNDB-2017-003156 // NVD: CVE-2017-3732

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2017-003156 // NVD: CVE-2017-3732

THREAT TYPE

remote

Trust: 0.2

sources: PACKETSTORM: 148525 // PACKETSTORM: 148524

TYPE

sql injection

Trust: 0.2

sources: PACKETSTORM: 148525 // PACKETSTORM: 148524

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003156

PATCH

title:hitachi-sec-2018-103url:http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-103/index.html

Trust: 0.8

title:hitachi-sec-2017-115url:http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-115/index.html

Trust: 0.8

title:NV17-011url:http://jpn.nec.com/security-info/secinfo/nv17-011.html

Trust: 0.8

title:BN_mod_exp may produce incorrect results on x86_64url:https://www.openssl.org/news/secadv/20170126.txt

Trust: 0.8

title:hitachi-sec-2018-103url:http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2018-103/index.html

Trust: 0.8

title:hitachi-sec-2017-115url:http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2017-115/index.html

Trust: 0.8

title:The Registerurl:https://www.theregister.co.uk/2017/01/31/openssl_patches/

Trust: 0.2

title:Red Hat: Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 7 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182185 - Security Advisory

Trust: 0.1

title:Red Hat: Important: java-1.8.0-ibm security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182575 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 6 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182186 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: java-1.8.0-ibm security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182713 - Security Advisory

Trust: 0.1

title:Red Hat: Important: java-1.8.0-ibm security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182568 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182187 - Security Advisory

Trust: 0.1

title:Red Hat: CVE-2017-3732url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2017-3732

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2017-3732

Trust: 0.1

title:IBM: Security Bulletin: OpenSSL vulnerabilites impacting IBM Aspera Connect 3.7.4 and earlier (CVE-2017-3732, CVE-2016-7055)url:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=030cb7ac9266aec85453c1d2339fbc00

Trust: 0.1

title:Ubuntu Security Notice: openssl vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3181-1

Trust: 0.1

title:Arch Linux Advisories: [ASA-201701-37] openssl: multiple issuesurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201701-37

Trust: 0.1

title:Huawei Security Advisories: Security Advisory - Three OpenSSL Vulnerabilities in Huawei Productsurl:https://vulmon.com/vendoradvisory?qidtp=huawei_security_advisories&qid=1181e052a6a83786d4182d45ddb56d5d

Trust: 0.1

title:Symantec Security Advisories: SA141 : OpenSSL Vulnerabilities 26-Jan-2017url:https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories&qid=117bc0d26e74d755d85acf15af842eaf

Trust: 0.1

title:Arch Linux Advisories: [ASA-201701-36] lib32-openssl: multiple issuesurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201701-36

Trust: 0.1

title:IBM: IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Operations Center and Client Management Service (CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1656, CVE-2018-12539)url:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=3d9ab13c871ea2142681c7977b25c5ff

Trust: 0.1

title:IBM: IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2018 – Includes Oracle Jul 2018 CPU affects DB2 Recovery Expert for Linux, Unix and Windowsurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=af4ddb95056d65a4af347aec0f652f0e

Trust: 0.1

title:Cisco: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017url:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20170130-openssl

Trust: 0.1

title:IBM: IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Planningurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=62ef85c9034c17315b7d0a712483c5ea

Trust: 0.1

title:IBM: IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Reporting for Development Intelligenceurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=03b0267d78cd8ac1bbb43afc737474f0

Trust: 0.1

title:IBM: IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Serverurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=63bbfc68418161b36080acd59a541d45

Trust: 0.1

title:IBM: IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Privileged Identity Managerurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=42a34f9348fc5f34065c6d25764eb2a2

Trust: 0.1

title:Debian CVElist Bug Report Logs: Security fixes from the July 2017 CPUurl:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=adc1e0c986afd5f2f3b0797ba936d072

Trust: 0.1

title:IBM: IBM Security Bulletin: IBM Cognos Controller 2019Q2 Security Updater: Multiple vulnerabilities have been identified in IBM Cognos Controllerurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=38227211accce022b0a3d9b56a974186

Trust: 0.1

title:Forcepoint Security Advisories: CVE-2017-3730, -3731, -3732 OpenSSL Vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=forcepoint_security_advisories&qid=16a227df38f44014c9520f3b6cb5344e

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - January 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=a2bac27fb002bed513645d4775c7275b

Trust: 0.1

title:Tenable Security Advisories: [R5] SecurityCenter 5.4.3 Fixes Multiple Vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories&qid=TNS-2017-04

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - April 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=a31bff03e9909229fd67996884614fdf

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - July 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=2f446a7e1ea263c0c3a365776c6713f2

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - July 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=5f8c525f1408011628af1792207b2099

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - July 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=586e6062440cdd312211d748e028164e

Trust: 0.1

title:IBM: IBM Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=dd8c9d5928cc3b1ac8c35b4b24703e38

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - April 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=143b3fb255063c81571469eaa3cf0a87

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - October 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=523d3f220a64ff01dd95e064bd37566a

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - January 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=e2a7f287e9acc8c64ab3df71130bc64d

Trust: 0.1

title:IBM: Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics for NPSurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=c36fc403a4c2c6439b732d2fca738f58

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - January 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=525e4e31765e47b9e53b24e880af9d6e

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - October 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=6283337cd31f81f24d445925f2138c0e

Trust: 0.1

sources: VULMON: CVE-2017-3732 // JVNDB: JVNDB-2017-003156

EXTERNAL IDS

db:NVDid:CVE-2017-3732

Trust: 2.8

db:SECTRACKid:1037717

Trust: 1.1

db:BIDid:95814

Trust: 1.1

db:TENABLEid:TNS-2017-04

Trust: 1.1

db:JVNid:JVNVU92830136

Trust: 0.8

db:JVNDBid:JVNDB-2017-003156

Trust: 0.8

db:VULMONid:CVE-2017-3732

Trust: 0.1

db:PACKETSTORMid:148525

Trust: 0.1

db:PACKETSTORMid:147577

Trust: 0.1

db:PACKETSTORMid:141088

Trust: 0.1

db:PACKETSTORMid:148524

Trust: 0.1

db:PACKETSTORMid:141255

Trust: 0.1

db:PACKETSTORMid:149130

Trust: 0.1

db:PACKETSTORMid:169650

Trust: 0.1

db:PACKETSTORMid:169655

Trust: 0.1

db:PACKETSTORMid:169626

Trust: 0.1

sources: VULMON: CVE-2017-3732 // JVNDB: JVNDB-2017-003156 // PACKETSTORM: 148525 // PACKETSTORM: 147577 // PACKETSTORM: 141088 // PACKETSTORM: 148524 // PACKETSTORM: 141255 // PACKETSTORM: 149130 // PACKETSTORM: 169650 // PACKETSTORM: 169655 // PACKETSTORM: 169626 // NVD: CVE-2017-3732

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2017-3732

Trust: 1.7

url:https://www.openssl.org/news/secadv/20170126.txt

Trust: 1.2

url:https://security.gentoo.org/glsa/201702-07

Trust: 1.2

url:https://access.redhat.com/errata/rhsa-2018:2186

Trust: 1.2

url:https://access.redhat.com/errata/rhsa-2018:2185

Trust: 1.2

url:https://access.redhat.com/errata/rhsa-2018:2575

Trust: 1.2

url:http://www.securityfocus.com/bid/95814

Trust: 1.1

url:http://www.securitytracker.com/id/1037717

Trust: 1.1

url:http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Trust: 1.1

url:http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Trust: 1.1

url:https://www.tenable.com/security/tns-2017-04

Trust: 1.1

url:https://security.freebsd.org/advisories/freebsd-sa-17:02.openssl.asc

Trust: 1.1

url:http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Trust: 1.1

url:https://github.com/openssl/openssl/commit/a59b90bf491410f1f2bc4540cc21f1980fd14c5b

Trust: 1.1

url:https://access.redhat.com/errata/rhsa-2018:2187

Trust: 1.1

url:https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03838en_us

Trust: 1.1

url:https://access.redhat.com/errata/rhsa-2018:2568

Trust: 1.1

url:https://access.redhat.com/errata/rhsa-2018:2713

Trust: 1.1

url:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3732

Trust: 0.8

url:https://jvn.jp/vu/jvnvu92830136/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-3731

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2016-7055

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2017-3736

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2017-3738

Trust: 0.4

url:https://access.redhat.com/articles/11258

Trust: 0.3

url:https://access.redhat.com/security/team/contact/

Trust: 0.3

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2017-3732

Trust: 0.3

url:https://bugzilla.redhat.com/):

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2017-3737

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2017-3736

Trust: 0.3

url:https://access.redhat.com/security/team/key/

Trust: 0.3

url:https://www.openssl.org/policies/secpolicy.html

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2015-3193

Trust: 0.3

url:https://issues.jboss.org/):

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-2182

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-6302

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2017-3731

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2017-3737

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2016-6306

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2017-3738

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-6306

Trust: 0.2

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.29/

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2016-2182

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2016-7055

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2016-6302

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2017-3730

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-0701

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/200.html

Trust: 0.1

url:https://tools.cisco.com/security/center/viewalert.x?alertid=52438

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://usn.ubuntu.com/3181-1/

Trust: 0.1

url:https://www.microfocus.com/support-and-services/report-security

Trust: 0.1

url:https://softwaresupport.hpe.com/group/softwaresupport/email-notification/-/subscriptions/registerdocumentnotification

Trust: 0.1

url:https://cf.passport.softwaregrp.com/hppcf/createuser.do

Trust: 0.1

url:http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-

Trust: 0.1

url:https://softwaresupport.hpe.com/document/-/facetsearch/document/km03158061

Trust: 0.1

url:https://softwaresupport.hpe.com/security-vulnerability

Trust: 0.1

url:http://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2017-3732

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2017-3731

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2017-3730

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7055

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://www.freebsd.org/handbook/makeworld.html>.

Trust: 0.1

url:https://security.freebsd.org/>.

Trust: 0.1

url:https://www.openssl.org/news/secadv/20170126.txt>

Trust: 0.1

url:https://security.freebsd.org/patches/sa-17:02/openssl-11.patch.asc

Trust: 0.1

url:https://security.freebsd.org/advisories/freebsd-sa-17:02.openssl.asc>

Trust: 0.1

url:https://security.freebsd.org/patches/sa-17:02/openssl-11.patch

Trust: 0.1

url:https://security.freebsd.org/patches/sa-17:02/openssl-10.patch

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3732>

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3731>

Trust: 0.1

url:https://security.freebsd.org/patches/sa-17:02/openssl-10.patch.asc

Trust: 0.1

url:https://svnweb.freebsd.org/base?view=revision&revision=nnnnnn>

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-7055>

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-2940

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-2952

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-12539

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-0705

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-0705

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-2973

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-1656

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-2940

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-1517

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-1517

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-2952

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-1656

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-2973

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-12539

Trust: 0.1

url:https://www.openssl.org/news/secadv/20161110.txt

Trust: 0.1

url:https://www.openssl.org/news/secadv/20171207.txt

Trust: 0.1

url:https://www.openssl.org/news/secadv/20180327.txt

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-0739

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-0733

Trust: 0.1

sources: VULMON: CVE-2017-3732 // JVNDB: JVNDB-2017-003156 // PACKETSTORM: 148525 // PACKETSTORM: 147577 // PACKETSTORM: 141088 // PACKETSTORM: 148524 // PACKETSTORM: 141255 // PACKETSTORM: 149130 // PACKETSTORM: 169650 // PACKETSTORM: 169655 // PACKETSTORM: 169626 // NVD: CVE-2017-3732

CREDITS

Red Hat

Trust: 0.3

sources: PACKETSTORM: 148525 // PACKETSTORM: 148524 // PACKETSTORM: 149130

SOURCES

db:VULMONid:CVE-2017-3732
db:JVNDBid:JVNDB-2017-003156
db:PACKETSTORMid:148525
db:PACKETSTORMid:147577
db:PACKETSTORMid:141088
db:PACKETSTORMid:148524
db:PACKETSTORMid:141255
db:PACKETSTORMid:149130
db:PACKETSTORMid:169650
db:PACKETSTORMid:169655
db:PACKETSTORMid:169626
db:NVDid:CVE-2017-3732

LAST UPDATE DATE

2024-11-18T20:43:52.539000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2017-3732date:2022-08-29T00:00:00
db:JVNDBid:JVNDB-2017-003156date:2018-02-07T00:00:00
db:NVDid:CVE-2017-3732date:2022-08-29T20:43:33.220

SOURCES RELEASE DATE

db:VULMONid:CVE-2017-3732date:2017-05-04T00:00:00
db:JVNDBid:JVNDB-2017-003156date:2017-05-18T00:00:00
db:PACKETSTORMid:148525date:2018-07-12T21:48:57
db:PACKETSTORMid:147577date:2018-05-10T10:11:22
db:PACKETSTORMid:141088date:2017-02-14T17:07:17
db:PACKETSTORMid:148524date:2018-07-12T21:48:49
db:PACKETSTORMid:141255date:2017-02-23T17:14:20
db:PACKETSTORMid:149130date:2018-08-29T00:28:49
db:PACKETSTORMid:169650date:2017-01-26T12:12:12
db:PACKETSTORMid:169655date:2017-12-07T12:12:12
db:PACKETSTORMid:169626date:2018-03-27T12:12:12
db:NVDid:CVE-2017-3732date:2017-05-04T19:29:00.400