ID

VAR-201712-0248


CVE

CVE-2017-3738


TITLE

OpenSSL Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2017-011252

DESCRIPTION

There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository. This vulnerability CVE-2017-3736 , CVE-2017-3732 and CVE-2015-3193 Similar problem.It may be affected unspecified. An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). After installing the updated packages, the httpd daemon will be restarted automatically. =========================================================================== Ubuntu Security Notice USN-3512-1 December 11, 2017 openssl vulnerabilities =========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 17.10 - Ubuntu 17.04 - Ubuntu 16.04 LTS Summary: Several security issues were fixed in OpenSSL. Software Description: - openssl: Secure Socket Layer (SSL) cryptographic library and tools Details: David Benjamin discovered that OpenSSL did not correctly prevent buggy applications that ignore handshake errors from subsequently calling certain functions. While unlikely, a remote attacker could possibly use this issue to recover private keys. (CVE-2017-3738) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 17.10: libssl1.0.0 1.0.2g-1ubuntu13.3 Ubuntu 17.04: libssl1.0.0 1.0.2g-1ubuntu11.4 Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.10 After a standard system update you need to reboot your computer to make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 7 security update Advisory ID: RHSA-2018:2185-01 Product: Red Hat JBoss Core Services Advisory URL: https://access.redhat.com/errata/RHSA-2018:2185 Issue date: 2018-07-12 CVE Names: CVE-2016-2182 CVE-2016-6302 CVE-2016-6306 CVE-2016-7055 CVE-2017-3731 CVE-2017-3732 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 ==================================================================== 1. Summary: Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Core Services on RHEL 7 Server - noarch, ppc64, x86_64 3. Description: This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes, enhancements and component upgrades included in this release. This release upgrades OpenSSL to version 1.0.2.n Security Fix(es): * openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() (CVE-2016-2182) * openssl: Insufficient TLS session ticket HMAC length checks (CVE-2016-6302) * openssl: certificate message OOB reads (CVE-2016-6306) * openssl: Carry propagating bug in Montgomery multiplication (CVE-2016-7055) * openssl: Truncated packet could crash via OOB read (CVE-2017-3731) * openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) * openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) * openssl: Read/write after SSL object in error state (CVE-2017-3737) * openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306 and CVE-2016-7055. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6306. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() 1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks 1377594 - CVE-2016-6306 openssl: certificate message OOB reads 1393929 - CVE-2016-7055 openssl: Carry propagating bug in Montgomery multiplication 1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read 1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64 1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64 1523504 - CVE-2017-3737 openssl: Read/write after SSL object in error state 1523510 - CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 6. JIRA issues fixed (https://issues.jboss.org/): JBCS-373 - Errata for httpd 2.4.29 GA RHEL 7 7. Package List: Red Hat JBoss Core Services on RHEL 7 Server: Source: jbcs-httpd24-apache-commons-daemon-1.1.0-1.redhat_2.1.jbcs.el7.src.rpm jbcs-httpd24-apache-commons-daemon-jsvc-1.1.0-1.redhat_2.jbcs.el7.src.rpm jbcs-httpd24-apr-1.6.3-14.jbcs.el7.src.rpm jbcs-httpd24-apr-util-1.6.1-9.jbcs.el7.src.rpm jbcs-httpd24-httpd-2.4.29-17.jbcs.el7.src.rpm jbcs-httpd24-mod_auth_kerb-5.4-36.jbcs.el7.src.rpm jbcs-httpd24-mod_bmx-0.9.6-17.GA.jbcs.el7.src.rpm jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_2.jbcs.el7.src.rpm jbcs-httpd24-mod_jk-1.2.43-1.redhat_1.jbcs.el7.src.rpm jbcs-httpd24-mod_rt-2.4.1-19.GA.jbcs.el7.src.rpm jbcs-httpd24-mod_security-2.9.1-23.GA.jbcs.el7.src.rpm jbcs-httpd24-nghttp2-1.29.0-8.jbcs.el7.src.rpm jbcs-httpd24-openssl-1.0.2n-11.jbcs.el7.src.rpm noarch: jbcs-httpd24-apache-commons-daemon-1.1.0-1.redhat_2.1.jbcs.el7.noarch.rpm jbcs-httpd24-httpd-manual-2.4.29-17.jbcs.el7.noarch.rpm ppc64: jbcs-httpd24-apache-commons-daemon-jsvc-1.1.0-1.redhat_2.jbcs.el7.ppc64.rpm jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.1.0-1.redhat_2.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-1.6.3-14.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-debuginfo-1.6.3-14.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-devel-1.6.3-14.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-debuginfo-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-devel-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-ldap-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-mysql-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-nss-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-odbc-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-openssl-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-pgsql-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-sqlite-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-httpd-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-httpd-debuginfo-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-httpd-devel-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-httpd-selinux-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-httpd-tools-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_auth_kerb-5.4-36.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_auth_kerb-debuginfo-5.4-36.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_bmx-0.9.6-17.GA.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_bmx-debuginfo-0.9.6-17.GA.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_2.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_cluster-native-debuginfo-1.3.8-1.Final_redhat_2.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_jk-ap24-1.2.43-1.redhat_1.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_jk-debuginfo-1.2.43-1.redhat_1.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_jk-manual-1.2.43-1.redhat_1.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_ldap-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_proxy_html-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_rt-2.4.1-19.GA.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_rt-debuginfo-2.4.1-19.GA.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_security-2.9.1-23.GA.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_security-debuginfo-2.9.1-23.GA.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_session-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_ssl-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-nghttp2-1.29.0-8.jbcs.el7.ppc64.rpm jbcs-httpd24-nghttp2-debuginfo-1.29.0-8.jbcs.el7.ppc64.rpm jbcs-httpd24-nghttp2-devel-1.29.0-8.jbcs.el7.ppc64.rpm jbcs-httpd24-openssl-1.0.2n-11.jbcs.el7.ppc64.rpm jbcs-httpd24-openssl-debuginfo-1.0.2n-11.jbcs.el7.ppc64.rpm jbcs-httpd24-openssl-devel-1.0.2n-11.jbcs.el7.ppc64.rpm jbcs-httpd24-openssl-libs-1.0.2n-11.jbcs.el7.ppc64.rpm jbcs-httpd24-openssl-perl-1.0.2n-11.jbcs.el7.ppc64.rpm jbcs-httpd24-openssl-static-1.0.2n-11.jbcs.el7.ppc64.rpm x86_64: jbcs-httpd24-apache-commons-daemon-jsvc-1.1.0-1.redhat_2.jbcs.el7.x86_64.rpm jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.1.0-1.redhat_2.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-1.6.3-14.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-debuginfo-1.6.3-14.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-devel-1.6.3-14.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-debuginfo-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-devel-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-ldap-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-mysql-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-nss-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-odbc-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-openssl-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-pgsql-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-sqlite-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-httpd-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-httpd-debuginfo-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-httpd-devel-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-httpd-selinux-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-httpd-tools-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_auth_kerb-5.4-36.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_auth_kerb-debuginfo-5.4-36.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_bmx-0.9.6-17.GA.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_bmx-debuginfo-0.9.6-17.GA.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_2.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_cluster-native-debuginfo-1.3.8-1.Final_redhat_2.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_jk-ap24-1.2.43-1.redhat_1.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_jk-debuginfo-1.2.43-1.redhat_1.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_jk-manual-1.2.43-1.redhat_1.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_ldap-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_proxy_html-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_rt-2.4.1-19.GA.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_rt-debuginfo-2.4.1-19.GA.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_security-2.9.1-23.GA.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_security-debuginfo-2.9.1-23.GA.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_session-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_ssl-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-nghttp2-1.29.0-8.jbcs.el7.x86_64.rpm jbcs-httpd24-nghttp2-debuginfo-1.29.0-8.jbcs.el7.x86_64.rpm jbcs-httpd24-nghttp2-devel-1.29.0-8.jbcs.el7.x86_64.rpm jbcs-httpd24-openssl-1.0.2n-11.jbcs.el7.x86_64.rpm jbcs-httpd24-openssl-debuginfo-1.0.2n-11.jbcs.el7.x86_64.rpm jbcs-httpd24-openssl-devel-1.0.2n-11.jbcs.el7.x86_64.rpm jbcs-httpd24-openssl-libs-1.0.2n-11.jbcs.el7.x86_64.rpm jbcs-httpd24-openssl-perl-1.0.2n-11.jbcs.el7.x86_64.rpm jbcs-httpd24-openssl-static-1.0.2n-11.jbcs.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2016-2182 https://access.redhat.com/security/cve/CVE-2016-6302 https://access.redhat.com/security/cve/CVE-2016-6306 https://access.redhat.com/security/cve/CVE-2016-7055 https://access.redhat.com/security/cve/CVE-2017-3731 https://access.redhat.com/security/cve/CVE-2017-3732 https://access.redhat.com/security/cve/CVE-2017-3736 https://access.redhat.com/security/cve/CVE-2017-3737 https://access.redhat.com/security/cve/CVE-2017-3738 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.29/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW0d+y9zjgjWX9erEAQh8oA/7BIg3HlOvxwmHZR8gAxdYdX87HQj/jy3D 0jmV0br7tzHq81RFOtVGw2c57FA6bnj/2YpL61k7l2KIBPltTQHWqu3QbeCvofUn Iw1ga1Q54PjMrAiniwYma8MHO0jf1prdPQbfaLzcd6KQxSGaxd1zRCucysSzjXud Kq5Q//HeY2jvj6JmwHxxfRhVrkMrM++7zb945XECKEvfejkLNuNM51MllnlEYlpG iIKSjXP03UyG3sE6+h5pMgYLS0iB2wGVdopRaKLNFNQ8JiVlWODUVYlDkGuPWFu3 llvdWj/yPdbSDSs/hGTXOg4u0ng/3q/361WEp33goAW6dcoQg7ucUH8zWdB/lNwd kC1Kxqny7D0h1RReVMPVpa1H40zH1k+4xgTzrgFVPo35n483axTuytac3O/E6rf8 QkP5Cytj0VwvTVukfVovXTB7SctQ2J9k05w9zPQJXzdpww+VU4pLA/UlIi/a85lR Y+vCkFuuFfoS0f7pNL4ariNJFnHAHJom0AlBILO2QxNeQ3lr794fEmHLSBQ4S9s6 5xtgmvo/qZEIe486r0mrYKw8N4+sbKJwCJVUr9E6AkR3u0mgBZa3Y2AqisIJUq9g iMqV5xYQX2nxuyeW8rkYisKI4ISJ3O5XQ3p8Je4ctUGhKFzSTAJQUfXxJEwx+w/p EF1cPMI+sEc=l2Ei -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201712-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenSSL: Multiple vulnerabilities Date: December 14, 2017 Bugs: #629290, #636264, #640172 ID: 201712-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in OpenSSL, the worst of which may lead to a Denial of Service condition. Background ========== OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/openssl < 1.0.2n >= 1.0.2n Description =========== Multiple vulnerabilities have been discovered in OpenSSL. Please review the referenced CVE identifiers for details. Impact ====== A remote attacker could cause a Denial of Service condition, recover a private key in unlikely circumstances, circumvent security restrictions to perform unauthorized actions, or gain access to sensitive information. Workaround ========== There are no known workarounds at this time. Resolution ========== All OpenSSL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2n" References ========== [ 1 ] CVE-2017-3735 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3735 [ 2 ] CVE-2017-3736 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3736 [ 3 ] CVE-2017-3737 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3737 [ 4 ] CVE-2017-3738 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3738 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201712-03 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 --IrEhWFjxIJsFtqH1v1HHQsLm3nLmhNeP4-- . Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/openssl-1.0.2n-i586-1_slack14.2.txz: Upgraded. +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated packages for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-0.9.8zh-i486-2_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-solibs-0.9.8zh-i486-2_slack13.0.txz Updated packages for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-0.9.8zh-x86_64-2_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-solibs-0.9.8zh-x86_64-2_slack13.0.txz Updated packages for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-0.9.8zh-i486-2_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-solibs-0.9.8zh-i486-2_slack13.1.txz Updated packages for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-0.9.8zh-x86_64-2_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-solibs-0.9.8zh-x86_64-2_slack13.1.txz Updated packages for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-0.9.8zh-i486-2_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-solibs-0.9.8zh-i486-2_slack13.37.txz Updated packages for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-0.9.8zh-x86_64-2_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-solibs-0.9.8zh-x86_64-2_slack13.37.txz Updated packages for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1u-i486-1_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1u-i486-1_slack14.0.txz Updated packages for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1u-x86_64-1_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1u-x86_64-1_slack14.0.txz Updated packages for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-1.0.1u-i486-1_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-solibs-1.0.1u-i486-1_slack14.1.txz Updated packages for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-1.0.1u-x86_64-1_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-solibs-1.0.1u-x86_64-1_slack14.1.txz Updated packages for Slackware 14.2: ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-1.0.2n-i586-1_slack14.2.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-solibs-1.0.2n-i586-1_slack14.2.txz Updated packages for Slackware x86_64 14.2: ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-1.0.2n-x86_64-1_slack14.2.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-solibs-1.0.2n-x86_64-1_slack14.2.txz Updated packages for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.2n-i586-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.2n-i586-1.txz Updated packages for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.2n-x86_64-1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.2n-x86_64-1.txz MD5 signatures: +-------------+ Slackware 13.0 packages: 644fbae107aa826aeb955cec011af852 openssl-0.9.8zh-i486-2_slack13.0.txz 6fa3075d061664f5bbe3d8de9e2bf368 openssl-solibs-0.9.8zh-i486-2_slack13.0.txz Slackware x86_64 13.0 packages: b53745715746f9dbef4a38dd8da03c94 openssl-0.9.8zh-x86_64-2_slack13.0.txz 5976e4f969f6adc2b43ba1592a52d5ba openssl-solibs-0.9.8zh-x86_64-2_slack13.0.txz Slackware 13.1 packages: e0608c002b708abaf2f5ceee4e4b155d openssl-0.9.8zh-i486-2_slack13.1.txz cac0d5ccba2dccd979284f2051dab525 openssl-solibs-0.9.8zh-i486-2_slack13.1.txz Slackware x86_64 13.1 packages: 01510ab2aab397be93e4bfdd04315bd0 openssl-0.9.8zh-x86_64-2_slack13.1.txz 0be1f99d5391cbc3b15dcd4371cb621a openssl-solibs-0.9.8zh-x86_64-2_slack13.1.txz Slackware 13.37 packages: c1c1d0a8483d4218fdd29ce1b2eb9e63 openssl-0.9.8zh-i486-2_slack13.37.txz 34ee96116c28ef08fbc08ab70b14f5a9 openssl-solibs-0.9.8zh-i486-2_slack13.37.txz Slackware x86_64 13.37 packages: 32dadc44ba5dbd7621023e8fec1e3069 openssl-0.9.8zh-x86_64-2_slack13.37.txz 2f0205cfba8228e3d1980cef54d8668b openssl-solibs-0.9.8zh-x86_64-2_slack13.37.txz Slackware 14.0 packages: e6d4b3a76383f9f253da4128ba23f269 openssl-1.0.1u-i486-1_slack14.0.txz c61d31a1751ae39af89d3fee0b54f0d8 openssl-solibs-1.0.1u-i486-1_slack14.0.txz Slackware x86_64 14.0 packages: 96be19e6a96c9beb5d3bbc55348fb483 openssl-1.0.1u-x86_64-1_slack14.0.txz b7a8fa2ebd16c8ae106fc1267bc29eca openssl-solibs-1.0.1u-x86_64-1_slack14.0.txz Slackware 14.1 packages: 099b960e62eaea5d1a639a61a2fabca7 openssl-1.0.1u-i486-1_slack14.1.txz b5d5219e05db97f63c4d6c389d6884fb openssl-solibs-1.0.1u-i486-1_slack14.1.txz Slackware x86_64 14.1 packages: fc96c87d76c9d1efd1290ac847fa7c7c openssl-1.0.1u-x86_64-1_slack14.1.txz e873b66f84f45ea34d028a3d524ce573 openssl-solibs-1.0.1u-x86_64-1_slack14.1.txz Slackware 14.2 packages: e03fab49e9d967c5612484d919dd0268 openssl-1.0.2n-i586-1_slack14.2.txz 08747665f462b8f8c2832853e38e1e6f openssl-solibs-1.0.2n-i586-1_slack14.2.txz Slackware x86_64 14.2 packages: b3a50ce9b6e6d449a8169e95d0a9612d openssl-1.0.2n-x86_64-1_slack14.2.txz c802bcfdfc5ff50f4ff8f9d3854201a6 openssl-solibs-1.0.2n-x86_64-1_slack14.2.txz Slackware -current packages: 94858e542e5e174cddd6ebc2f8901dfe a/openssl-solibs-1.0.2n-i586-1.txz e74abd2caa67240856cbe198051739db n/openssl-1.0.2n-i586-1.txz Slackware x86_64 -current packages: 708ff8cacfe797d28cb93e537ab7d4ee a/openssl-solibs-1.0.2n-x86_64-1.txz ed92a17a9345cfd0fbe7dc2f83eade22 n/openssl-1.0.2n-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the packages as root: # upgradepkg openssl-1.0.2n-i586-1_slack14.2.txz openssl-solibs-1.0.2n-i586-1_slack14.2.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20180327.txt For the oldstable distribution (jessie), these problems have been fixed in version 1.0.1t-1+deb8u8. The oldstable distribution is not affected by CVE-2017-3738. For the stable distribution (stretch), these problems have been fixed in version 1.1.0f-3+deb9u2. For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlq9UxtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Qi/Q//U7BsT4ITKgPcpErXfKx5RXi2xcPw/trUr83HqZvNIR99HUnQPVYbkyyX PLvB6xhmPAjx4cQFff8e5EIHR2OpoRzZ5nAvqo2b2bn1liVL1/pllYmj5HiHz5tb 8NXuDrDpO432rFDgrba6LDlXulq4Kux/NJpg1G/CkzNHMXXZR9xi3JZDMZU7jiZC eGynQd1MLlF2+6qWIX/7KJHI+tmT4ZNDK9IDMv/YH71gvku0ICY8zB+1qeHP7mPN dYYC6v5rqrES1SF//NxYu26E/YNo7krn6tN0OPhoDRZ3aPuqyOfB7QpxHOsdztfQ 2mIcXzS5JXdhQ5J8aEBrziAQ/nSoW+T533LniXVIiSQn+sYjrjg1vRt5PrBLx2N0 CNX4OVcstV2bGYKknOGYBVnEzURGoeydHx3zZn/OflCe+X6lpxQAwmfgrw4+T+FX QxnjVEn4e5HeR2RGOnHzA6g3GuyJ+OeU3g0WEbAgOhqowTx3OOX7/htYnt702GKQ 9aA4ypYG8228owbno857nfnDb6eGbeqeH3BF8B20p4VHwlL1+XxyMmM+yzgbwCoA 8npl1DiiyUNBFl3WpQrjg7NwWXw+EGp5F+GxRip9yO/8cxKXn3+LqZP7gGR/+Mz5 ATXpKzuY6L8Gzh4Y+W7IH+iApSpSOlDXzo18PVCfp9qxnKNjetA= =whaV -----END PGP SIGNATURE----- . OpenSSL Security Advisory [27 Mar 2018] ======================================== Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739) ========================================================================================== Severity: Moderate Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. OpenSSL 1.1.0 users should upgrade to 1.1.0h OpenSSL 1.0.2 users should upgrade to 1.0.2o This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz project. Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733) ======================================================== Severity: Moderate Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. OpenSSL 1.1.0 users should upgrade to 1.1.0h This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg (IBM). OpenSSL 1.1.0 users should upgrade to 1.1.0h OpenSSL 1.0.2 users should upgrade to 1.0.2n This issue was reported to OpenSSL on 22nd November 2017 by David Benjamin (Google). The issue was originally found via the OSS-Fuzz project. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20180327.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html

Trust: 2.7

sources: NVD: CVE-2017-3738 // JVNDB: JVNDB-2017-011252 // BID: 102118 // VULMON: CVE-2017-3738 // PACKETSTORM: 148521 // PACKETSTORM: 148525 // PACKETSTORM: 145372 // PACKETSTORM: 148524 // PACKETSTORM: 145423 // PACKETSTORM: 145368 // PACKETSTORM: 146958 // PACKETSTORM: 169626

AFFECTED PRODUCTS

vendor:opensslmodel:opensslscope:eqversion:1.0.2b

Trust: 1.6

vendor:opensslmodel:opensslscope:eqversion:1.0.2a

Trust: 1.6

vendor:opensslmodel:opensslscope:eqversion:1.0.2

Trust: 1.6

vendor:opensslmodel:opensslscope:eqversion:1.0.2e

Trust: 1.6

vendor:opensslmodel:opensslscope:eqversion:1.0.2f

Trust: 1.6

vendor:opensslmodel:opensslscope:eqversion:1.0.2d

Trust: 1.6

vendor:opensslmodel:opensslscope:eqversion:1.0.2c

Trust: 1.6

vendor:debianmodel:linuxscope:eqversion:8.0

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0g

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2k

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0b

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:9.0.0

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2h

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:6.9.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:8.9.3

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2m

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0a

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:6.12.2

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0f

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0d

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2i

Trust: 1.0

vendor:nodejsmodel:node.jsscope:lteversion:8.8.1

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:4.2.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:lteversion:6.8.1

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:8.0.0

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2j

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:4.0.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:4.8.7

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2l

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:6.0.0

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2g

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0e

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:9.2.1

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0c

Trust: 1.0

vendor:nodejsmodel:node.jsscope:lteversion:4.1.2

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:8.9.0

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:debianmodel:gnu/linuxscope:eqversion:9.0

Trust: 0.8

vendor:opensslmodel:opensslscope: - version: -

Trust: 0.8

vendor:necmodel:edge gatewayscope:eqversion: -

Trust: 0.8

vendor:hitachimodel:cosminexus http serverscope: - version: -

Trust: 0.8

vendor:hitachimodel:automation directorscope:eqversion:( overseas edition )

Trust: 0.8

vendor:hitachimodel:automation directorscope:eqversion:( domestic version )

Trust: 0.8

vendor:hitachimodel:compute systems managerscope: - version: -

Trust: 0.8

vendor:hitachimodel:configuration managerscope: - version: -

Trust: 0.8

vendor:hitachimodel:device managerscope: - version: -

Trust: 0.8

vendor:hitachimodel:global link managerscope: - version: -

Trust: 0.8

vendor:hitachimodel:infrastructure analytics advisorscope: - version: -

Trust: 0.8

vendor:hitachimodel:replication managerscope: - version: -

Trust: 0.8

vendor:hitachimodel:tiered storage managerscope: - version: -

Trust: 0.8

vendor:hitachimodel:tuning managerscope: - version: -

Trust: 0.8

vendor:hitachimodel:jp1/automatic job management system 3scope:eqversion:- web console (windows

Trust: 0.8

vendor:hitachimodel:jp1/automatic job management system 3scope:eqversion:linux)

Trust: 0.8

vendor:hitachimodel:jp1/automatic operationscope: - version: -

Trust: 0.8

vendor:hitachimodel:jp1/it desktop managementscope:eqversion:2 - smart device manager

Trust: 0.8

vendor:hitachimodel:jp1/operations analyticsscope: - version: -

Trust: 0.8

vendor:hitachimodel:jp1/performance managementscope:eqversion:- web console

Trust: 0.8

vendor:hitachimodel:jp1/snmp system observerscope: - version: -

Trust: 0.8

vendor:hitachimodel:ucosminexus application serverscope:eqversion:none

Trust: 0.8

vendor:hitachimodel:ucosminexus application serverscope:eqversion:-r

Trust: 0.8

vendor:hitachimodel:ucosminexus developerscope: - version: -

Trust: 0.8

vendor:hitachimodel:ucosminexus primary serverscope:eqversion:base

Trust: 0.8

vendor:hitachimodel:ucosminexus service architectscope: - version: -

Trust: 0.8

vendor:hitachimodel:ucosminexus service platformscope: - version: -

Trust: 0.8

vendor:oraclemodel:linuxscope:eqversion:7.0

Trust: 0.3

vendor:opensslmodel:project opensslscope:eqversion:1.1

Trust: 0.3

vendor:opensslmodel:project opensslscope:eqversion:1.0.2

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0gscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0f-gitscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0fscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0escope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0dscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0cscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0bscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0ascope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2mscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2lscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2kscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2jscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2iscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2hscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2gscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2fscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2escope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2dscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2cscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2bscope: - version: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2ascope: - version: -

Trust: 0.3

vendor:ibmmodel:db2scope:eqversion:9.8

Trust: 0.3

vendor:ibmmodel:db2scope:eqversion:9.7

Trust: 0.3

vendor:ibmmodel:db2scope:eqversion:11.1

Trust: 0.3

vendor:ibmmodel:db2scope:eqversion:10.5

Trust: 0.3

vendor:ibmmodel:db2scope:eqversion:10.1

Trust: 0.3

vendor:opensslmodel:project openssl 1.1.0hscope:neversion: -

Trust: 0.3

vendor:opensslmodel:project openssl 1.0.2nscope:neversion: -

Trust: 0.3

sources: BID: 102118 // JVNDB: JVNDB-2017-011252 // CNNVD: CNNVD-201712-216 // NVD: CVE-2017-3738

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3738
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-3738
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201712-216
value: MEDIUM

Trust: 0.6

VULMON: CVE-2017-3738
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-3738
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2017-3738
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2017-3738
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2017-3738 // JVNDB: JVNDB-2017-011252 // CNNVD: CNNVD-201712-216 // NVD: CVE-2017-3738

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2017-011252 // NVD: CVE-2017-3738

THREAT TYPE

remote

Trust: 0.9

sources: PACKETSTORM: 148525 // PACKETSTORM: 145372 // PACKETSTORM: 148524 // CNNVD: CNNVD-201712-216

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201712-216

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011252

PATCH

title:DSA-4065url:https://www.debian.org/security/2017/dsa-4065

Trust: 0.8

title:hitachi-sec-2018-106url:http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-106/index.html

Trust: 0.8

title:hitachi-sec-2018-124url:http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-124/index.html

Trust: 0.8

title:hitachi-sec-2019-105url:http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-105/index.html

Trust: 0.8

title:NV18-010url:https://jpn.nec.com/security-info/secinfo/nv18-010.html

Trust: 0.8

title:NTAP-20171208-0001url:https://security.netapp.com/advisory/ntap-20171208-0001/

Trust: 0.8

title:Data Confidentiality/Integrity Vulnerability, December 2017url:https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/

Trust: 0.8

title:Read/write after SSL object in error state (CVE-2017-3737)url:https://www.openssl.org/news/secadv/20171207.txt

Trust: 0.8

title:hitachi-sec-2018-106url:http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2018-106/index.html

Trust: 0.8

title:hitachi-sec-2018-124url:http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2018-124/index.html

Trust: 0.8

title:hitachi-sec-2019-105url:http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2019-105/index.html

Trust: 0.8

title:OpenSSL Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76995

Trust: 0.6

title:Red Hat: Moderate: openssl security and bug fix updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20180998 - Security Advisory

Trust: 0.1

title:Ubuntu Security Notice: openssl vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3512-1

Trust: 0.1

title:Red Hat: Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 6 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182186 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182187 - Security Advisory

Trust: 0.1

title:Debian Security Advisories: DSA-4157-1 openssl -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=c79d1e1d762e93b378a3fac64f240919

Trust: 0.1

title:Red Hat: Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 7 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182185 - Security Advisory

Trust: 0.1

title:IBM: IBM Security Bulletin: Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenterurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=29a34ceeb17cecefa4b82c6b5a2da56d

Trust: 0.1

title:Red Hat: CVE-2017-3738url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2017-3738

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2017-3738

Trust: 0.1

title:Hitachi Security Advisories: Multiple Vulnerabilities in JP1url:https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories&qid=hitachi-sec-2019-105

Trust: 0.1

title:Arch Linux Advisories: [ASA-201804-6] lib32-openssl: private key recoveryurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201804-6

Trust: 0.1

title:Amazon Linux AMI: ALAS-2018-1016url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2018-1016

Trust: 0.1

title:Symantec Security Advisories: SA159: OpenSSL Vulnerabilities 7-Dec-2017url:https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories&qid=7a23414ce58f57534a106c24bd753c6b

Trust: 0.1

title:Arch Linux Advisories: [ASA-201804-2] openssl: multiple issuesurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201804-2

Trust: 0.1

title:Amazon Linux 2: ALAS2-2018-1004url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2018-1004

Trust: 0.1

title:Tenable Security Advisories: [R1] OpenSSL Stand-alone Patch Available for SecurityCenter versions 5.0 or Laterurl:https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories&qid=TNS-2018-04

Trust: 0.1

title:Tenable Security Advisories: [R1] Industrial Security 1.1.0 Fixes One Third-party Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories&qid=TNS-2018-06

Trust: 0.1

title:Tenable Security Advisories: [R2] SecurityCenter 5.6.1 Fixes Multiple Third-party Vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories&qid=TNS-2017-16

Trust: 0.1

title:Arch Linux Advisories: [ASA-201712-11] lib32-openssl-1.0: multiple issuesurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201712-11

Trust: 0.1

title:Tenable Security Advisories: [R1] Nessus Network Monitor 5.5.0 Fixes One Third-party Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories&qid=TNS-2018-07

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - July 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=5f8c525f1408011628af1792207b2099

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - April 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=72fe5ebf222112c8481815fd7cefc7af

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - January 2019url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=f655264a6935505d167bbf45f409a57b

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - April 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=4019ca77f50c7a34e4d97833e6f3321e

Trust: 0.1

title:IBM: IBM Security Bulletin: Multiple Security Vulnerabilities have been fixed in IBM Security Privileged Identity Manager Appliance.url:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=f5bb2b180c7c77e5a02747a1f31830d9

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - October 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=81c63752a6f26433af2128b2e8c02385

Trust: 0.1

title:Oracle Linux Bulletins: Oracle Linux Bulletin - April 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins&qid=ae57a14ec914f60b7203332a77613077

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - July 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=586e6062440cdd312211d748e028164e

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - January 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=525e4e31765e47b9e53b24e880af9d6e

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - January 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=e2a7f287e9acc8c64ab3df71130bc64d

Trust: 0.1

title:core-kiturl:https://github.com/funtoo/core-kit

Trust: 0.1

sources: VULMON: CVE-2017-3738 // JVNDB: JVNDB-2017-011252 // CNNVD: CNNVD-201712-216

EXTERNAL IDS

db:NVDid:CVE-2017-3738

Trust: 3.6

db:BIDid:102118

Trust: 2.0

db:TENABLEid:TNS-2018-04

Trust: 1.7

db:TENABLEid:TNS-2018-07

Trust: 1.7

db:TENABLEid:TNS-2017-16

Trust: 1.7

db:TENABLEid:TNS-2018-06

Trust: 1.7

db:SECTRACKid:1039978

Trust: 1.7

db:JVNid:JVNVU93502675

Trust: 0.8

db:JVNDBid:JVNDB-2017-011252

Trust: 0.8

db:AUSCERTid:ESB-2019.4645

Trust: 0.6

db:AUSCERTid:ESB-2019.2261

Trust: 0.6

db:AUSCERTid:ESB-2022.0696

Trust: 0.6

db:AUSCERTid:ESB-2019.1089

Trust: 0.6

db:AUSCERTid:ESB-2019.2536

Trust: 0.6

db:AUSCERTid:ESB-2019.1054

Trust: 0.6

db:CNNVDid:CNNVD-201712-216

Trust: 0.6

db:VULMONid:CVE-2017-3738

Trust: 0.1

db:PACKETSTORMid:148521

Trust: 0.1

db:PACKETSTORMid:148525

Trust: 0.1

db:PACKETSTORMid:145372

Trust: 0.1

db:PACKETSTORMid:148524

Trust: 0.1

db:PACKETSTORMid:145423

Trust: 0.1

db:PACKETSTORMid:145368

Trust: 0.1

db:PACKETSTORMid:146958

Trust: 0.1

db:PACKETSTORMid:169626

Trust: 0.1

sources: VULMON: CVE-2017-3738 // BID: 102118 // JVNDB: JVNDB-2017-011252 // PACKETSTORM: 148521 // PACKETSTORM: 148525 // PACKETSTORM: 145372 // PACKETSTORM: 148524 // PACKETSTORM: 145423 // PACKETSTORM: 145368 // PACKETSTORM: 146958 // PACKETSTORM: 169626 // CNNVD: CNNVD-201712-216 // NVD: CVE-2017-3738

REFERENCES

url:http://www.securityfocus.com/bid/102118

Trust: 2.4

url:https://www.openssl.org/news/secadv/20180327.txt

Trust: 2.2

url:https://www.openssl.org/news/secadv/20171207.txt

Trust: 2.1

url:https://security.gentoo.org/glsa/201712-03

Trust: 1.8

url:https://access.redhat.com/errata/rhsa-2018:0998

Trust: 1.8

url:https://access.redhat.com/errata/rhsa-2018:2187

Trust: 1.8

url:https://access.redhat.com/errata/rhsa-2018:2186

Trust: 1.8

url:https://access.redhat.com/errata/rhsa-2018:2185

Trust: 1.8

url:http://www.securitytracker.com/id/1039978

Trust: 1.7

url:https://security.netapp.com/advisory/ntap-20171208-0001/

Trust: 1.7

url:https://security.freebsd.org/advisories/freebsd-sa-17:12.openssl.asc

Trust: 1.7

url:https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/

Trust: 1.7

url:https://www.debian.org/security/2017/dsa-4065

Trust: 1.7

url:https://www.tenable.com/security/tns-2017-16

Trust: 1.7

url:http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Trust: 1.7

url:https://github.com/openssl/openssl/commit/e502cc86df9dafded1694fceb3228ee34d11c11a

Trust: 1.7

url:https://www.debian.org/security/2018/dsa-4157

Trust: 1.7

url:http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Trust: 1.7

url:https://www.tenable.com/security/tns-2018-04

Trust: 1.7

url:https://www.tenable.com/security/tns-2018-07

Trust: 1.7

url:https://www.tenable.com/security/tns-2018-06

Trust: 1.7

url:http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Trust: 1.7

url:https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbst03881en_us

Trust: 1.7

url:http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Trust: 1.7

url:https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Trust: 1.7

url:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Trust: 1.7

url:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2017-3738

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3738

Trust: 0.9

url:http://jvn.jp/cert/jvnvu93502675

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-3737

Trust: 0.6

url:https://www.suse.com/support/update/announcement/2019/suse-su-201914246-1.html

Trust: 0.6

url:http://www.ibm.com/support/docview.wss?uid=ibm10887987

Trust: 0.6

url:http://www.ibm.com/support/docview.wss?uid=ibm10887995

Trust: 0.6

url:http://www.ibm.com/support/docview.wss?uid=ibm10887989

Trust: 0.6

url:http://www.ibm.com/support/docview.wss?uid=ibm10887985

Trust: 0.6

url:http://www.ibm.com/support/docview.wss?uid=ibm10887991

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.0696

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.2261/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.2536/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.4645/

Trust: 0.6

url:https://www-01.ibm.com/support/docview.wss?uid=ibm10887987

Trust: 0.6

url:http://www.ibm.com/support/docview.wss?uid=ibm10879093

Trust: 0.6

url:https://www.auscert.org.au/bulletins/78218

Trust: 0.6

url:https://www.auscert.org.au/bulletins/78082

Trust: 0.6

url:http://www.ibm.com/support/docview.wss?uid=ibm10888295

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2017-3736

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2017-3732

Trust: 0.4

url:http://openssl.org/

Trust: 0.3

url:https://www.oracle.com/technetwork/topics/security/linuxbulletinapr2018-4431087.html

Trust: 0.3

url:http://www-01.ibm.com/support/docview.wss?uid=swg21984819

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-2182

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2017-3731

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-7055

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-6302

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2017-3731

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2017-3737

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2016-6306

Trust: 0.3

url:https://access.redhat.com/security/team/contact/

Trust: 0.3

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2017-3738

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2017-3732

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-6306

Trust: 0.3

url:https://bugzilla.redhat.com/):

Trust: 0.3

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.29/

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2016-2182

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2016-7055

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2016-6302

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2017-3736

Trust: 0.3

url:https://issues.jboss.org/):

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://access.redhat.com/security/team/key/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-0739

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/200.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://usn.ubuntu.com/3512-1/

Trust: 0.1

url:https://tools.cisco.com/security/center/viewalert.x?alertid=56193

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu13.3

Trust: 0.1

url:https://www.ubuntu.com/usn/usn-3512-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu11.4

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.10

Trust: 0.1

url:http://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://nvd.nist.gov/nvd.cfm?cvename=cve-2017-3737

Trust: 0.1

url:https://nvd.nist.gov/nvd.cfm?cvename=cve-2017-3736

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-3735

Trust: 0.1

url:https://nvd.nist.gov/nvd.cfm?cvename=cve-2017-3738

Trust: 0.1

url:https://nvd.nist.gov/nvd.cfm?cvename=cve-2017-3735

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3737

Trust: 0.1

url:http://slackware.com

Trust: 0.1

url:http://osuosl.org)

Trust: 0.1

url:http://slackware.com/gpg-key

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://security-tracker.debian.org/tracker/openssl

Trust: 0.1

url:https://www.openssl.org/policies/secpolicy.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-0701

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-3193

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-0733

Trust: 0.1

sources: VULMON: CVE-2017-3738 // BID: 102118 // JVNDB: JVNDB-2017-011252 // PACKETSTORM: 148521 // PACKETSTORM: 148525 // PACKETSTORM: 145372 // PACKETSTORM: 148524 // PACKETSTORM: 145423 // PACKETSTORM: 145368 // PACKETSTORM: 146958 // PACKETSTORM: 169626 // CNNVD: CNNVD-201712-216 // NVD: CVE-2017-3738

CREDITS

David Benjamin

Trust: 0.3

sources: BID: 102118

SOURCES

db:VULMONid:CVE-2017-3738
db:BIDid:102118
db:JVNDBid:JVNDB-2017-011252
db:PACKETSTORMid:148521
db:PACKETSTORMid:148525
db:PACKETSTORMid:145372
db:PACKETSTORMid:148524
db:PACKETSTORMid:145423
db:PACKETSTORMid:145368
db:PACKETSTORMid:146958
db:PACKETSTORMid:169626
db:CNNVDid:CNNVD-201712-216
db:NVDid:CVE-2017-3738

LAST UPDATE DATE

2024-11-19T20:53:33.250000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2017-3738date:2022-08-19T00:00:00
db:BIDid:102118date:2018-10-15T09:00:00
db:JVNDBid:JVNDB-2017-011252date:2018-08-13T00:00:00
db:CNNVDid:CNNVD-201712-216date:2022-08-22T00:00:00
db:NVDid:CVE-2017-3738date:2022-08-19T11:49:42.737

SOURCES RELEASE DATE

db:VULMONid:CVE-2017-3738date:2017-12-07T00:00:00
db:BIDid:102118date:2017-12-07T00:00:00
db:JVNDBid:JVNDB-2017-011252date:2018-01-12T00:00:00
db:PACKETSTORMid:148521date:2018-07-12T21:45:18
db:PACKETSTORMid:148525date:2018-07-12T21:48:57
db:PACKETSTORMid:145372date:2017-12-12T05:29:29
db:PACKETSTORMid:148524date:2018-07-12T21:48:49
db:PACKETSTORMid:145423date:2017-12-15T14:15:17
db:PACKETSTORMid:145368date:2017-12-12T05:28:59
db:PACKETSTORMid:146958date:2018-03-30T15:44:00
db:PACKETSTORMid:169626date:2018-03-27T12:12:12
db:CNNVDid:CNNVD-201712-216date:2017-12-08T00:00:00
db:NVDid:CVE-2017-3738date:2017-12-07T16:29:00.240