CVE-2017-3730

high-risk

Published 2017-05-04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.

Do I need to act?

52.9% chance of exploitation in next 30 days

EPSS score — higher than 47% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

41192

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (18)

Openssl

Communications Application Session Controller

Communications Eagle Lnp Application Processor

Communications Operations Monitor

Jd Edwards Enterpriseone Tools

Jd Edwards World Security

Openssl

Agile Engineering Data Management

Communications Application Session Controller

Communications Eagle Lnp Application Processor

Jd Edwards World Security

Affected Vendors

Oracle Openssl

References (20)

Patch http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Patch http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Broken Link http://www.securityfocus.com/bid/95812

Third Party Advisory http://www.securitytracker.com/id/1037717

Patch https://github.com/openssl/openssl/commit/efbe126e3ebb9123ac9d058aa2bb044261342a...

Third Party Advisory https://security.gentoo.org/glsa/201702-07

Third Party Advisory https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpe...

Exploit https://www.exploit-db.com/exploits/41192/

Patch https://www.openssl.org/news/secadv/20170126.txt

Patch https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html