Sign-up

ID

VAR-201705-3649


CVE

CVE-2017-3732


TITLE

OpenSSL Service disruption in (DoS) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2017-003156

DESCRIPTION

There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem. OpenSSL There is a service disruption ( crash ) There are vulnerabilities that are put into a state.Service operation interruption ( crash ) There is a possibility of being put into a state. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k This issue was reported to OpenSSL on 13th November 2016 by Robert Święcki of Google. The fix was developed by Andy Polyakov of the OpenSSL development team. Bad (EC)DHE parameters cause a client crash (CVE-2017-3730) =========================================================== Severity: Moderate If a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack. OpenSSL 1.1.0 users should upgrade to 1.1.0d This issue does not affect OpenSSL version 1.0.2. This means the git commit with the fix does not contain the CVE identifier. The relevant fix commit can be identified by commit hash efbe126e3. This issue was reported to OpenSSL on 14th January 2017 by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team. UPDATE 31 Jan 2017. This is not true. OpenSSL 1.1.0 users should upgrade to 1.1.0d OpenSSL 1.0.2 users should upgrade to 1.0.2k This issue was reported to OpenSSL on 15th January 2017 by the OSS-Fuzz project. The fix was developed by Andy Polyakov of the OpenSSL development team. Montgomery multiplication may produce incorrect results (CVE-2016-7055) ======================================================================= Severity: Low This issue was previously fixed in 1.1.0c and covered in security advisory https://www.openssl.org/news/secadv/20161110.txt OpenSSL 1.0.2 users should upgrade to 1.0.2k Note ==== Support for version 1.0.1 ended on 31st December 2016. Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20170126.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html . OpenSSL Security Advisory [07 Dec 2017] ======================================== Read/write after SSL object in error state (CVE-2017-3737) ========================================================== Severity: Moderate OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The issue was originally found via the OSS-Fuzz project. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/openssl-1.0.2k-i586-1_slack14.2.txz: Upgraded. +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated packages for Slackware 14.2: ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-1.0.2k-i586-1_slack14.2.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-solibs-1.0.2k-i586-1_slack14.2.txz Updated packages for Slackware x86_64 14.2: ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-1.0.2k-x86_64-1_slack14.2.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-solibs-1.0.2k-x86_64-1_slack14.2.txz Updated packages for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.2k-i586-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.2k-i586-1.txz Updated packages for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.2k-x86_64-1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.2k-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.2 packages: 1d03d7f59dece41b97104cbe8341b812 openssl-1.0.2k-i586-1_slack14.2.txz c5e689d9ac1c1675c5059b8e7cd42594 openssl-solibs-1.0.2k-i586-1_slack14.2.txz Slackware x86_64 14.2 packages: 5e075d516ab7ccc1ef14f430e599bdef openssl-1.0.2k-x86_64-1_slack14.2.txz 110479b47a4208bcdb43fee59b9f06ca openssl-solibs-1.0.2k-x86_64-1_slack14.2.txz Slackware -current packages: 8eca7a113cf58688dc6203c4091fd0ac a/openssl-solibs-1.0.2k-i586-1.txz 1ee03441f6409e48dda42c006ae5a7ad n/openssl-1.0.2k-i586-1.txz Slackware x86_64 -current packages: 51ed87062d6898bd50705b2c2abc2c68 a/openssl-solibs-1.0.2k-x86_64-1.txz d9e56ff59fd7aa5791bf6809ccea0f92 n/openssl-1.0.2k-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the packages as root: # upgradepkg openssl-1.0.2k-i586-1_slack14.2.txz openssl-solibs-1.0.2k-i586-1_slack14.2.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. Description: IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP20. Security Fix(es): * IBM JDK: privilege escalation via insufficiently restricted access to Attach API (CVE-2018-12539) * openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) * openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) * IBM JDK: DoS in the java.math component (CVE-2018-1517) * IBM JDK: path traversal flaw in the Diagnostic Tooling Framework (CVE-2018-1656) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940) * OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) (CVE-2018-2952) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973) * OpenSSL: Double-free in DSA code (CVE-2016-0705) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the OpenSSL project for reporting CVE-2016-0705. All running instances of IBM Java must be restarted for this update to take effect. Bugs fixed (https://bugzilla.redhat.com/): 1310596 - CVE-2016-0705 OpenSSL: Double-free in DSA code 1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64 1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64 1600925 - CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) 1602145 - CVE-2018-2973 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) 1602146 - CVE-2018-2940 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) 1618767 - CVE-2018-12539 IBM JDK: privilege escalation via insufficiently restricted access to Attach API 1618869 - CVE-2018-1656 IBM JDK: path traversal flaw in the Diagnostic Tooling Framework 1618871 - CVE-2018-1517 IBM JDK: DoS in the java.math component 6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 7 security update Advisory ID: RHSA-2018:2185-01 Product: Red Hat JBoss Core Services Advisory URL: https://access.redhat.com/errata/RHSA-2018:2185 Issue date: 2018-07-12 CVE Names: CVE-2016-2182 CVE-2016-6302 CVE-2016-6306 CVE-2016-7055 CVE-2017-3731 CVE-2017-3732 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 ==================================================================== 1. Summary: Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Relevant releases/architectures: Red Hat JBoss Core Services on RHEL 7 Server - noarch, ppc64, x86_64 3. Description: This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes, enhancements and component upgrades included in this release. This release upgrades OpenSSL to version 1.0.2.n Security Fix(es): * openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() (CVE-2016-2182) * openssl: Insufficient TLS session ticket HMAC length checks (CVE-2016-6302) * openssl: certificate message OOB reads (CVE-2016-6306) * openssl: Carry propagating bug in Montgomery multiplication (CVE-2016-7055) * openssl: Truncated packet could crash via OOB read (CVE-2017-3731) * openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) * openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) * openssl: Read/write after SSL object in error state (CVE-2017-3737) * openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306 and CVE-2016-7055. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6306. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() 1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks 1377594 - CVE-2016-6306 openssl: certificate message OOB reads 1393929 - CVE-2016-7055 openssl: Carry propagating bug in Montgomery multiplication 1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read 1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64 1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64 1523504 - CVE-2017-3737 openssl: Read/write after SSL object in error state 1523510 - CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 6. JIRA issues fixed (https://issues.jboss.org/): JBCS-373 - Errata for httpd 2.4.29 GA RHEL 7 7. Package List: Red Hat JBoss Core Services on RHEL 7 Server: Source: jbcs-httpd24-apache-commons-daemon-1.1.0-1.redhat_2.1.jbcs.el7.src.rpm jbcs-httpd24-apache-commons-daemon-jsvc-1.1.0-1.redhat_2.jbcs.el7.src.rpm jbcs-httpd24-apr-1.6.3-14.jbcs.el7.src.rpm jbcs-httpd24-apr-util-1.6.1-9.jbcs.el7.src.rpm jbcs-httpd24-httpd-2.4.29-17.jbcs.el7.src.rpm jbcs-httpd24-mod_auth_kerb-5.4-36.jbcs.el7.src.rpm jbcs-httpd24-mod_bmx-0.9.6-17.GA.jbcs.el7.src.rpm jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_2.jbcs.el7.src.rpm jbcs-httpd24-mod_jk-1.2.43-1.redhat_1.jbcs.el7.src.rpm jbcs-httpd24-mod_rt-2.4.1-19.GA.jbcs.el7.src.rpm jbcs-httpd24-mod_security-2.9.1-23.GA.jbcs.el7.src.rpm jbcs-httpd24-nghttp2-1.29.0-8.jbcs.el7.src.rpm jbcs-httpd24-openssl-1.0.2n-11.jbcs.el7.src.rpm noarch: jbcs-httpd24-apache-commons-daemon-1.1.0-1.redhat_2.1.jbcs.el7.noarch.rpm jbcs-httpd24-httpd-manual-2.4.29-17.jbcs.el7.noarch.rpm ppc64: jbcs-httpd24-apache-commons-daemon-jsvc-1.1.0-1.redhat_2.jbcs.el7.ppc64.rpm jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.1.0-1.redhat_2.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-1.6.3-14.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-debuginfo-1.6.3-14.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-devel-1.6.3-14.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-debuginfo-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-devel-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-ldap-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-mysql-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-nss-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-odbc-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-openssl-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-pgsql-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-apr-util-sqlite-1.6.1-9.jbcs.el7.ppc64.rpm jbcs-httpd24-httpd-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-httpd-debuginfo-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-httpd-devel-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-httpd-selinux-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-httpd-tools-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_auth_kerb-5.4-36.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_auth_kerb-debuginfo-5.4-36.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_bmx-0.9.6-17.GA.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_bmx-debuginfo-0.9.6-17.GA.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_2.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_cluster-native-debuginfo-1.3.8-1.Final_redhat_2.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_jk-ap24-1.2.43-1.redhat_1.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_jk-debuginfo-1.2.43-1.redhat_1.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_jk-manual-1.2.43-1.redhat_1.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_ldap-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_proxy_html-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_rt-2.4.1-19.GA.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_rt-debuginfo-2.4.1-19.GA.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_security-2.9.1-23.GA.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_security-debuginfo-2.9.1-23.GA.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_session-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-mod_ssl-2.4.29-17.jbcs.el7.ppc64.rpm jbcs-httpd24-nghttp2-1.29.0-8.jbcs.el7.ppc64.rpm jbcs-httpd24-nghttp2-debuginfo-1.29.0-8.jbcs.el7.ppc64.rpm jbcs-httpd24-nghttp2-devel-1.29.0-8.jbcs.el7.ppc64.rpm jbcs-httpd24-openssl-1.0.2n-11.jbcs.el7.ppc64.rpm jbcs-httpd24-openssl-debuginfo-1.0.2n-11.jbcs.el7.ppc64.rpm jbcs-httpd24-openssl-devel-1.0.2n-11.jbcs.el7.ppc64.rpm jbcs-httpd24-openssl-libs-1.0.2n-11.jbcs.el7.ppc64.rpm jbcs-httpd24-openssl-perl-1.0.2n-11.jbcs.el7.ppc64.rpm jbcs-httpd24-openssl-static-1.0.2n-11.jbcs.el7.ppc64.rpm x86_64: jbcs-httpd24-apache-commons-daemon-jsvc-1.1.0-1.redhat_2.jbcs.el7.x86_64.rpm jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.1.0-1.redhat_2.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-1.6.3-14.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-debuginfo-1.6.3-14.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-devel-1.6.3-14.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-debuginfo-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-devel-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-ldap-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-mysql-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-nss-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-odbc-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-openssl-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-pgsql-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-apr-util-sqlite-1.6.1-9.jbcs.el7.x86_64.rpm jbcs-httpd24-httpd-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-httpd-debuginfo-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-httpd-devel-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-httpd-selinux-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-httpd-tools-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_auth_kerb-5.4-36.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_auth_kerb-debuginfo-5.4-36.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_bmx-0.9.6-17.GA.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_bmx-debuginfo-0.9.6-17.GA.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_2.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_cluster-native-debuginfo-1.3.8-1.Final_redhat_2.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_jk-ap24-1.2.43-1.redhat_1.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_jk-debuginfo-1.2.43-1.redhat_1.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_jk-manual-1.2.43-1.redhat_1.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_ldap-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_proxy_html-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_rt-2.4.1-19.GA.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_rt-debuginfo-2.4.1-19.GA.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_security-2.9.1-23.GA.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_security-debuginfo-2.9.1-23.GA.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_session-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-mod_ssl-2.4.29-17.jbcs.el7.x86_64.rpm jbcs-httpd24-nghttp2-1.29.0-8.jbcs.el7.x86_64.rpm jbcs-httpd24-nghttp2-debuginfo-1.29.0-8.jbcs.el7.x86_64.rpm jbcs-httpd24-nghttp2-devel-1.29.0-8.jbcs.el7.x86_64.rpm jbcs-httpd24-openssl-1.0.2n-11.jbcs.el7.x86_64.rpm jbcs-httpd24-openssl-debuginfo-1.0.2n-11.jbcs.el7.x86_64.rpm jbcs-httpd24-openssl-devel-1.0.2n-11.jbcs.el7.x86_64.rpm jbcs-httpd24-openssl-libs-1.0.2n-11.jbcs.el7.x86_64.rpm jbcs-httpd24-openssl-perl-1.0.2n-11.jbcs.el7.x86_64.rpm jbcs-httpd24-openssl-static-1.0.2n-11.jbcs.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2016-2182 https://access.redhat.com/security/cve/CVE-2016-6302 https://access.redhat.com/security/cve/CVE-2016-6306 https://access.redhat.com/security/cve/CVE-2016-7055 https://access.redhat.com/security/cve/CVE-2017-3731 https://access.redhat.com/security/cve/CVE-2017-3732 https://access.redhat.com/security/cve/CVE-2017-3736 https://access.redhat.com/security/cve/CVE-2017-3737 https://access.redhat.com/security/cve/CVE-2017-3738 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.29/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-17:02.openssl Security Advisory The FreeBSD Project Topic: OpenSSL multiple vulnerabilities Category: contrib Module: openssl Announced: 2017-02-23 Affects: All supported versions of FreeBSD. Corrected: 2017-01-26 19:14:14 UTC (stable/11, 11.0-STABLE) 2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8) 2017-01-27 07:45:06 UTC (stable/10, 10.3-STABLE) 2017-02-23 07:12:18 UTC (releng/10.3, 10.3-RELEASE-p16) CVE Name: CVE-2016-7055, CVE-2017-3731, CVE-2017-3732 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. II. Problem Description If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. [CVE-2017-3732] Montgomery multiplication may produce incorrect results. [CVE-2016-7055] III. Impact A remote attacker may trigger a crash on servers or clients that supported RC4-MD5. [CVE-2017-3732, CVE-2016-7055] IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Restart all daemons that use the library, or reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Restart all daemons that use the library, or reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.0] # fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-11.patch # fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-11.patch.asc # gpg --verify openssl-11.patch.asc [FreeBSD 10.3] # fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-10.patch # fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-10.patch.asc # gpg --verify openssl-10.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart all daemons that use the library, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r312863 releng/10.3/ r314125 stable/11/ r312826 releng/11.0/ r314126 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7055> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732> <URL:https://www.openssl.org/news/secadv/20170126.txt> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.18 (FreeBSD) iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAliujOsACgkQ7Wfs1l3P aufZHhAAy8U5oOrLGq0XH8Dumpkyc+bFOmsEh+S1hL6jFL13jUVpDqogZ3w/a7If Hcqiyipx5dbcGbHJayokfimkxPcIYydYQK9NwWaXVlnZifvgWka+KxtcD0u2A8S5 cpTbNl+CALQQqEF3+JmOc4Uq2Dtui0xFG1N5Og4oF5Uo+lvQh4bcJ1UbfhMdq8EG US3hGlJLJJW75m3jkgHyu0o7A0swnNTUQrW9Z0p/3iTiel7fM57d/N1who+kt59V UErXTzMDBT1kkWRne0aTA71gdy3SUeRiVi9/LWggjIRJNyMnQjO3UI2UOIHLLQAG CXcZLPekB87iHZxMAw8oV6b4GIkJhqUFW2ep2AZkUdDZ2Mup9bDrx/0Ik0jHjyQY KEmZDroHvP8z569q+aWfIIpMXPv6zJTnent45U2/q13wMHJwWsADu9ukeWKTw7wI P0Rc3vht+AXbXFi9SjxwdldgrVszV7x8Yi6W9KhHsGqCl6NBCW9Md/PWbNQQUVkq I5tV0WB3pTwOk0yMi3h/okM9VBr1lPDU18W0he5T9wbOh4w0jwFb8AqMu1slst3l 9MlhRfO/4LIDlfRQ/dj4dOfVLZqEd/xleax99yFXZUzibUYrOMlBxNaKvV80plwB Kg2Hr3DJuJa3599kNgXMCNV1lRIOJbJ9dRmX6B0YzMgvxKPIXY4= =8Jsr -----END PGP SIGNATURE----- . =========================================================================== Ubuntu Security Notice USN-3181-1 January 31, 2017 openssl vulnerabilities =========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.10 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in OpenSSL. Software Description: - openssl: Secure Socket Layer (SSL) cryptographic library and tools Details: Guido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS as other releases were fixed in a previous security update. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7055) It was discovered that OpenSSL did not properly use constant-time operations when performing ECDSA P-256 signing. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-7056) Shi Lei discovered that OpenSSL incorrectly handled certain warning alerts. A remote attacker could possibly use this issue to cause OpenSSL to stop responding, resulting in a denial of service. (CVE-2016-8610) Robert =C5=9Awi=C4=99cki discovered that OpenSSL incorrectly handled certain truncated packets. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2017-3732) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.10: libssl1.0.0 1.0.2g-1ubuntu9.1 Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.6 Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.22 Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.39 After a standard system update you need to reboot your computer to make all the necessary changes

Trust: 2.34

sources: NVD: CVE-2017-3732 // JVNDB: JVNDB-2017-003156 // VULMON: CVE-2017-3732 // PACKETSTORM: 169650 // PACKETSTORM: 169655 // PACKETSTORM: 141025 // PACKETSTORM: 149403 // PACKETSTORM: 148524 // PACKETSTORM: 141255 // PACKETSTORM: 140850

AFFECTED PRODUCTS

vendor:nodejsmodel:node.jsscope:gteversion:6.9.0

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2f

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:4.7.3

Trust: 1.0

vendor:nodejsmodel:node.jsscope:lteversion:6.8.1

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2c

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2b

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2d

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2e

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2h

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:5.0.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:7.5.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:4.0.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:7.0.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:6.0.0

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0a

Trust: 1.0

vendor:nodejsmodel:node.jsscope:lteversion:4.1.2

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0c

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.1.0b

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2a

Trust: 1.0

vendor:opensslmodel:opensslscope:eqversion:1.0.2i

Trust: 1.0

vendor:nodejsmodel:node.jsscope:gteversion:4.2.0

Trust: 1.0

vendor:nodejsmodel:node.jsscope:ltversion:6.9.5

Trust: 1.0

vendor:nodejsmodel:node.jsscope:lteversion:5.12.0

Trust: 1.0

vendor:hitachimodel:jp1/automatic job management system 3scope:eqversion:- manager web console

Trust: 0.8

vendor:hitachimodel:jp1/integrated managementscope:eqversion:- service support starter edition

Trust: 0.8

vendor:opensslmodel:opensslscope:eqversion:1.1.0d

Trust: 0.8

vendor:hitachimodel:jp1/it desktop managementscope:eqversion:2 - operations director

Trust: 0.8

vendor:hitachimodel:ucosminexus application serverscope:eqversion:(64)

Trust: 0.8

vendor:opensslmodel:opensslscope:ltversion:1.1.0

Trust: 0.8

vendor:necmodel:systemdirector enterprisescope: - version: -

Trust: 0.8

vendor:necmodel:enterprisedirectoryserverscope:eqversion:all versions

Trust: 0.8

vendor:hitachimodel:job management partner 1/integrated managementscope:eqversion:- service support

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:foundation

Trust: 0.8

vendor:hitachimodel:job management partner 1/it desktop managementscope:eqversion:2 - smart device manager

Trust: 0.8

vendor:hitachimodel:jp1/performance managementscope:eqversion:- web console

Trust: 0.8

vendor:necmodel:express5800scope:eqversion:/sg all versions

Trust: 0.8

vendor:necmodel:webotx enterprise service busscope: - version: -

Trust: 0.8

vendor:opensslmodel:opensslscope:eqversion:1.0.2k

Trust: 0.8

vendor:hitachimodel:ucosminexus service platformscope:eqversion:(64)

Trust: 0.8

vendor:hitachimodel:jp1/performance managementscope:eqversion:- manager

Trust: 0.8

vendor:hitachimodel:jp1/it desktop management - managerscope: - version: -

Trust: 0.8

vendor:hitachimodel:jp1/automatic operationscope: - version: -

Trust: 0.8

vendor:hitachimodel:job management partner 1/performance management - web consolescope: - version: -

Trust: 0.8

vendor:hitachimodel:job management partner 1/it desktop managementscope:eqversion:2 - manager

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:st ard

Trust: 0.8

vendor:hitachimodel:ucosminexus application serverscope:eqversion:none

Trust: 0.8

vendor:hitachimodel:jp1/it desktop managementscope:eqversion:2 - smart device manager

Trust: 0.8

vendor:hitachimodel:jp1/integrated managementscope:eqversion:- service support

Trust: 0.8

vendor:hitachimodel:ucosminexus primary serverscope:eqversion:base

Trust: 0.8

vendor:hitachimodel:ucosminexus primary serverscope:eqversion:base(64)

Trust: 0.8

vendor:hitachimodel:job management partner 1/integrated managementscope:eqversion:- service support advanced edition

Trust: 0.8

vendor:hitachimodel:ucosminexus service platformscope:eqversion:none

Trust: 0.8

vendor:hitachimodel:it operations directorscope: - version: -

Trust: 0.8

vendor:hitachimodel:jp1/service supportscope:eqversion:none

Trust: 0.8

vendor:hitachimodel:jp1/operations analyticsscope: - version: -

Trust: 0.8

vendor:hitachimodel:jp1/service supportscope:eqversion:starter edition

Trust: 0.8

vendor:hitachimodel:cosminexus http serverscope: - version: -

Trust: 0.8

vendor:hitachimodel:ucosminexus application serverscope:eqversion:-r

Trust: 0.8

vendor:hitachimodel:jp1/it desktop managementscope:eqversion:2 - manager

Trust: 0.8

vendor:hitachimodel:job management partner 1/it desktop management - managerscope: - version: -

Trust: 0.8

vendor:hitachimodel:ucosminexus service architectscope: - version: -

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:express

Trust: 0.8

vendor:necmodel:esmpro/serveragentservicescope:eqversion:all versions (linux edition )

Trust: 0.8

vendor:hitachimodel:jp1/performance managementscope:eqversion:- manager web console

Trust: 0.8

vendor:opensslmodel:opensslscope:ltversion:1.0.2

Trust: 0.8

vendor:necmodel:webotx portalscope: - version: -

Trust: 0.8

vendor:hitachimodel:ucosminexus developerscope: - version: -

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:enterprise

Trust: 0.8

vendor:hitachimodel:jp1/integrated managementscope:eqversion:- service support advanced edition

Trust: 0.8

sources: JVNDB: JVNDB-2017-003156 // NVD: CVE-2017-3732

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3732
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-3732
value: MEDIUM

Trust: 0.8

VULMON: CVE-2017-3732
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-3732
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2017-3732
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2017-3732
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2017-3732 // JVNDB: JVNDB-2017-003156 // NVD: CVE-2017-3732

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2017-003156 // NVD: CVE-2017-3732

THREAT TYPE

remote

Trust: 0.2

sources: PACKETSTORM: 148524 // PACKETSTORM: 140850

TYPE

sql injection

Trust: 0.1

sources: PACKETSTORM: 148524

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-003156

PATCH
title:hitachi-sec-2018-103url:http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-103/index.html
Trust: 0.8
title:hitachi-sec-2017-115url:http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-115/index.html
Trust: 0.8
title:NV17-011url:http://jpn.nec.com/security-info/secinfo/nv17-011.html
Trust: 0.8
title:BN_mod_exp may produce incorrect results on x86_64url:https://www.openssl.org/news/secadv/20170126.txt
Trust: 0.8
title:hitachi-sec-2018-103url:http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2018-103/index.html
Trust: 0.8
title:hitachi-sec-2017-115url:http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2017-115/index.html
Trust: 0.8
title:The Registerurl:https://www.theregister.co.uk/2017/01/31/openssl_patches/
Trust: 0.2
title:Red Hat: Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29  RHEL 7 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182185 - Security Advisory
Trust: 0.1
title:Red Hat: Important: java-1.8.0-ibm security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182575 - Security Advisory
Trust: 0.1
title:Red Hat: Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 6 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182186 - Security Advisory
Trust: 0.1
title:Red Hat: Moderate: java-1.8.0-ibm security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182713 - Security Advisory
Trust: 0.1
title:Red Hat: Important: java-1.8.0-ibm security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182568 - Security Advisory
Trust: 0.1
title:Red Hat: Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182187 - Security Advisory
Trust: 0.1
title:Red Hat: CVE-2017-3732url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2017-3732
Trust: 0.1
title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2017-3732
Trust: 0.1
title:IBM: Security Bulletin: OpenSSL vulnerabilites impacting IBM Aspera Connect 3.7.4 and earlier (CVE-2017-3732, CVE-2016-7055)url:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=030cb7ac9266aec85453c1d2339fbc00
Trust: 0.1
title:Ubuntu Security Notice: openssl vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3181-1
Trust: 0.1
title:Arch Linux Advisories: [ASA-201701-37] openssl: multiple issuesurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201701-37
Trust: 0.1
title:Huawei Security Advisories: Security Advisory - Three OpenSSL Vulnerabilities in Huawei Productsurl:https://vulmon.com/vendoradvisory?qidtp=huawei_security_advisories&qid=1181e052a6a83786d4182d45ddb56d5d
Trust: 0.1
title:Symantec Security Advisories: SA141 : OpenSSL Vulnerabilities 26-Jan-2017url:https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories&qid=117bc0d26e74d755d85acf15af842eaf
Trust: 0.1
title:Arch Linux Advisories: [ASA-201701-36] lib32-openssl: multiple issuesurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201701-36
Trust: 0.1
title:IBM: IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Operations Center and Client Management Service (CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1656, CVE-2018-12539)url:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=3d9ab13c871ea2142681c7977b25c5ff
Trust: 0.1
title:IBM: IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2018 – Includes Oracle Jul 2018 CPU affects DB2 Recovery Expert for Linux, Unix and Windowsurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=af4ddb95056d65a4af347aec0f652f0e
Trust: 0.1
title:Cisco: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017url:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20170130-openssl
Trust: 0.1
title:IBM: IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Planningurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=62ef85c9034c17315b7d0a712483c5ea
Trust: 0.1
title:IBM: IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Reporting for Development Intelligenceurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=03b0267d78cd8ac1bbb43afc737474f0
Trust: 0.1
title:IBM: IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Serverurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=63bbfc68418161b36080acd59a541d45
Trust: 0.1
title:IBM: IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Privileged Identity Managerurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=42a34f9348fc5f34065c6d25764eb2a2
Trust: 0.1
title:Debian CVElist Bug Report Logs: Security fixes from the July 2017 CPUurl:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=adc1e0c986afd5f2f3b0797ba936d072
Trust: 0.1
title:IBM: IBM Security Bulletin: IBM Cognos Controller 2019Q2 Security Updater: Multiple vulnerabilities have been identified in IBM Cognos Controllerurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=38227211accce022b0a3d9b56a974186
Trust: 0.1
title:Forcepoint Security Advisories: CVE-2017-3730, -3731, -3732 OpenSSL Vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=forcepoint_security_advisories&qid=16a227df38f44014c9520f3b6cb5344e
Trust: 0.1
title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - January 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=a2bac27fb002bed513645d4775c7275b
Trust: 0.1
title:Tenable Security Advisories: [R5] SecurityCenter 5.4.3 Fixes Multiple Vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories&qid=TNS-2017-04
Trust: 0.1
title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - April 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=a31bff03e9909229fd67996884614fdf
Trust: 0.1
title:Oracle: Oracle Critical Patch Update Advisory - July 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=2f446a7e1ea263c0c3a365776c6713f2
Trust: 0.1
title:Oracle: Oracle Critical Patch Update Advisory - July 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=5f8c525f1408011628af1792207b2099
Trust: 0.1
title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - July 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=586e6062440cdd312211d748e028164e
Trust: 0.1
title:IBM: IBM Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=dd8c9d5928cc3b1ac8c35b4b24703e38
Trust: 0.1
title:Oracle: Oracle Critical Patch Update Advisory - April 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=143b3fb255063c81571469eaa3cf0a87
Trust: 0.1
title:Oracle: Oracle Critical Patch Update Advisory - October 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=523d3f220a64ff01dd95e064bd37566a
Trust: 0.1
title:Oracle: Oracle Critical Patch Update Advisory - January 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=e2a7f287e9acc8c64ab3df71130bc64d
Trust: 0.1
title:IBM: Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics for NPSurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=c36fc403a4c2c6439b732d2fca738f58
Trust: 0.1
title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - January 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=525e4e31765e47b9e53b24e880af9d6e
Trust: 0.1
title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - October 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=6283337cd31f81f24d445925f2138c0e
Trust: 0.1
sources:
            
            
            VULMON: CVE-2017-3732 // 
            
            
            
            JVNDB: JVNDB-2017-003156

EXTERNAL IDS
db:NVDid:CVE-2017-3732
Trust: 2.6
db:SECTRACKid:1037717
Trust: 1.1
db:BIDid:95814
Trust: 1.1
db:TENABLEid:TNS-2017-04
Trust: 1.1
db:JVNid:JVNVU92830136
Trust: 0.8
db:JVNDBid:JVNDB-2017-003156
Trust: 0.8
db:VULMONid:CVE-2017-3732
Trust: 0.1
db:PACKETSTORMid:169650
Trust: 0.1
db:PACKETSTORMid:169655
Trust: 0.1
db:PACKETSTORMid:141025
Trust: 0.1
db:PACKETSTORMid:149403
Trust: 0.1
db:PACKETSTORMid:148524
Trust: 0.1
db:PACKETSTORMid:141255
Trust: 0.1
db:PACKETSTORMid:140850
Trust: 0.1
sources:
            
            
            VULMON: CVE-2017-3732 // 
            
            
            
            PACKETSTORM: 169650 // 
            
            
            
            PACKETSTORM: 169655 // 
            
            
            
            PACKETSTORM: 141025 // 
            
            
            
            PACKETSTORM: 149403 // 
            
            
            
            PACKETSTORM: 148524 // 
            
            
            
            PACKETSTORM: 141255 // 
            
            
            
            PACKETSTORM: 140850 // 
            
            
            
            JVNDB: JVNDB-2017-003156 // 
            
            
            
            NVD: CVE-2017-3732

REFERENCES
url:https://nvd.nist.gov/vuln/detail/cve-2017-3732
Trust: 1.5
url:https://www.openssl.org/news/secadv/20170126.txt
Trust: 1.3
url:https://access.redhat.com/errata/rhsa-2018:2185
Trust: 1.2
url:https://access.redhat.com/errata/rhsa-2018:2713
Trust: 1.2
url:http://www.securityfocus.com/bid/95814
Trust: 1.1
url:https://security.gentoo.org/glsa/201702-07
Trust: 1.1
url:http://www.securitytracker.com/id/1037717
Trust: 1.1
url:http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Trust: 1.1
url:http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Trust: 1.1
url:https://www.tenable.com/security/tns-2017-04
Trust: 1.1
url:https://security.freebsd.org/advisories/freebsd-sa-17:02.openssl.asc
Trust: 1.1
url:http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Trust: 1.1
url:https://github.com/openssl/openssl/commit/a59b90bf491410f1f2bc4540cc21f1980fd14c5b
Trust: 1.1
url:https://access.redhat.com/errata/rhsa-2018:2187
Trust: 1.1
url:https://access.redhat.com/errata/rhsa-2018:2186
Trust: 1.1
url:https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03838en_us
Trust: 1.1
url:https://access.redhat.com/errata/rhsa-2018:2568
Trust: 1.1
url:https://access.redhat.com/errata/rhsa-2018:2575
Trust: 1.1
url:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3732
Trust: 0.9
url:https://jvn.jp/vu/jvnvu92830136/
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2016-7055
Trust: 0.5
url:https://nvd.nist.gov/vuln/detail/cve-2017-3731
Trust: 0.5
url:https://nvd.nist.gov/vuln/detail/cve-2017-3736
Trust: 0.3
url:https://www.openssl.org/policies/secpolicy.html
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2015-3193
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-3738
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2017-3737
Trust: 0.2
url:https://access.redhat.com/articles/11258
Trust: 0.2
url:https://access.redhat.com/security/team/contact/
Trust: 0.2
url:https://www.redhat.com/mailman/listinfo/rhsa-announce
Trust: 0.2
url:https://access.redhat.com/security/cve/cve-2017-3732
Trust: 0.2
url:https://bugzilla.redhat.com/):
Trust: 0.2
url:https://access.redhat.com/security/updates/classification/#moderate
Trust: 0.2
url:https://access.redhat.com/security/cve/cve-2017-3736
Trust: 0.2
url:https://access.redhat.com/security/team/key/
Trust: 0.2
url:https://cwe.mitre.org/data/definitions/200.html
Trust: 0.1
url:https://tools.cisco.com/security/center/viewalert.x?alertid=52438
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://usn.ubuntu.com/3181-1/
Trust: 0.1
url:https://www.openssl.org/news/secadv/20161110.txt
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-3730
Trust: 0.1
url:https://www.openssl.org/news/secadv/20171207.txt
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-0701
Trust: 0.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-7055
Trust: 0.1
url:http://slackware.com
Trust: 0.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3731
Trust: 0.1
url:http://osuosl.org)
Trust: 0.1
url:http://slackware.com/gpg-key
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-2940
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2018-2952
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2018-12539
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-0705
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2016-0705
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2018-2973
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2018-1656
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2018-2940
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2018-1517
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-1517
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-2952
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-1656
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-2973
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-12539
Trust: 0.1
url:https://issues.jboss.org/):
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-2182
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-6302
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2017-3731
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2017-3737
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2016-6306
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2017-3738
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-6306
Trust: 0.1
url:https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.29/
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2016-2182
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2016-7055
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2016-6302
Trust: 0.1
url:https://www.freebsd.org/handbook/makeworld.html>.
Trust: 0.1
url:https://security.freebsd.org/>.
Trust: 0.1
url:https://www.openssl.org/news/secadv/20170126.txt>
Trust: 0.1
url:https://security.freebsd.org/patches/sa-17:02/openssl-11.patch.asc
Trust: 0.1
url:https://security.freebsd.org/advisories/freebsd-sa-17:02.openssl.asc>
Trust: 0.1
url:https://security.freebsd.org/patches/sa-17:02/openssl-11.patch
Trust: 0.1
url:https://security.freebsd.org/patches/sa-17:02/openssl-10.patch
Trust: 0.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3732>
Trust: 0.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3731>
Trust: 0.1
url:https://security.freebsd.org/patches/sa-17:02/openssl-10.patch.asc
Trust: 0.1
url:https://svnweb.freebsd.org/base?view=revision&revision=nnnnnn>
Trust: 0.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-7055>
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.6
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu9.1
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.22
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-2177
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-8610
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.39
Trust: 0.1
url:http://www.ubuntu.com/usn/usn-3181-1
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-7056
Trust: 0.1
sources:
            
            
            VULMON: CVE-2017-3732 // 
            
            
            
            PACKETSTORM: 169650 // 
            
            
            
            PACKETSTORM: 169655 // 
            
            
            
            PACKETSTORM: 141025 // 
            
            
            
            PACKETSTORM: 149403 // 
            
            
            
            PACKETSTORM: 148524 // 
            
            
            
            PACKETSTORM: 141255 // 
            
            
            
            PACKETSTORM: 140850 // 
            
            
            
            JVNDB: JVNDB-2017-003156 // 
            
            
            
            NVD: CVE-2017-3732

CREDITS
Red Hat
Trust: 0.2
sources:
            
            
            PACKETSTORM: 149403 // 
            
            
            
            PACKETSTORM: 148524

SOURCES
db:VULMONid:CVE-2017-3732
db:PACKETSTORMid:169650
db:PACKETSTORMid:169655
db:PACKETSTORMid:141025
db:PACKETSTORMid:149403
db:PACKETSTORMid:148524
db:PACKETSTORMid:141255
db:PACKETSTORMid:140850
db:JVNDBid:JVNDB-2017-003156
db:NVDid:CVE-2017-3732

LAST UPDATE DATE
2025-09-25T22:20:26.721000+00:00

SOURCES UPDATE DATE
db:VULMONid:CVE-2017-3732date:2022-08-29T00:00:00
db:JVNDBid:JVNDB-2017-003156date:2018-02-07T00:00:00
db:NVDid:CVE-2017-3732date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:VULMONid:CVE-2017-3732date:2017-05-04T00:00:00
db:PACKETSTORMid:169650date:2017-01-26T12:12:12
db:PACKETSTORMid:169655date:2017-12-07T12:12:12
db:PACKETSTORMid:141025date:2017-02-13T16:38:20
db:PACKETSTORMid:149403date:2018-09-18T02:18:55
db:PACKETSTORMid:148524date:2018-07-12T21:48:49
db:PACKETSTORMid:141255date:2017-02-23T17:14:20
db:PACKETSTORMid:140850date:2017-02-01T00:36:45
db:JVNDBid:JVNDB-2017-003156date:2017-05-18T00:00:00
db:NVDid:CVE-2017-3732date:2017-05-04T19:29:00.400