Vulnerability Details : CVE-2017-3730
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.
Vulnerability category: Denial of service
Products affected by CVE-2017-3730
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_engineering_data_management:6.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_engineering_data_management:6.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_application_session_controller:3.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_application_session_controller:3.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_eagle_lnp_application_processor:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_eagle_lnp_application_processor:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_eagle_lnp_application_processor:10.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_world_security:a9.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_world_security:a9.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_world_security:a9.3:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.1.0a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.1.0b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.1.0c:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-3730
95.42%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-3730
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2017-3730
-
The product dereferences a pointer that it expects to be valid but is NULL.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-3730
-
http://www.securitytracker.com/id/1037717
OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information - SecurityTrackerThird Party Advisory;VDB Entry
-
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Oracle Critical Patch Update - January 2018Patch
-
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03838en_us
HPESBHF03838 rev.1 - HPE iMC and Comware 7-based Switches and Routers using OpenSSL, Multiple Remote VulnerabilitiesThird Party Advisory
-
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Oracle Critical Patch Update - October 2017Patch
-
https://www.exploit-db.com/exploits/41192/
OpenSSL 1.1.0 - Remote Client Denial of ServiceExploit;Third Party Advisory;VDB Entry
-
http://www.securityfocus.com/bid/95812
OpenSSL CVE-2017-3730 NULL Pointer Dereference Denial of Service VulnerabilityBroken Link;Third Party Advisory;VDB Entry
-
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Oracle Critical Patch Update - April 2019Patch
-
https://security.gentoo.org/glsa/201702-07
OpenSSL: Multiple vulnerabilities (GLSA 201702-07) — Gentoo securityThird Party Advisory
-
https://github.com/openssl/openssl/commit/efbe126e3ebb9123ac9d058aa2bb044261342aaa
Fix missing NULL checks in CKE processing · openssl/openssl@efbe126 · GitHubPatch;Third Party Advisory
-
https://www.openssl.org/news/secadv/20170126.txt
Patch;Vendor Advisory
Jump to