Vulnerability details: VCID-w3xz-a1z2-aaaf
Vulnerability ID VCID-w3xz-a1z2-aaaf
Aliases CVE-2017-3731
VC-OPENSSL-20170126-CVE-2017-3731
Summary If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For OpenSSL 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.
Status Published
Exploitability 0.5
Weighted Severity 7.0
Risk 3.5
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-3731.html
rhas Moderate https://access.redhat.com/errata/RHSA-2017:0286
rhas Moderate https://access.redhat.com/errata/RHSA-2018:2185
rhas Moderate https://access.redhat.com/errata/RHSA-2018:2186
rhas Moderate https://access.redhat.com/errata/RHSA-2018:2187
cvssv3 5.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-3731.json
epss 0.04552 https://api.first.org/data/v1/epss?cve=CVE-2017-3731
epss 0.05568 https://api.first.org/data/v1/epss?cve=CVE-2017-3731
epss 0.14905 https://api.first.org/data/v1/epss?cve=CVE-2017-3731
epss 0.17642 https://api.first.org/data/v1/epss?cve=CVE-2017-3731
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1416852
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7056
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731
cvssv2 4.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2017-3731
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2017-3731
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2017-3731
archlinux Medium https://security.archlinux.org/AVG-154
archlinux Medium https://security.archlinux.org/AVG-155
generic_textual Medium https://source.android.com/security/bulletin/pixel/2017-11-01
generic_textual Medium https://ubuntu.com/security/notices/USN-3181-1
generic_textual Moderate https://www.openssl.org/news/secadv/20170126.txt
cvssv3.1 9.8 https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
generic_textual LOW https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
cvssv3.1 7.5 http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
generic_textual HIGH http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
cvssv3.1 9.8 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
generic_textual CRITICAL http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
cvssv3.1 7.5 http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
generic_textual HIGH http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-3731.html
http://rhn.redhat.com/errata/RHSA-2017-0286.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-3731.json
https://api.first.org/data/v1/epss?cve=CVE-2017-3731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/openssl/openssl/commit/00d965474b22b54e4275232bc71ee0c699c5cd21
https://github.com/openssl/openssl/commit/51d009043670a627d6abe66894126851cf3690e9
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc
https://security.gentoo.org/glsa/201702-07
https://security.netapp.com/advisory/ntap-20171019-0002/
https://security.paloaltonetworks.com/CVE-2017-3731
https://source.android.com/security/bulletin/pixel/2017-11-01
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03838en_us
https://ubuntu.com/security/notices/USN-3181-1
https://www.openssl.org/news/secadv/20170126.txt
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.tenable.com/security/tns-2017-04
http://www.debian.org/security/2017/dsa-3773
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securityfocus.com/bid/95813
http://www.securitytracker.com/id/1037717
1416852 https://bugzilla.redhat.com/show_bug.cgi?id=1416852
ASA-201701-36 https://security.archlinux.org/ASA-201701-36
ASA-201701-37 https://security.archlinux.org/ASA-201701-37
AVG-154 https://security.archlinux.org/AVG-154
AVG-155 https://security.archlinux.org/AVG-155
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2i:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2j:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0a:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.1.0a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0b:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.1.0b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0c:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.1.0c:*:*:*:*:*:*:*
CVE-2017-3731 https://nvd.nist.gov/vuln/detail/CVE-2017-3731
RHSA-2017:0286 https://access.redhat.com/errata/RHSA-2017:0286
RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185
RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186
RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187
USN-3181-1 https://usn.ubuntu.com/3181-1/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-3731.json
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2017-3731
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2017-3731
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.92716
EPSS Score 0.04552
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.