CVE-2017-3733

Description

During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.

How to fix CVE-2017-3733

To remediate CVE-2017-3733, upgrade the affected package to a fixed version below.

Debian/openssl—upgrade to 1.1.0e-1 or later

Is CVE-2017-3733 being exploited?

Low — EPSS is 3.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.1.0e-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-3733