CVE-2017-3732

Description

There is a carry-propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example, this can occur by default in OpenSSL DHE-based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.

Risk Information

Base Score: 5.9 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability: 7.535

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2017-3732,CVE-2017-3731,CVE-2016-7055 are fixed in OpenSSL (x64) 1.0.2k | Windows
Vulnerabilities CVE-2017-3732,CVE-2017-3731,CVE-2017-3730 are fixed in OpenSSL (x64) 1.1.0d | Windows
Multiple vulnerabilities affected in Mysql 5.6.21 | Windows
Multiple vulnerabilities affected in Mysql 5.6.22 | Windows
Multiple vulnerabilities affected in Mysql 5.6.23 | Windows
Multiple vulnerabilities affected in Mysql 5.6.24 | Windows
Multiple vulnerabilities affected in Mysql 5.6.25 | Windows
Multiple vulnerabilities affected in Mysql 5.6.26 | Windows
Multiple vulnerabilities affected in Mysql 5.6.35 | Windows
Multiple vulnerabilities affected in Mysql 5.6.9 | Windows
Multiple vulnerabilities are fixed in IBM HTTP 9.0.0.5 | Windows
Multiple vulnerabilities are fixed in IBM HTTP 9.0.0.8 | Windows
Multiple vulnerabilities are fixed in IBM HTTP 8.5.5.14 | Windows
Multiple vulnerabilities are fixed in IBM HTTP 7.0.0.45 | Windows
Multiple vulnerabilities are fixed in IBM WebSphere 8.5.5.15 | Windows
Multiple vulnerabilities are fixed in IBM WebSphere 9.0.0.9 | Windows
Multiple vulnerabilities are affected in Mysql earlier | Windows
Multiple Vulnerabilities are affected in IBM TXSeries for Multiplatforms 8.1 | Windows
Multiple Vulnerabilities are affected in IBM TXSeries for Multiplatforms 9.1 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.0.12.0 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 5.2 | Windows
Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.0 | Windows
Multiple vulnerabilities are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 8.3 | Windows
Multiple vulnerabilities are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 8.4 | Windows
Multiple vulnerabilities are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 15.1 | Windows
Multiple vulnerabilities are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 15.2 | Windows
Multiple vulnerabilities are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 16.1 | Windows
Multiple vulnerabilities are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 16.2 | Windows
Multiple Vulnerabilities are affected in IBM Tivoli Monitoring 6.2.3 | Windows
Multiple Vulnerabilities are affected in IBM Tivoli Monitoring 6.3.0 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.2.0 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.2.1 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.3.0 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.3.1 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.0 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.5 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.6 | Windows
Multiple Vulnerabilities are affected in IBM TXSeries for Multiplatforms 7.1 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.7 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.8 | Windows
Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.1 | Windows
Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.2 | Windows
Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.3 | Windows
Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.4 | Windows
Multiple Vulnerabilities are affected in IBM MQ 9.0.4 | Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.9 | Windows
Multiple Vulnerabilities are affected in IBM Personal Communications 12.0 | Windows
Multiple Vulnerabilities are affected in IBM TXSeries for Multiplatforms 8.2 | Windows
(RHSA-2018:2568) java-1.8.0-ibm security update java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el7.x86_64.rpm | Linux
(RHSA-2018:2568) java-1.8.0-ibm security update java-1.8.0-ibm-demo-1.8.0.5.20-1jpp.1.el7.x86_64.rpm | Linux
(RHSA-2018:2568) java-1.8.0-ibm security update java-1.8.0-ibm-devel-1.8.0.5.20-1jpp.1.el7.x86_64.rpm | Linux
(RHSA-2018:2568) java-1.8.0-ibm security update java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el7.x86_64.rpm | Linux
(RHSA-2018:2568) java-1.8.0-ibm security update java-1.8.0-ibm-plugin-1.8.0.5.20-1jpp.1.el7.x86_64.rpm | Linux
(RHSA-2018:2568) java-1.8.0-ibm security update java-1.8.0-ibm-src-1.8.0.5.20-1jpp.1.el7.x86_64.rpm | Linux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el6_10.i686.rpm | Linux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm | Linux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-demo-1.8.0.5.20-1jpp.1.el6_10.i686.rpm | Linux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-demo-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm | Linux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-devel-1.8.0.5.20-1jpp.1.el6_10.i686.rpm | Linux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-devel-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm | Linux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.i686.rpm | Linux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm | Linux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-plugin-1.8.0.5.20-1jpp.1.el6_10.i686.rpm | Linux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-plugin-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm | Linux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-src-1.8.0.5.20-1jpp.1.el6_10.i686.rpm | Linux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-src-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm | Linux
SUSE-SU-2018:2839-1(SUSE Linux Enterprise Server 12-SP3 ) java-1_8_0-ibm-1.8.0_sr5.20-30.36.1.x86_64.rpm | Linux
SUSE-SU-2018:2839-1(SUSE Linux Enterprise Server 12-SP3 ) java-1_8_0-ibm-alsa-1.8.0_sr5.20-30.36.1.x86_64.rpm | Linux
SUSE-SU-2018:2839-1(SUSE Linux Enterprise Server 12-SP3 ) java-1_8_0-ibm-plugin-1.8.0_sr5.20-30.36.1.x86_64.rpm | Linux
Multiple vulnerabilities affected in Mysql 5.6.21 (For Linux) | Linux
Multiple vulnerabilities affected in Mysql 5.6.22 (For Linux) | Linux
Multiple vulnerabilities affected in Mysql 5.6.23 (For Linux) | Linux
Multiple vulnerabilities affected in Mysql 5.6.24 (For Linux) | Linux
Multiple vulnerabilities affected in Mysql 5.6.25 (For Linux) | Linux
Multiple vulnerabilities affected in Mysql 5.6.26 (For Linux) | Linux
Multiple vulnerabilities affected in Mysql 5.6.35 (For Linux) | Linux
Multiple vulnerabilities affected in Mysql 5.6.9 (For Linux) | Linux
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Application Policy Infrastructure Controller (APIC) | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Emergency Responder | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Finesse | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Jabber for Windows | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Jabber Guest | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Jabber Software Development Kit | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco MediaSense | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Prime Infrastructure | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Prime Optical | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Prime Performance Manager | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco UCS Director | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Unified Contact Center Express | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Unified Intelligence Center | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Unity Connection | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco ASR 5000 Series | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Firepower Management Center Virtual Appliance | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco IronPort Security Management Appliance Software | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Data Center Network Manager | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For CiscoPro Workgroup EtherSwitch Software | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Unified Computing System | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Network Registrar | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Access Registrar | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Wireless Network Management Software Suite | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Prime Network Analysis Module Software | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Virtual Wireless Controller | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Network Convergence System 540 Series Routers | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Digital Media Manager | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Unified Communications Licensing | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Telepresence Integrator C Series | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco TelePresence Video Communication Server Software | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Video Surveillance Manager | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Identity Services Engine | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco WAN Automation Engine (WAE) | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco 1000 Series Connected Grid Routers | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Unified Attendant Consoles | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Hosted Collaboration Solution (HCS) | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Prime Collaboration | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco Unified Communications Manager (CallManager) | NCM
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017 For Cisco SIP IP Phone Software | NCM
Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-3732) | NCM

Patch Details

Patches provided by ManageEngine for this CVE
Patch ID | Patch Description
PATCH-1706006 | Security Update for Cisco Application Policy Infrastructure Controller (APIC) 1.3(2k)
PATCH-1706049 | Security Update for Cisco Emergency Responder 12.0(0.98000.50)
PATCH-1705887 | Security Update for Cisco Finesse 11.5(0.98000.126)
PATCH-1705811 | Security Update for Cisco Jabber for Windows 11.6(1.38147)
PATCH-1705783 | Security Update for Cisco Jabber Guest 10.6(11)
PATCH-1706051 | Security Update for Cisco Jabber Software Development Kit 11.8(2)
PATCH-1705879 | Security Update for Cisco MediaSense 11.5(1.10000.6)
PATCH-1705595 | Security Update for Cisco Prime Infrastructure 2.2(2)
PATCH-1706040 | Security Update for Cisco Prime Optical 10.6(1)
PATCH-1706037 | Security Update for Cisco Prime Performance Manager 1.7(0.1703)
PATCH-1705947 | Security Update for Cisco UCS Director 6.0(1.0)
PATCH-1706052 | Security Update for Cisco Unified Contact Center Express 11.6(1)
PATCH-1705886 | Security Update for Cisco Unified Intelligence Center 11.5(0.98000.126)
PATCH-1706048 | Security Update for Cisco Unity Connection 12.0(0.97000.184)
PATCH-1706032 | Security Update for Cisco ASR 5000 Series 21.3.A0.66703
PATCH-1705938 | Security Update for Cisco Firepower Management Center Virtual Appliance 6.1.0.1
PATCH-1706033 | Security Update for Cisco IronPort Security Management Appliance Software 11.0.1-152
PATCH-1706034 | Security Update for Cisco Data Center Network Manager 10.1(1.158)S0
PATCH-1706035 | Security Update for CiscoPro Workgroup EtherSwitch Software 6.0(2)A8(4)
PATCH-1706036 | Security Update for Cisco Unified Computing System 3.2(1d)
PATCH-1706038 | Security Update for Cisco Network Registrar 9.1
PATCH-1706039 | Security Update for Cisco Access Registrar 8.0
PATCH-1705952 | Security Update for Cisco Wireless Network Management Software Suite 8.0(150)
PATCH-1706008 | Security Update for Cisco Prime Network Analysis Module Software 6.2(3)
PATCH-1705937 | Security Update for Cisco Virtual Wireless Controller 8.3(15.155)
PATCH-1706041 | Security Update for Cisco Network Convergence System 540 Series Routers 6.4.1.8i.BASE
PATCH-1705797 | Security Update for Cisco Digital Media Manager 5.6.3
PATCH-1706042 | Security Update for Cisco Unified Communications Licensing 11.5(1.12001.2)
PATCH-1706043 | Security Update for Cisco Telepresence Integrator C Series 9.1.1
PATCH-1706044 | Security Update for Cisco TelePresence Video Communication Server Software X8.9.2
PATCH-1706045 | Security Update for Cisco Video Surveillance Manager 7.10
PATCH-1706002 | Security Update for Cisco Identity Services Engine 2.0(0.905)
PATCH-1706046 | Security Update for Cisco WAN Automation Engine (WAE) v6.4.6dev-43-g887096e25e6
PATCH-1706026 | Security Update for CAF-1.2.0.0
PATCH-1705873 | Security Update for Cisco 1000 Series Connected Grid Routers 15.6(3.0q)M
PATCH-1706047 | Security Update for Cisco Unified Attendant Consoles 11.0(2)
PATCH-1706050 | Security Update for Cisco Hosted Collaboration Solution (HCS) 11.5(1.93540.24)
PATCH-1705997 | Security Update for Cisco Prime Collaboration 11.0(0.815)
PATCH-1706016 | Security Update for Cisco Unified Communications Manager (CallManager) CUP.11.5(1.12900.25)
PATCH-1705918 | Security Update for Cisco SIP IP Phone Software 11.7(1)MN19
