Home

CVE-2017-3736

Description

There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.

Risk Information

Base Score
6.5
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
6.716

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2017-3736,CVE-2017-3735 are fixed in OpenSSL (x64) 1.0.2mWindows
Vulnerabilities CVE-2017-3736,CVE-2017-3735 are fixed in OpenSSL (x64) 1.1.0gWindows
Vulnerabilities CVE-2017-3736 are fixed in Updates for Oracle VM VirtualBox (5.2.4)Windows
Multiple vulnerabilities are fixed in IBM HTTP 9.0.0.5Windows
Multiple vulnerabilities are fixed in IBM HTTP 9.0.0.8Windows
Multiple vulnerabilities are fixed in IBM HTTP 8.5.5.14Windows
Multiple vulnerabilities are fixed in IBM HTTP 7.0.0.45Windows
Multiple vulnerabilities are fixed in IBM WebSphere 8.5.5.15Windows
Multiple vulnerabilities are fixed in IBM WebSphere 9.0.0.9Windows
Vulnerabilities CVE-2017-3735,CVE-2017-3736 are fixed in Nessus 6.11.3Windows
Vulnerabilities CVE-2017-3735,CVE-2017-3736 are fixed in Tenable Nessus 6.11.3Windows
Multiple Vulnerabilities are affected in IBM TXSeries for Multiplatforms 8.1Windows
Multiple Vulnerabilities are affected in IBM TXSeries for Multiplatforms 9.1Windows
Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.0Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.54Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.55Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.56Windows
Multiple Vulnerabilities are affected in IBM Tivoli Monitoring 6.2.3Windows
Multiple Vulnerabilities are affected in IBM Tivoli Monitoring 6.3.0Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.2.0Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.2.1Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.3.0Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.3.1Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.0Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 5.2.6.3Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.0Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.5Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.6Windows
Multiple Vulnerabilities are affected in IBM TXSeries for Multiplatforms 7.1Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.7Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.8Windows
Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.1Windows
Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.2Windows
Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.3Windows
Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.4Windows
Multiple Vulnerabilities are affected in IBM MQ 9.0.4Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.9Windows
Multiple Vulnerabilities are affected in IBM Personal Communications 12.0Windows
Multiple Vulnerabilities are affected in IBM TXSeries for Multiplatforms 8.2Windows
Secure Socket Layer (SSL) cryptographic library and tools (USN-3475-1) libssl1.0.0_1.0.2g-1ubuntu4.9_i386.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-3475-1) libssl1.0.0_1.0.2g-1ubuntu4.9_amd64.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-3475-1) libssl1.0.0_1.0.1f-1ubuntu2.23_i386.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-3475-1) libssl1.0.0_1.0.1f-1ubuntu2.23_amd64.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-3475-1) libssl1.0.0_1.0.2g-1ubuntu11.3_i386.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-3475-1) libssl1.0.0_1.0.2g-1ubuntu11.3_amd64.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-3475-1) libssl1.0.0_1.0.2g-1ubuntu13.2_i386.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-3475-1) libssl1.0.0_1.0.2g-1ubuntu13.2_amd64.debLinux
openssl security update(DSA-4018-1) openssl_1.1.0f-3+deb9u1_i386.debLinux
openssl security update(DSA-4018-1) openssl_1.1.0f-3+deb9u1_amd64.debLinux
(RHSA-2018:2568) java-1.8.0-ibm security update java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el7.x86_64.rpmLinux
(RHSA-2018:2568) java-1.8.0-ibm security update java-1.8.0-ibm-demo-1.8.0.5.20-1jpp.1.el7.x86_64.rpmLinux
(RHSA-2018:2568) java-1.8.0-ibm security update java-1.8.0-ibm-devel-1.8.0.5.20-1jpp.1.el7.x86_64.rpmLinux
(RHSA-2018:2568) java-1.8.0-ibm security update java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el7.x86_64.rpmLinux
(RHSA-2018:2568) java-1.8.0-ibm security update java-1.8.0-ibm-plugin-1.8.0.5.20-1jpp.1.el7.x86_64.rpmLinux
(RHSA-2018:2568) java-1.8.0-ibm security update java-1.8.0-ibm-src-1.8.0.5.20-1jpp.1.el7.x86_64.rpmLinux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el6_10.i686.rpmLinux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpmLinux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-demo-1.8.0.5.20-1jpp.1.el6_10.i686.rpmLinux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-demo-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpmLinux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-devel-1.8.0.5.20-1jpp.1.el6_10.i686.rpmLinux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-devel-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpmLinux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.i686.rpmLinux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpmLinux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-plugin-1.8.0.5.20-1jpp.1.el6_10.i686.rpmLinux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-plugin-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpmLinux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-src-1.8.0.5.20-1jpp.1.el6_10.i686.rpmLinux
(RHSA-2018:2575) java-1.8.0-ibm security update java-1.8.0-ibm-src-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpmLinux
SUSE-SU-2018:2839-1(SUSE Linux Enterprise Server 12-SP3 ) java-1_8_0-ibm-1.8.0_sr5.20-30.36.1.x86_64.rpmLinux
SUSE-SU-2018:2839-1(SUSE Linux Enterprise Server 12-SP3 ) java-1_8_0-ibm-alsa-1.8.0_sr5.20-30.36.1.x86_64.rpmLinux
SUSE-SU-2018:2839-1(SUSE Linux Enterprise Server 12-SP3 ) java-1_8_0-ibm-plugin-1.8.0_sr5.20-30.36.1.x86_64.rpmLinux
Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-3736)NCM

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-310858Oracle VM VirtualBox (6.0.12)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234