Bug 1022084 - (CVE-2017-3730) VUL-0: CVE-2017-3730: openssl: Bad (EC)DHE parameters cause a client crash
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other  OS: Other
Priority: P5 - None  Severity: Normal
Target Milestone: ---
Assigned To: Vítězslav Čížek
Security Team bot
Depends on:
Blocks: 1021641
Reported: 2017-01-26 14:18 UTC by Andreas Stieger
Modified: 2017-01-26 15:52 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2017-01-26 14:18:12 UTC

Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)

Severity: Moderate

If a malicious server supplies bad parameters for a DHE or ECDHE key exchange
then this can result in the client attempting to dereference a NULL pointer
leading to a client crash. This could be exploited in a Denial of Service

OpenSSL 1.1.0 users should upgrade to 1.1.0d

This issue does not affect OpenSSL version 1.0.2.

Note that this issue was fixed prior to it being recognised as a security
concern. This means the git commit with the fix does not contain the CVE
identifier. The relevant fix commit can be identified by commit hash efbe126e3.

This issue was reported to OpenSSL on 14th January 2017 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.
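An added example (not part of this bug report, the SUSE tracker, or OpenSSL itself) that turns the version statements in the advisory above into an inventory check: it classifies an `openssl version` string against the affected range, and goes slightly beyond the page by also treating releases after the 1.1.0 series as carrying the fix. The function name is an assumption.

```shell
#!/bin/sh
# Classify an OpenSSL version string against CVE-2017-3730:
#   1.1.0 .. 1.1.0c  -> affected (client NULL dereference on bad (EC)DHE params)
#   1.1.0d and later -> fixed    (1.1.0d is the advisory's fix release)
#   1.0.2 and older  -> not-affected (the advisory states 1.0.2 is unaffected)
# Prints the verdict and returns 1 (affected), 0 (fixed), 2 (not-affected),
# 3 (unknown) so it can be used directly in scripts.
cve_2017_3730_status() {
    # Accept a bare version ("1.1.0c") or the full `openssl version` line
    # ("OpenSSL 1.1.0c  10 Nov 2016"); keep only the version token.
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]*\).*/\2/p')
    [ -n "$ver" ] || { echo unknown; return 3; }
    case "$ver" in
        1.1.0|1.1.0[abc])        echo affected;     return 1 ;;
        1.1.0[d-z])              echo fixed;        return 0 ;;
        1.1.[1-9]*|1.[2-9].*|[2-9].*)
                                 echo fixed;        return 0 ;;  # later series (beyond the page)
        0.*|1.0.*)               echo not-affected; return 2 ;;
        *)                       echo unknown;      return 3 ;;
    esac
}

# Convenience wrapper: check the OpenSSL binary on the current host.
check_local_openssl() {
    cve_2017_3730_status "$(openssl version 2>/dev/null)"
}
```

A verdict of "unknown" (including an absent `openssl` binary) should be followed up by hand rather than treated as safe.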
Comment 2 Marcus Meissner 2017-01-26 14:39:48 UTC
posted note for cve page
Comment 3 Andreas Stieger 2017-01-26 15:52:12 UTC
This issue only affects OpenSSL 1.1 series. Currently no SUSE or openSUSE version includes openssl 1.1.