CVE-2017-3737

Description

OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake, OpenSSL would move into the error state and immediately fail if the application attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()); however, due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails, a fatal error is returned from the initial function call. If SSL_read()/SSL_write() is subsequently called by the application on the same SSL object, the call succeeds and the data is passed directly to or from the SSL/TLS record layer without being encrypted or decrypted. To exploit this issue, an application bug would have to be present that results in a call to SSL_read()/SSL_write() being issued after a fatal error has already been received. OpenSSL versions 1.0.2b through 1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.

Category

CVSS

Base score: 5.9 (Severity: Medium)
EPSS: 33.75% (Top 5%)
Affected: OpenSSL (OpenSSL Software Foundation)

References

- https://access.redhat.com/errata/RHSA-2018:2185 (vendor advisory)
- https://access.redhat.com/errata/RHSA-2018:2186 (vendor advisory)
- https://github.com/openssl/openssl/commit/898fb884b706aaeb283de4812340bb0bde8476dc
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- https://security.netapp.com/advisory/ntap-20180419-0002/
- https://security.FreeBSD.org/advisories/FreeBSD-SA-17:12.openssl.asc (third party advisory, vendor advisory)
- https://security.gentoo.org/glsa/201712-03 (third party advisory, vendor advisory)
- http://www.securitytracker.com/id/1039978 (third party advisory, VDB entry)
- https://www.openssl.org/news/secadv/20171207.txt (vendor advisory)
- https://www.digitalmunition.me/2017/12/cve-2017-3737-openssl-security-bypass-vulnerability/ (third party advisory)
- https://access.redhat.com/errata/RHSA-2018:0998 (vendor advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- https://www.debian.org/security/2017/dsa-4065 (third party advisory, vendor advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-179516.pdf
- http://www.securityfocus.com/bid/102103 (third party advisory, VDB entry)
- https://www.tenable.com/security/tns-2017-16
- https://access.redhat.com/errata/RHSA-2018:2187 (vendor advisory)
- https://security.netapp.com/advisory/ntap-20180117-0002/
- https://security.netapp.com/advisory/ntap-20171208-0001/ (third party advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Frequently Asked Questions

What is the severity of CVE-2017-3737?
CVE-2017-3737 has been scored as a medium severity vulnerability.
How to fix CVE-2017-3737?
To fix CVE-2017-3737, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2017-3737 being actively exploited in the wild?
It is possible that CVE-2017-3737 is being exploited, or will be exploited in the near future, based on public information. According to its EPSS score, there is a ~34% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2017-3737?
CVE-2017-3737 affects OpenSSL (OpenSSL Software Foundation).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.