(Oracle Issues Fix for Oracle Linux) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
SecurityTracker Alert ID: 1037862|
SecurityTracker URL: http://securitytracker.com/id/1037862
(Links to External Site)
Date: Feb 21 2017
Denial of service via network, Disclosure of system information, Disclosure of user information|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): prior to versions 1.0.2k, 1.1.0d|
Several vulnerabilities were reported in OpenSSL. A remote user can cause the target service to crash. A remote user can obtain potentially sensitive information on the target system.|
A remote user can send a specially crafted truncated packet to the target server or client running on a 32-bit host and using a specific cipher to trigger an out-of-bounds memory read error and cause the service to crash [CVE-2017-3731]. CHACHA20/POLY1305 is affected on version 1.1.0. RC4-MD5 is affected on version 1.0.2.
The vendor was notified on November 13, 2016.
Robert Swiecki of Google reported this vulnerability.
A remote server can supply specially crafted parameters for a DHE or ECDHE key exchange to trigger a null pointer dereference and cause the target client service to crash [CVE-2017-3730]. Version 1.1.0 is affected.
The vendor was notified on January 14, 2017.
Guido Vranken reported this vulnerability.
A remote user can exploit a carry propagation flaw in BN_mod_exp() to potentially determine information about the private key in certain situations [CVE-2017-3732].
Systems configured for persistent DH parameters and sharing a private key between multiple clients are affected.
The vendor was notified on January 15, 201.
The OSS-Fuzz project reported this vulnerability.
A remote user can cause the target service to crash.|
A remote user can obtain potentially sensitive information on the target system.
Oracle has issued a fix for CVE-2017-3731.|
The Oracle Linux advisory is available at:
Vendor URL: linux.oracle.com/errata/ELSA-2017-0286.html (Links to External Site)
Access control error|
|Underlying OS: Linux (Oracle)|
|Underlying OS Comments: 6, 7|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: [El-errata] ELSA-2017-0286 Moderate: Oracle Linux 7 openssl security update|
Oracle Linux Security Advisory ELSA-2017-0286
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
Description of changes:
- fix CVE-2017-3731 - DoS via truncated packets with RC4-MD5 cipher
- fix CVE-2016-8610 - DoS of single-threaded servers via excessive alerts
El-errata mailing list