CVE-2017-3732 in Access Managerinfo

Summary

There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Reservation

12/16/2016

Disclosure

05/04/2017

Status

Confirmed

Entries

VulDB provides additional information and datapoints for this CVE:

ID	Vulnerability	CWE	Exp	Cou	CVE
112026	Oracle Access Manager Web Server Plugin information disclosure	200	Not defined	Official fix	CVE-2017-3732
108246	Oracle Agile Engineering Data Management OpenSSL information disclosure	200	Not defined	Official fix	CVE-2017-3732
108167	Oracle JD Edwards World Security OpenSSL information disclosure	200	Not defined	Official fix	CVE-2017-3732
108166	Oracle JD Edwards EnterpriseOne Tools OpenSSL information disclosure	200	Not defined	Official fix	CVE-2017-3732
108028	Oracle Communications EAGLE LNP Application Processor OpenSSL information disclosure	200	Not defined	Official fix	CVE-2017-3732
104090	Oracle Explorer OpenSSL information disclosure	200	Not defined	Official fix	CVE-2017-3732
104067	Oracle MySQL Server OpenSSL information disclosure	200	Not defined	Official fix	CVE-2017-3732
104066	Oracle MySQL Connectors OpenSSL information disclosure	200	Not defined	Official fix	CVE-2017-3732
104065	Oracle MySQL Connectors OpenSSL information disclosure	200	Not defined	Official fix	CVE-2017-3732
103914	Oracle Communications Network Charging/Control OpenSSL information disclosure	200	Not defined	Official fix	CVE-2017-3732
103902	Oracle Commerce Guided Search/Commerce Experience Manager Platform Services information disclosure	200	Not defined	Official fix	CVE-2017-3732
103866	Oracle Transportation Management Apache Webserver information disclosure	200	Not defined	Official fix	CVE-2017-3732
103837	Oracle Enterprise Manager Ops Center Networking information disclosure	200	Not defined	Official fix	CVE-2017-3732
103836	Oracle Enterprise Manager Base Platform Discovery information disclosure	200	Not defined	Official fix	CVE-2017-3732
103824	Oracle Tuxedo OpenSSL information disclosure	200	Not defined	Official fix	CVE-2017-3732
103823	Oracle Endeca Server OpenSSL information disclosure	200	Not defined	Official fix	CVE-2017-3732
103822	Oracle API Gateway OAG OpenSSL information disclosure	200	Not defined	Official fix	CVE-2017-3732
100210	Oracle MySQL Enterprise Backup ENTRBACK information disclosure	200	Not defined	Official fix	CVE-2017-3732
100149	Oracle Primavera P6 Enterprise Project Portfolio Management Project Manager information disclosure	200	Not defined	Official fix	CVE-2017-3732
100038	Oracle Communications Security Gateway Routing information disclosure	200	Not defined	Official fix	CVE-2017-3732
96038	OpenSSL RSA/DSA/DH BN_mod_exp Private Key information disclosure	200	Not defined	Official fix	CVE-2017-3732

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

Sources

◂ PreviousOverviewNext ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!