Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-3738

There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 5.9, indicating it can be exploited remotely over the network but requires specific conditions to be met without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts confidentiality (data exposure), for affected systems. Impacting 3 products from openssl, from debian, from nodejs organizations running these solutions should prioritize assessment and patching.

Historical Context

First disclosed in 2017, this vulnerability was reported during a period defined by widespread IoT adoption challenges, mobile security concerns, and the emergence of advanced persistent threat (APT) techniques. Contemporary mitigation strategies focused on secure development practices and third-party component vetting.

Published

2017-12-07T16:29:00.240

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.1: 5.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	openssl	openssl	1.0.2	Yes
Application	openssl	openssl	1.0.2	Yes
Application	openssl	openssl	1.0.2	Yes
Application	openssl	openssl	1.0.2	Yes
Application	openssl	openssl	1.0.2a	Yes
Application	openssl	openssl	1.0.2b	Yes
Application	openssl	openssl	1.0.2c	Yes
Application	openssl	openssl	1.0.2d	Yes
Application	openssl	openssl	1.0.2e	Yes
Application	openssl	openssl	1.0.2f	Yes
Application	openssl	openssl	1.0.2g	Yes
Application	openssl	openssl	1.0.2h	Yes
Application	openssl	openssl	1.0.2i	Yes
Application	openssl	openssl	1.0.2j	Yes
Application	openssl	openssl	1.0.2k	Yes
Application	openssl	openssl	1.0.2l	Yes
Application	openssl	openssl	1.0.2m	Yes
Application	openssl	openssl	1.1.0	Yes
Application	openssl	openssl	1.1.0a	Yes
Application	openssl	openssl	1.1.0b	Yes
Application	openssl	openssl	1.1.0c	Yes
Application	openssl	openssl	1.1.0d	Yes
Application	openssl	openssl	1.1.0e	Yes
Application	openssl	openssl	1.1.0f	Yes
Application	openssl	openssl	1.1.0g	Yes
Operating System	debian	debian_linux	8.0	Yes
Operating System	debian	debian_linux	9.0	Yes
Application	nodejs	node.js	≤ 4.1.2	Yes
Application	nodejs	node.js	< 4.8.7	Yes
Application	nodejs	node.js	≤ 6.8.1	Yes
Application	nodejs	node.js	< 6.12.2	Yes
Application	nodejs	node.js	≤ 8.8.1	Yes
Application	nodejs	node.js	< 8.9.3	Yes
Application	nodejs	node.js	< 9.2.1	Yes

References

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html Patch, Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html Patch, Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html Patch, Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html Patch, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/102118 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1039978 Third Party Advisory, VDB Entry ([email protected])
https://access.redhat.com/errata/RHSA-2018:0998 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2185 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2186 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2187 Third Party Advisory ([email protected])
https://github.com/openssl/openssl/commit/e502cc86df9dafded1694fceb3228ee34d11c11a Patch, Third Party Advisory ([email protected])
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ Vendor Advisory ([email protected])
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:12.openssl.asc Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/201712-03 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20171208-0001/ Third Party Advisory ([email protected])
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03881en_us Third Party Advisory ([email protected])
https://www.debian.org/security/2017/dsa-4065 Third Party Advisory ([email protected])
https://www.debian.org/security/2018/dsa-4157 Third Party Advisory ([email protected])
https://www.openssl.org/news/secadv/20171207.txt Vendor Advisory ([email protected])
https://www.openssl.org/news/secadv/20180327.txt Vendor Advisory ([email protected])
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Patch, Third Party Advisory ([email protected])
https://www.tenable.com/security/tns-2017-16 Third Party Advisory ([email protected])
https://www.tenable.com/security/tns-2018-04 Third Party Advisory ([email protected])
https://www.tenable.com/security/tns-2018-06 Third Party Advisory ([email protected])
https://www.tenable.com/security/tns-2018-07 Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/102118 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1039978 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:0998 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2185 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2186 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2187 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/openssl/openssl/commit/e502cc86df9dafded1694fceb3228ee34d11c11a Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:12.openssl.asc Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/201712-03 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20171208-0001/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03881en_us Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2017/dsa-4065 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2018/dsa-4157 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.openssl.org/news/secadv/20171207.txt Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.openssl.org/news/secadv/20180327.txt Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.tenable.com/security/tns-2017-16 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.tenable.com/security/tns-2018-04 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.tenable.com/security/tns-2018-06 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.tenable.com/security/tns-2018-07 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For openssl's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.