Bug 1523504 (CVE-2017-3737) - CVE-2017-3737 openssl: Read/write after SSL object in error state
Summary: CVE-2017-3737 openssl: Read/write after SSL object in error state
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-3737
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1523511 1523513 1524795 1524796 1525029 1525347 1527300 1544443
Blocks: 1523515
Reported: 2017-12-08 07:36 UTC by Andrej Nemec
Modified: 2021-06-10 13:52 UTC

Fixed In Version: openssl 1.0.2n
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:32:55 UTC
Embargoed:

Links
Red Hat Product Errata RHSA-2018:0998 (last updated 2018-04-10 08:40:04 UTC)
Red Hat Product Errata RHSA-2018:2185 (last updated 2018-07-12 16:18:26 UTC)
Red Hat Product Errata RHSA-2018:2186 (last updated 2018-07-12 16:15:56 UTC)
Red Hat Product Errata RHSA-2018:2187 (last updated 2018-07-12 16:06:22 UTC)

Description Andrej Nemec 2017-12-08 07:36:43 UTC
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
mechanism. The intent was that if a fatal error occurred during a handshake then
OpenSSL would move into the error state and would immediately fail if you
attempted to continue the handshake. This works as designed for the explicit
handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()),
however due to a bug it does not work correctly if SSL_read() or SSL_write() is
called directly. In that scenario, if the handshake fails then a fatal error
will be returned in the initial function call. If SSL_read()/SSL_write() is
subsequently called by the application for the same SSL object then it will
succeed and the data is passed without being decrypted/encrypted directly from
the SSL/TLS record layer.

In order to exploit this issue an application bug would have to be present that
resulted in a call to SSL_read()/SSL_write() being issued after having already
received a fatal error.

External References:

https://www.openssl.org/news/secadv/20171207.txt
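The advisory above places the precondition on the application: a read or write issued after the handshake already returned a fatal error. The following is an added example (not code from this report or from OpenSSL) of enforcing that invariant on the application side, using Python's standard ssl module (whose SSLObject methods wrap SSL_do_handshake(), SSL_read() and SSL_write()): a wrapper latches the first fatal error and refuses all later I/O on that object, whatever the library version underneath. The server reply is a constructed fatal alert fed through memory BIOs, so nothing touches the network; the hostname and wrapper names are assumptions of this example.

```python
import ssl

class StickyErrorTLS:
    """Application-side guard: once a fatal TLS error is seen on an SSL object,
    refuse every further read/write on it instead of trusting the library."""
    def __init__(self, sslobj):
        self._ssl = sslobj
        self.failed = False

    def _run(self, fn, *args):
        if self.failed:
            raise ssl.SSLError("SSL object is in error state; refusing I/O")
        try:
            return fn(*args)
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            raise                  # non-fatal: retry after moving bytes on the socket
        except ssl.SSLError:
            self.failed = True     # fatal: latch the error state for good
            raise

    def handshake(self):
        return self._run(self._ssl.do_handshake)
    def read(self, n=4096):
        return self._run(self._ssl.read, n)
    def write(self, data):
        return self._run(self._ssl.write, data)

# Constructed "server" reply: a fatal handshake_failure alert (level 2, description 40).
FATAL_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"

def simulate_failed_handshake():
    """Run a client handshake into the alert; report whether later I/O was refused."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.create_default_context()
    tls = StickyErrorTLS(ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid"))
    try:
        tls.handshake()            # emits ClientHello into `outgoing`, then wants input
    except ssl.SSLWantReadError:
        pass
    incoming.write(FATAL_ALERT)
    result = {"fatal": False, "read_refused": False, "write_refused": False}
    try:
        tls.handshake()            # the alert surfaces here as a fatal SSLError
    except ssl.SSLError:
        result["fatal"] = tls.failed
    for key, call in (("read_refused", tls.read), ("write_refused", lambda: tls.write(b"x"))):
        try:
            call()                 # must be refused without touching the SSL object
        except ssl.SSLError:
            result[key] = True
    return result
```

On a fixed OpenSSL the underlying object would also refuse the second read/write; the wrapper makes the application's behaviour independent of that fix.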

Comment 1 Andrej Nemec 2017-12-08 07:41:44 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1523513]
Affects: fedora-all [bug 1523511]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1523512]

Comment 7 Ravindra Patil 2018-01-15 20:49:07 UTC
Any ETA for the release of a fix for openssl?

Comment 9 mis 2018-02-20 18:32:13 UTC
Any ETA on this... Failing PCI Scans because of this...

Comment 10 Doug Cox 2018-02-26 19:46:13 UTC
I also have PCI scans failing and the Treasurer is not happy! Any ETA would be helpful. Thanks

Comment 13 mis 2018-03-02 14:40:59 UTC
Can anyone from Red Hat provide feedback on where this issue sits?

An ETA has been requested multiple times, with no response.

Feedback, with an ETA would be extremely helpful.

Comment 15 mis 2018-04-03 12:59:40 UTC
It's now been almost 4 months since this bug was identified, and there is still no updated package, and no ETA on an updated package.

What's the problem here?

Can we all get an ETA on this update?

Comment 16 Calvin Smith 2018-04-10 00:18:58 UTC
Per https://bugzilla.redhat.com/show_bug.cgi?id=1544443, this is fixed in RHEL 7.5.

Comment 17 errata-xmlrpc 2018-04-10 08:39:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0998 https://access.redhat.com/errata/RHSA-2018:0998

Comment 18 errata-xmlrpc 2018-07-12 16:05:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187

Comment 19 errata-xmlrpc 2018-07-12 16:15:39 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186

Comment 20 errata-xmlrpc 2018-07-12 16:18:00 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185
