Red Hat Bugzilla – Bug 1523504
CVE-2017-3737 openssl: Read/write after SSL object in error state
Last modified: 2018-10-19 17:44:59 EDT
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. External References: https://www.openssl.org/news/secadv/20171207.txt
Created mingw-openssl tracking bugs for this issue: Affects: epel-7 [bug 1523513] Affects: fedora-all [bug 1523511] Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1523512]
Any ETA for release of fix for openssl ?
Any ETA on this... Failing PCI Scans because of this...
I'm also have PCI scans fail and the Treasurer is not happy! Any ETA would be helpful. Thanks
Can anyone from Redhat provide feedback on where this issue sits? An ETA has been requested multiple times, with no response. Feedback, with an ETA would be extremely helpful.
Upstream Patch: https://github.com/openssl/openssl/commit/898fb884b706aaeb283de4812340bb0bde8476dc
It's now been almost 4 months since this bug was identified, and there is still no updated package, and no ETA on an updated package. What's the problem here? Can we all get an ETA on this update?
Per https://bugzilla.redhat.com/show_bug.cgi?id=1544443, this is fixed in RHEL 7.5
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:0998 https://access.redhat.com/errata/RHSA-2018:0998
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187
This issue has been addressed in the following products: JBoss Core Services on RHEL 6 Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185