CVE-2017-3731
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2017-3731
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-3731.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2017-3731
- Downstream
- Related
- Published
- 2017-05-04T19:29:00Z
- Modified
- 2025-09-19T09:03:07.440331Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.
- References
-
- http://rhn.redhat.com/errata/RHSA-2017-0286.html
- http://www.debian.org/security/2017/dsa-3773
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/95813
- http://www.securitytracker.com/id/1037717
- https://access.redhat.com/errata/RHSA-2018:2185
- https://access.redhat.com/errata/RHSA-2018:2186
- https://access.redhat.com/errata/RHSA-2018:2187
- https://github.com/openssl/openssl/commit/00d965474b22b54e4275232bc71ee0c699c5cd21
- https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc
- https://security.gentoo.org/glsa/201702-07
- https://security.netapp.com/advisory/ntap-20171019-0002/
- https://security.paloaltonetworks.com/CVE-2017-3731
- https://source.android.com/security/bulletin/pixel/2017-11-01
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03838en_us
- https://www.openssl.org/news/secadv/20170126.txt
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.tenable.com/security/tns-2017-04
- https://security.alpinelinux.org/vuln/CVE-2017-3731
Affected packages
Alpine:v3.2 / openssl
Package
- Name
- openssl
- Purl
- pkg:apk/alpine/openssl?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.0.2k-r0
Affected versions
0.*
0.9.8i-r0
0.9.8j-r0
0.9.8k-r0
0.9.8k-r1
0.9.8k-r2
0.9.8k-r3
0.9.8k-r4
0.9.8k-r5
0.9.8k-r6
0.9.8k-r7
0.9.8l-r0
0.9.8l-r1
0.9.8m-r0
0.9.8n-r0
0.9.8n-r1
1.*
1.0.0-r0
1.0.0a-r0
1.0.0a-r1
1.0.0a-r2
1.0.0a-r3
1.0.0a-r4
1.0.0b-r0
1.0.0c-r0
1.0.0d-r0
1.0.0e-r0
1.0.0f-r0
1.0.0g-r0
1.0.0h-r0
1.0.1-r0
1.0.1a-r0
1.0.1b-r0
1.0.1c-r0
1.0.1c-r1
1.0.1c-r2
1.0.1c-r3
1.0.1d-r0
1.0.1d-r1
1.0.1e-r0
1.0.1e-r1
1.0.1e-r2
1.0.1e-r3
1.0.1e-r4
1.0.1e-r5
1.0.1e-r6
1.0.1e-r7
1.0.1f-r0
1.0.1g-r0
1.0.1g-r1
1.0.1g-r2
1.0.1g-r3
1.0.1h-r0
1.0.1i-r0
1.0.1i-r1
1.0.1i-r2
1.0.1i-r3
1.0.1j-r0
1.0.1k-r0
1.0.1l-r0
1.0.2-r0
1.0.2a-r0
1.0.2a-r1
1.0.2b-r0
1.0.2c-r0
1.0.2d-r0
1.0.2e-r0
1.0.2f-r0
1.0.2g-r0
1.0.2h-r0
1.0.2h-r1
1.0.2h-r2
1.0.2h-r3
1.0.2h-r4
1.0.2i-r0
1.0.2j-r0
Alpine:v3.3 / openssl
Package
- Name
- openssl
- Purl
- pkg:apk/alpine/openssl?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.0.2k-r0
Affected versions
0.*
0.9.8i-r0
0.9.8j-r0
0.9.8k-r0
0.9.8k-r1
0.9.8k-r2
0.9.8k-r3
0.9.8k-r4
0.9.8k-r5
0.9.8k-r6
0.9.8k-r7
0.9.8l-r0
0.9.8l-r1
0.9.8m-r0
0.9.8n-r0
0.9.8n-r1
1.*
1.0.0-r0
1.0.0a-r0
1.0.0a-r1
1.0.0a-r2
1.0.0a-r3
1.0.0a-r4
1.0.0b-r0
1.0.0c-r0
1.0.0d-r0
1.0.0e-r0
1.0.0f-r0
1.0.0g-r0
1.0.0h-r0
1.0.1-r0
1.0.1a-r0
1.0.1b-r0
1.0.1c-r0
1.0.1c-r1
1.0.1c-r2
1.0.1c-r3
1.0.1d-r0
1.0.1d-r1
1.0.1e-r0
1.0.1e-r1
1.0.1e-r2
1.0.1e-r3
1.0.1e-r4
1.0.1e-r5
1.0.1e-r6
1.0.1e-r7
1.0.1f-r0
1.0.1g-r0
1.0.1g-r1
1.0.1g-r2
1.0.1g-r3
1.0.1h-r0
1.0.1i-r0
1.0.1i-r1
1.0.1i-r2
1.0.1i-r3
1.0.1j-r0
1.0.1k-r0
1.0.1l-r0
1.0.2-r0
1.0.2a-r0
1.0.2a-r1
1.0.2b-r0
1.0.2c-r0
1.0.2d-r0
1.0.2e-r0
1.0.2f-r0
1.0.2g-r0
1.0.2h-r0
1.0.2h-r1
1.0.2h-r2
1.0.2h-r3
1.0.2h-r4
1.0.2i-r0
1.0.2j-r0
Alpine:v3.4 / openssl
Package
- Name
- openssl
- Purl
- pkg:apk/alpine/openssl?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.0.2k-r0
Affected versions
0.*
0.9.8i-r0
0.9.8j-r0
0.9.8k-r0
0.9.8k-r1
0.9.8k-r2
0.9.8k-r3
0.9.8k-r4
0.9.8k-r5
0.9.8k-r6
0.9.8k-r7
0.9.8l-r0
0.9.8l-r1
0.9.8m-r0
0.9.8n-r0
0.9.8n-r1
1.*
1.0.0-r0
1.0.0a-r0
1.0.0a-r1
1.0.0a-r2
1.0.0a-r3
1.0.0a-r4
1.0.0b-r0
1.0.0c-r0
1.0.0d-r0
1.0.0e-r0
1.0.0f-r0
1.0.0g-r0
1.0.0h-r0
1.0.1-r0
1.0.1a-r0
1.0.1b-r0
1.0.1c-r0
1.0.1c-r1
1.0.1c-r2
1.0.1c-r3
1.0.1d-r0
1.0.1d-r1
1.0.1e-r0
1.0.1e-r1
1.0.1e-r2
1.0.1e-r3
1.0.1e-r4
1.0.1e-r5
1.0.1e-r6
1.0.1e-r7
1.0.1f-r0
1.0.1g-r0
1.0.1g-r1
1.0.1g-r2
1.0.1g-r3
1.0.1h-r0
1.0.1i-r0
1.0.1i-r1
1.0.1i-r2
1.0.1i-r3
1.0.1j-r0
1.0.1k-r0
1.0.1l-r0
1.0.2-r0
1.0.2a-r0
1.0.2a-r1
1.0.2b-r0
1.0.2c-r0
1.0.2d-r0
1.0.2e-r0
1.0.2e-r1
1.0.2f-r0
1.0.2f-r1
1.0.2f-r2
1.0.2g-r0
1.0.2g-r1
1.0.2g-r2
1.0.2g-r3
1.0.2h-r0
1.0.2h-r1
1.0.2h-r2
1.0.2h-r3
1.0.2h-r4
1.0.2i-r0
1.0.2j-r0
Git / github.com/nodejs/node
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nodejs/node
- Events
- Type
- GIT
- Repo
- https://github.com/openssl/openssl
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
BEFORE_engine
OpenSSL_0_9_1c
OpenSSL_0_9_2b
OpenSSL_0_9_3
OpenSSL_0_9_3a
OpenSSL_0_9_3beta2
OpenSSL_0_9_4
OpenSSL_0_9_5a
OpenSSL_0_9_5a-beta1
OpenSSL_0_9_5a-beta2
OpenSSL_0_9_5beta1
OpenSSL_0_9_5beta2
OpenSSL_0_9_6-beta3
OpenSSL_1_1_0
OpenSSL_1_1_0-pre1
OpenSSL_1_1_0-pre2
OpenSSL_1_1_0-pre3
OpenSSL_1_1_0-pre4
OpenSSL_1_1_0-pre5
OpenSSL_1_1_0-pre6
OpenSSL_1_1_0a
OpenSSL_1_1_0b
OpenSSL_1_1_0c
master-post-auto-reformat
master-post-reformat
master-pre-auto-reformat
master-pre-reformat
v4.*
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.3.0
v4.3.1
v4.3.2
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.5.0
v4.6.0
v4.6.1
v4.6.2
v4.7.0
v4.7.1
v4.7.2
Database specific
{
"vanir_signatures": [
{
"id": "CVE-2017-3731-1941b72b",
"digest": {
"length": 1781.0,
"function_hash": "221735333621247249205544300326653651031"
},
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "crypto/evp/e_aes.c",
"function": "aes_ccm_ctrl"
},
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/00d965474b22b54e4275232bc71ee0c699c5cd21"
},
{
"id": "CVE-2017-3731-41add88c",
"digest": {
"line_hashes": [
"258332393461523318300772418283316247240",
"139455449470853885843312740408088404667",
"299560138836707757772546515239509527055",
"196819153725239350090704975974326428859",
"107191961654897997411654721196022093301",
"15996322021237148727573568799963605600",
"57798510971080246332159561077791581992",
"151878145502330302568752946372148960554",
"147327775481107408714039356309321399255",
"21217088637283268914316745231029260860",
"33610301170652250267779137292753224093",
"199725929091931850549957399955877992477"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "crypto/evp/e_aes.c"
},
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/00d965474b22b54e4275232bc71ee0c699c5cd21"
},
{
"id": "CVE-2017-3731-9e5d08af",
"digest": {
"length": 2576.0,
"function_hash": "190075725278115512198961705506710166462"
},
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "crypto/evp/e_chacha20_poly1305.c",
"function": "chacha20_poly1305_ctrl"
},
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/00d965474b22b54e4275232bc71ee0c699c5cd21"
},
{
"id": "CVE-2017-3731-d1cf9f8d",
"digest": {
"line_hashes": [
"249268130122618982221397096100961611788",
"49308803901569287939821745393558810880",
"102123395012805653234972220826876345324",
"287229816695624475669447046210770439239",
"163478244482245408513206232913317490644",
"338244759701655409950710234690089770936",
"95801878201965267387487323207020864476"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "crypto/evp/e_chacha20_poly1305.c"
},
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/00d965474b22b54e4275232bc71ee0c699c5cd21"
},
{
"id": "CVE-2017-3731-f46e33f4",
"digest": {
"length": 2923.0,
"function_hash": "263680761763399615688609265863755459005"
},
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "crypto/evp/e_aes.c",
"function": "aes_gcm_ctrl"
},
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/00d965474b22b54e4275232bc71ee0c699c5cd21"
}
]
}