Information Exposure Affecting openssl package, versions >=1.0.200, <1.0.211
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-COCOAPODS-OPENSSL-471080
- published 2 Oct 2019
- disclosed 22 Nov 2017
- credit Unknown
Introduced: 22 Nov 2017
CVE-2017-3738 Open this link in a new tabHow to fix?
Upgrade OpenSSL to version 1.0.211 or higher.
Overview
OpenSSL is a SSL/TLS and Crypto toolkit. Deprecated in Mac OS and gone in iOS, this spec gives your project non-deprecated OpenSSL support.
Affected versions of this package are vulnerable to Information Exposure. OpenSSL is vulnerable to an overflow error in AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. This bug can be used to compromise private key information for certain situations and DH1024.
It does affect processors supporting AVX2 but not ADX extensions (e.g., Intel Haswell (4th generation)). This bug cannot be exploited for EC algorithms.
References
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- Debian Security Advisory
- Debian Security Advisory
- FREEBSD
- Gentoo Security Advisory
- GitHub Commit
- Netapp Security Advisory
- OpenSSL Security Advisory
- OpenSSL Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Security Tracker