Upstream information

CVE-2017-3731 at MITRE

Description

If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.

SUSE information

Overall state of this security issue: Running

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database SUSE
Base Score 5 4.3
Vector AV:N/AC:L/Au:N/C:N/I:N/A:P AV:N/AC:M/Au:N/C:N/I:N/A:P
Access Vector Network Network
Access Complexity Low Medium
Authentication None None
Confidentiality Impact None None
Integrity Impact None None
Availability Impact Partial Partial
CVSS v3 Scores
  National Vulnerability Database
Base Score 7.5
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Access Vector Network
Access Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact None
Integrity Impact None
Availability Impact High

Note from the SUSE Security Team

This problem only affects openssl 1.0.1 and newer, older versions do not contain the affected code.

SUSE Bugzilla entries: 1021641 [RESOLVED / FIXED], 1022085 [RESOLVED / FIXED], 1025347 [CONFIRMED], 1025354 [RESOLVED / WORKSFORME], 1064118 [IN_PROGRESS], 1064119 [IN_PROGRESS]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Enterprise Storage 4
  • nodejs4 >= 4.7.3-14.1
Patchnames:
SUSE-Storage-4-2017-476
SUSE Linux Enterprise Desktop 12 SP1
  • libopenssl1_0_0 >= 1.0.1i-54.5.1
  • libopenssl1_0_0-32bit >= 1.0.1i-54.5.1
  • openssl >= 1.0.1i-54.5.1
Patchnames:
SUSE-SLE-DESKTOP-12-SP1-2017-236
SUSE Linux Enterprise Desktop 12 SP2
  • libopenssl-devel >= 1.0.2j-59.1
  • libopenssl1_0_0 >= 1.0.2j-59.1
  • libopenssl1_0_0-32bit >= 1.0.2j-59.1
  • openssl >= 1.0.2j-59.1
Patchnames:
SUSE-SLE-DESKTOP-12-SP2-2017-228
SUSE Linux Enterprise Desktop 12 SP3
  • libopenssl-devel >= 1.0.2j-59.1
  • libopenssl1_0_0 >= 1.0.2j-59.1
  • libopenssl1_0_0-32bit >= 1.0.2j-59.1
  • openssl >= 1.0.2j-59.1
Patchnames:
SUSE Linux Enterprise Desktop 12 SP3 GA libopenssl-devel
SUSE Linux Enterprise Module for Containers 12
  • sles12sp1-docker-image >= 1.0.7-20171002
  • sles12sp2-docker-image >= 1.0.2-20171006
Patchnames:
SUSE-SLE-Module-Containers-12-2017-1673
SUSE-SLE-Module-Containers-12-2017-1674
SUSE Linux Enterprise Module for Web Scripting 12
  • nodejs4 >= 4.7.3-14.1
  • nodejs4-devel >= 4.7.3-14.1
  • nodejs4-docs >= 4.7.3-14.1
  • nodejs6 >= 6.9.5-7.1
  • nodejs6-devel >= 6.9.5-7.1
  • nodejs6-docs >= 6.9.5-7.1
  • npm4 >= 4.7.3-14.1
  • npm6 >= 6.9.5-7.1
Patchnames:
SUSE Linux Enterprise Module for Web Scripting 12 GA nodejs6
SUSE-SLE-Module-Web-Scripting-12-2017-221
SUSE-SLE-Module-Web-Scripting-12-2017-476
SUSE Linux Enterprise Server 11-SECURITY
  • libopenssl1-devel >= 1.0.1g-0.57.1
  • libopenssl1_0_0 >= 1.0.1g-0.57.1
  • libopenssl1_0_0-32bit >= 1.0.1g-0.57.1
  • libopenssl1_0_0-x86 >= 1.0.1g-0.57.1
  • openssl1 >= 1.0.1g-0.57.1
  • openssl1-doc >= 1.0.1g-0.57.1
Patchnames:
secsp3-openssl1-12991
SUSE Linux Enterprise Server 12 SP1
  • libopenssl1_0_0 >= 1.0.1i-54.5.1
  • libopenssl1_0_0-32bit >= 1.0.1i-54.5.1
  • libopenssl1_0_0-hmac >= 1.0.1i-54.5.1
  • libopenssl1_0_0-hmac-32bit >= 1.0.1i-54.5.1
  • openssl >= 1.0.1i-54.5.1
  • openssl-doc >= 1.0.1i-54.5.1
Patchnames:
SUSE-SLE-SERVER-12-SP1-2017-236
SUSE Linux Enterprise Server 12 SP2
  • libopenssl-devel >= 1.0.2j-59.1
  • libopenssl1_0_0 >= 1.0.2j-59.1
  • libopenssl1_0_0-32bit >= 1.0.2j-59.1
  • libopenssl1_0_0-hmac >= 1.0.2j-59.1
  • libopenssl1_0_0-hmac-32bit >= 1.0.2j-59.1
  • openssl >= 1.0.2j-59.1
  • openssl-doc >= 1.0.2j-59.1
Patchnames:
SUSE-SLE-SERVER-12-SP2-2017-228
SUSE Linux Enterprise Server 12 SP3
  • libopenssl-devel >= 1.0.2j-59.1
  • libopenssl1_0_0 >= 1.0.2j-59.1
  • libopenssl1_0_0-32bit >= 1.0.2j-59.1
  • libopenssl1_0_0-hmac >= 1.0.2j-59.1
  • libopenssl1_0_0-hmac-32bit >= 1.0.2j-59.1
  • openssl >= 1.0.2j-59.1
  • openssl-doc >= 1.0.2j-59.1
Patchnames:
SUSE Linux Enterprise Server 12 SP3 GA libopenssl-devel
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
  • libopenssl-devel >= 1.0.2j-59.1
  • libopenssl1_0_0 >= 1.0.2j-59.1
  • libopenssl1_0_0-hmac >= 1.0.2j-59.1
  • openssl >= 1.0.2j-59.1
  • openssl-doc >= 1.0.2j-59.1
Patchnames:
SUSE-SLE-RPI-12-SP2-2017-228
SUSE Linux Enterprise Software Development Kit 12 SP1
  • libopenssl-devel >= 1.0.1i-54.5.1
  • openssl >= 1.0.1i-54.5.1
Patchnames:
SUSE-SLE-SDK-12-SP1-2017-236
SUSE Linux Enterprise Software Development Kit 12 SP2
  • libopenssl-devel >= 1.0.2j-59.1
  • openssl >= 1.0.2j-59.1
Patchnames:
SUSE-SLE-SDK-12-SP2-2017-228
SUSE Linux Enterprise Software Development Kit 12 SP3
  • libopenssl-devel >= 1.0.2j-59.1
Patchnames:
SUSE Linux Enterprise Software Development Kit 12 SP3 GA libopenssl-devel
openSUSE Leap 42.1
  • libopenssl-devel >= 1.0.1i-21.1
  • libopenssl-devel-32bit >= 1.0.1i-21.1
  • libopenssl1_0_0 >= 1.0.1i-21.1
  • libopenssl1_0_0-32bit >= 1.0.1i-21.1
  • libopenssl1_0_0-debuginfo >= 1.0.1i-21.1
  • libopenssl1_0_0-debuginfo-32bit >= 1.0.1i-21.1
  • libopenssl1_0_0-hmac >= 1.0.1i-21.1
  • libopenssl1_0_0-hmac-32bit >= 1.0.1i-21.1
  • nodejs >= 4.7.3-39.1
  • nodejs-debuginfo >= 4.7.3-39.1
  • nodejs-debugsource >= 4.7.3-39.1
  • nodejs-devel >= 4.7.3-39.1
  • nodejs-docs >= 4.7.3-39.1
  • npm >= 4.7.3-39.1
  • openssl >= 1.0.1i-21.1
  • openssl-debuginfo >= 1.0.1i-21.1
  • openssl-debugsource >= 1.0.1i-21.1
  • openssl-doc >= 1.0.1i-21.1
Patchnames:
openSUSE-2017-255
openSUSE-2017-284
openSUSE Leap 42.2
  • libmysql56client18 >= 5.6.38-24.12.1
  • libmysql56client18-32bit >= 5.6.38-24.12.1
  • libmysql56client18-debuginfo >= 5.6.38-24.12.1
  • libmysql56client18-debuginfo-32bit >= 5.6.38-24.12.1
  • libmysql56client_r18 >= 5.6.38-24.12.1
  • libmysql56client_r18-32bit >= 5.6.38-24.12.1
  • libopenssl-devel >= 1.0.2j-4.1
  • libopenssl-devel-32bit >= 1.0.2j-4.1
  • libopenssl1_0_0 >= 1.0.2j-4.1
  • libopenssl1_0_0-32bit >= 1.0.2j-4.1
  • libopenssl1_0_0-debuginfo >= 1.0.2j-4.1
  • libopenssl1_0_0-debuginfo-32bit >= 1.0.2j-4.1
  • libopenssl1_0_0-hmac >= 1.0.2j-4.1
  • libopenssl1_0_0-hmac-32bit >= 1.0.2j-4.1
  • mysql-community-server >= 5.6.38-24.12.1
  • mysql-community-server-bench >= 5.6.38-24.12.1
  • mysql-community-server-bench-debuginfo >= 5.6.38-24.12.1
  • mysql-community-server-client >= 5.6.38-24.12.1
  • mysql-community-server-client-debuginfo >= 5.6.38-24.12.1
  • mysql-community-server-debuginfo >= 5.6.38-24.12.1
  • mysql-community-server-debugsource >= 5.6.38-24.12.1
  • mysql-community-server-errormessages >= 5.6.38-24.12.1
  • mysql-community-server-test >= 5.6.38-24.12.1
  • mysql-community-server-test-debuginfo >= 5.6.38-24.12.1
  • mysql-community-server-tools >= 5.6.38-24.12.1
  • mysql-community-server-tools-debuginfo >= 5.6.38-24.12.1
  • nodejs4 >= 4.7.3-5.3.1
  • nodejs4-debuginfo >= 4.7.3-5.3.1
  • nodejs4-debugsource >= 4.7.3-5.3.1
  • nodejs4-devel >= 4.7.3-5.3.1
  • nodejs4-docs >= 4.7.3-5.3.1
  • npm4 >= 4.7.3-5.3.1
  • openssl >= 1.0.2j-4.1
  • openssl-debuginfo >= 1.0.2j-4.1
  • openssl-debugsource >= 1.0.2j-4.1
  • openssl-doc >= 1.0.2j-4.1
Patchnames:
openSUSE-2017-1196
openSUSE-2017-256
openSUSE-2017-442
openSUSE Leap 42.3
  • libmysql56client18 >= 5.6.38-30.1
  • libmysql56client18-32bit >= 5.6.38-30.1
  • libmysql56client18-debuginfo >= 5.6.38-30.1
  • libmysql56client18-debuginfo-32bit >= 5.6.38-30.1
  • libmysql56client_r18 >= 5.6.38-30.1
  • libmysql56client_r18-32bit >= 5.6.38-30.1
  • libopenssl-devel >= 1.0.2j-7.3
  • libopenssl1_0_0 >= 1.0.2j-7.3
  • libopenssl1_0_0-32bit >= 1.0.2j-7.3
  • mysql-community-server >= 5.6.38-30.1
  • mysql-community-server-bench >= 5.6.38-30.1
  • mysql-community-server-bench-debuginfo >= 5.6.38-30.1
  • mysql-community-server-client >= 5.6.38-30.1
  • mysql-community-server-client-debuginfo >= 5.6.38-30.1
  • mysql-community-server-debuginfo >= 5.6.38-30.1
  • mysql-community-server-debugsource >= 5.6.38-30.1
  • mysql-community-server-errormessages >= 5.6.38-30.1
  • mysql-community-server-test >= 5.6.38-30.1
  • mysql-community-server-test-debuginfo >= 5.6.38-30.1
  • mysql-community-server-tools >= 5.6.38-30.1
  • mysql-community-server-tools-debuginfo >= 5.6.38-30.1
  • openssl >= 1.0.2j-7.3
Patchnames:
openSUSE Leap 42.3 GA libopenssl-devel
openSUSE-2017-1196

List of packages in QA

Product(s) Package(s)
SUSE Linux Enterprise Server 12-LTSS
  • libopenssl1_0_0 >= 1.0.1i-27.24.2
  • libopenssl1_0_0-32bit >= 1.0.1i-27.24.2
  • libopenssl1_0_0-debuginfo >= 1.0.1i-27.24.2
  • libopenssl1_0_0-debuginfo-32bit >= 1.0.1i-27.24.2
  • libopenssl1_0_0-hmac >= 1.0.1i-27.24.2
  • libopenssl1_0_0-hmac-32bit >= 1.0.1i-27.24.2
  • openssl >= 1.0.1i-27.24.2
  • openssl-debuginfo >= 1.0.1i-27.24.2
  • openssl-debugsource >= 1.0.1i-27.24.2
  • openssl-doc >= 1.0.1i-27.24.2


List of planned updates

The following information is the current evaluation information for this security issue. It might neither be accurate nor complete, Use at own risk.
Product(s) Source package
  • SUSE Linux Enterprise Desktop 12 SP2
  • SUSE Linux Enterprise Desktop 12 SP3
  • SUSE Linux Enterprise SDK 12 SP2
  • SUSE Linux Enterprise SDK 12 SP3
  • SUSE Linux Enterprise Server 12 GA LTSS
  • SUSE Linux Enterprise Server 12 SP1 LTSS
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Workstation Extension 12 SP2
  • SUSE Linux Enterprise Workstation Extension 12 SP3
  • SUSE Openstack Cloud 7
mariadb
  • SUSE Linux Enterprise SDK 11 SP4
  • SUSE Linux Enterprise Server 11 SP3 LTSS
  • SUSE Linux Enterprise Server 11 SP4
mysql


Status of this issue by product and package

Product(s) Source package State
SUSE Linux Enterprise Desktop 12 SP1 compat-openssl098 Unsupported
SUSE Linux Enterprise Desktop 12 SP1 openssl Released
SUSE Linux Enterprise Desktop 12 SP2 compat-openssl098 Not affected
SUSE Linux Enterprise Desktop 12 SP2 openssl Released
SUSE Linux Enterprise Module for Legacy Software 12 compat-openssl098 Not affected
SUSE Linux Enterprise SDK 11 SP4 openssl Not affected
SUSE Linux Enterprise SDK 12 SP1 openssl Released
SUSE Linux Enterprise SDK 12 SP2 openssl Released
SUSE Linux Enterprise Security Module 11.3 GA openssl1 Released
SUSE Linux Enterprise Server 11 SP4 openssl Not affected
SUSE Linux Enterprise Server 12 GA LTSS openssl In progress
SUSE Linux Enterprise Server 12 SP1 openssl Released
SUSE Linux Enterprise Server 12 SP2 openssl Released
SUSE Linux Enterprise Server 12 SP2 for Raspberry PI openssl Released
SUSE Linux Enterprise Server for SAP 11 SP3 compat-openssl097g Not affected
SUSE Linux Enterprise Server for SAP 12 SP2 compat-openssl098 Not affected
SUSE Studio Onsite 1.3 openssl Not affected