SA143 : OpenSSL Vulnerabilities 16-Feb-2017

1396

04 May 2021

23 February 2017

CLOSED

Medium

CVSS v2: 5.0

SUMMARY

Symantec Network Protection products using affected versions of OpenSSL are susceptible to a denial of service vulnerability.  A remote attacker can exploit this vulnerability to cause denial of service through application crashes.

AFFECTED PRODUCTS

No Symantec Network Protection products are vulnerable to CVE-2017-3733.

ADDITIONAL PRODUCT INFORMATION

Symantec Network Protection products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to CVE-2017-3733.  However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable.  Symantec urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Symantec HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis
Director
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Malware Analysis
Management Center
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Reporter
Security Analytics
SSL Visibility
Unified Agent
X-Series XOS
Symantec no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2017-3733
Severity / CVSSv2: Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References: SecurityFocus BID 96269 / NVD CVE-2017-3733
Impact: Denial of service
Description: A flaw in the SSL/TLS client and server implementation allows a remote attacker to renegotiate an established SSL session with a different cipher suite and with the Encrypt-then-MAC TLS extension added or removed, causing an application crash and resulting in denial of service.
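The description above does not state which OpenSSL releases carry the flaw; the upstream OpenSSL advisory linked under REFERENCES does: the 1.1.0 branch up to and including 1.1.0d, fixed in 1.1.0e, with the 1.0.2 and earlier branches not affected. Since this advisory asks customers to update the OpenSSL installed natively on Client Connector for OS X, Proxy Client for OS X and Reporter 9.x for Linux, a quick way to triage a host is to classify the output of `openssl version` against that range. The shell function below is an added example and is not part of this advisory or of any Symantec product; the function name `openssl_3733_status` is an assumption for this example and the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the Symantec advisory): classify an OpenSSL version
# string against the range the upstream OpenSSL advisory gives for
# CVE-2017-3733 (1.1.0 through 1.1.0d affected; fixed in 1.1.0e; the 1.0.2
# and earlier branches not affected).
#
# Usage: openssl_3733_status "OpenSSL 1.1.0c  10 Nov 2016"   (constructed sample)
#        openssl_3733_status "$(openssl version)"
# Prints exactly one of: affected, not-affected, unknown

openssl_3733_status() {
    # Extract the bare version token (e.g. 1.1.0c) from the usual
    # "OpenSSL <version>  <date>" banner, or accept a bare token directly.
    # Anything that does not start that way (LibreSSL, empty input) is unknown.
    ver=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]*\).*/\2/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi

    case "$ver" in
        1.1.0)                      echo affected ;;       # base 1.1.0 release (no letter)
        1.1.0[a-d])                 echo affected ;;       # 1.1.0a .. 1.1.0d
        1.1.0[e-z]*)                echo not-affected ;;   # 1.1.0e and later letter releases
        1.1.0*)                     echo unknown ;;        # pre-release or unusual 1.1.0 tags
        1.0.*|0.9.*)                echo not-affected ;;   # older branches, not affected upstream
        1.1.[1-9]*|[2-9].*)         echo not-affected ;;   # branches released after the fix
        *)                          echo unknown ;;
    esac
    return 0
}

# When run directly, report on the OpenSSL found on this host (if any).
if command -v openssl >/dev/null 2>&1; then
    printf '%s -> %s\n' "$(openssl version)" "$(openssl_3733_status "$(openssl version)")"
fi
```

The check only reads the version banner, so it is safe to run on a production host, and an `unknown` result (a non-OpenSSL library, or a vendor build with a non-standard banner) should be resolved by consulting the platform vendor rather than assumed clean.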
REFERENCES

OpenSSL Security Advisory - https://www.openssl.org/news/secadv/20170216.txt

REVISION

2018-01-11 Added NVD CVSS v2 score. Adjusted advisory severity to Medium based on CVSS v2 score. Moved advisory status to Final.
2017-02-23 Initial public release