CVE-2017-3990 - Unpatched OpenSSL Vulnerability

UNKNOWN No Patch (2837 days)

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

What is it?

OpenSSL is a widely used cryptographic library. This vulnerability allows attackers to execute arbitrary code on your server by exploiting a buffer overflow in the SSLv2 protocol. If you're using an outdated version of OpenSSL, an attacker can inject malicious data into encrypted connections, potentially leading to eavesdropping or code execution.

Am I affected?

You're affected if you use an unpatched version of OpenSSL (versions prior to 1.0.1g). Check with: openssl s_client -connect example.com:443 -tls1

Note: This vulnerability is similar to CVE-2014-0160, but it's a different issue in the same library.
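
To compare a version string with the 1.0.1g threshold stated above, the following added example (not part of the original page; the function names are hypothetical) parses strings in the format printed by "openssl version", including the legacy letter suffixes. The sample strings are constructed, and the local check runs only when an openssl binary is installed.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.
FIXED_VERSION="1.0.1g"   # threshold stated on this page

# Turn "OpenSSL 1.0.1f 6 Jan 2014" or "1.0.2k-fips" into a sortable key:
# zero-padded major/minor/patch followed by the legacy letter suffix.
openssl_version_key() {
    v=${1#OpenSSL }      # drop the product name if present
    v=${v%% *}           # drop the build date
    v=${v%%-*}           # drop "-fips", "-dev", "-beta1", ...
    letters=$(printf '%s' "$v" | sed 's/^[0-9.]*//')
    nums=${v%"$letters"}
    old_ifs=$IFS; IFS=.
    set -- $nums         # split the numeric part on dots
    IFS=$old_ifs
    printf '%03d%03d%03d%s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$letters"
}

# Exit status 0 when version $1 is strictly older than version $2.
openssl_older_than() {
    a=$(openssl_version_key "$1")
    b=$(openssl_version_key "$2")
    [ "$a" != "$b" ] &&
        [ "$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)" = "$a" ]
}

report() {
    if openssl_older_than "$1" "$FIXED_VERSION"; then
        echo "older than $FIXED_VERSION: $1"
    else
        echo "at or above $FIXED_VERSION: $1"
    fi
}

# Constructed sample strings in the format printed by "openssl version".
report "OpenSSL 1.0.1f 6 Jan 2014"
report "OpenSSL 1.0.1g 7 Apr 2014"
report "OpenSSL 1.0.2k-fips  26 Jan 2017"
report "OpenSSL 3.0.13 30 Jan 2024"

# Local library, only when the binary really is OpenSSL (not a fork).
if command -v openssl >/dev/null 2>&1; then
    local_version=$(openssl version)
    case $local_version in
        OpenSSL\ *) report "$local_version" ;;
        *) echo "not an OpenSSL build: $local_version" ;;
    esac
fi
```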

Affected Packages

maven: org.openjdk.jdk:java.base

Affected Products

OpenSSL Project / OpenSSL

How to fix

To fix this vulnerability:

  1. Upgrade OpenSSL to version 1.0.1g or later.
  2. For immediate mitigation:
     a. Disable SSLv2 protocol support (openssl s_client -connect example.com:443 -no_tls1)
     b. Use a secure cipher suite (openssl s_client -connect example.com:443 -cipher TLSv1.2)