On February 16, 2017, OpenSSL released a security advisory announcing that the OpenSSL development team had fixed a severe denial-of-service (DoS) vulnerability, CVE-2017-3733.
This vulnerability was reported by Red Hat's Joe Orton on January 31. It is an Encrypt-Then-MAC renegotiation crash vulnerability.
See the following for more information about the vulnerability.
OpenSSL Encrypt-Then-Mac renegotiation DoS vulnerability
During a renegotiation handshake, if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice versa), this can cause OpenSSL to crash (depending on the ciphersuite), affecting both clients and servers.
Condition and method of exploitation
This vulnerability can be exploited to run code remotely.
Unaffected version: OpenSSL 1.0.2 (the vulnerability affects the 1.1.0 branch, fixed in 1.1.0e)
How to fix or mitigate
The fixed release, OpenSSL 1.1.0e (openssl-1.1.0e.tar.gz), has been published officially. Upgrade your OpenSSL to this version or later as soon as possible.
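To triage hosts against the version range above, the following POSIX sh check is an added example written for this page; it is not part of the OpenSSL advisory or the OpenSSL project. It classifies the token printed by `openssl version` against the affected range (the 1.1.0 branch up to and including 1.1.0d; 1.1.0e and later and the 1.0.2 branch are unaffected). The function names and the sample version lines are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL advisory: classify an OpenSSL
# version against the range affected by CVE-2017-3733.
# Affected: 1.1.0 branch up to and including 1.1.0d (fixed in 1.1.0e).
# 1.0.2 and earlier branches are not affected.
# Function names are this example's own choices (hypothetical helpers).

# Extract the version token from `openssl version` output,
# e.g. "OpenSSL 1.1.0d  26 Jan 2017" -> "1.1.0d".
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Return 0 (true) if the version lies in the affected range, 1 otherwise.
# Pre-release strings such as "1.1.0-dev" are treated conservatively as
# affected, since they predate the fix.
is_affected_by_cve_2017_3733() {
    case "$1" in
        1.1.0|1.1.0[a-d]|1.1.0-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn a raw `openssl version` line into a one-line verdict.
# Returns 1 when affected so the function can drive a shell conditional.
verdict_for() {
    ver=$(openssl_version_token "$1")
    if is_affected_by_cve_2017_3733 "$ver"; then
        echo "$ver: AFFECTED by CVE-2017-3733, upgrade to OpenSSL 1.1.0e or later"
        return 1
    fi
    echo "$ver: not affected by CVE-2017-3733"
    return 0
}

# Check the binary on PATH (or the one given as $1).
check_local_openssl() {
    bin=${1:-openssl}
    if ! out=$("$bin" version 2>/dev/null); then
        echo "$bin: not found or not runnable"
        return 2
    fi
    verdict_for "$out"
}

# Constructed sample lines in the format `openssl version` prints;
# these are not results from any real host.
for sample in \
    "OpenSSL 1.1.0d  26 Jan 2017" \
    "OpenSSL 1.1.0e  16 Feb 2017" \
    "OpenSSL 1.0.2k  26 Jan 2017"
do
    verdict_for "$sample" || :
done

# Finally the real local binary; status ignored so the script exits cleanly.
check_local_openssl || :
```

This is a version-string triage aid only: distributions often backport the fix without changing the upstream version token, so a host flagged here should be confirmed against the package changelog or the vendor's own advisory before being treated as vulnerable.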