
[Vulnerability notice] CVE-2017-3733: Encrypt-Then-Mac renegotiation crash (DoS) vulnerability in OpenSSL

Last Updated: Jan 13, 2020

On February 16, 2017, OpenSSL published a security advisory announcing that the OpenSSL development team had fixed a high-severity denial-of-service vulnerability, CVE-2017-3733.

The vulnerability was reported to OpenSSL by Joe Orton of Red Hat on January 31, 2017. It is an Encrypt-Then-Mac renegotiation crash: a handshake that changes whether the Encrypt-Then-Mac extension is in use causes the affected process to crash.

See the following for more information about the vulnerability.

CVE identifier

CVE-2017-3733

Vulnerability name

OpenSSL Encrypt-Then-Mac renegotiation crash (denial of service)

Vulnerability rating

High (OpenSSL severity rating)

Vulnerability description

During a renegotiation handshake, if the Encrypt-Then-Mac extension (RFC 7366) is negotiated where it was not in the original handshake, or vice versa, OpenSSL can crash (depending on the ciphersuite). Both clients and servers are affected.
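
The trigger condition above is a difference in Encrypt-Then-Mac state between two handshakes on the same connection. The following is an added example written for this notice, not code from OpenSSL or from the original advisory: it parses TLS 1.2 ServerHello records, decides whether the server echoed the encrypt_then_mac extension (type 22, RFC 7366), and reports when a renegotiation ServerHello flips that state relative to the initial one. The ServerHello bytes, cipher suites and zeroed randoms are constructed test input, not captured traffic.

```python
import struct

# TLS constants (RFC 5246 / RFC 7366)
RECORD_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02
TLS12 = b"\x03\x03"
ETM_EXTENSION_TYPE = 22  # encrypt_then_mac, RFC 7366

# Constructed sample cipher suites (not captured traffic). EtM only changes
# record processing for block-cipher (CBC) suites; for AEAD suites RFC 7366
# says the server must not echo the extension.
CBC_SUITE = b"\x00\x2f"   # TLS_RSA_WITH_AES_128_CBC_SHA
AEAD_SUITE = b"\x00\x9c"  # TLS_RSA_WITH_AES_128_GCM_SHA256


def build_server_hello(cipher_suite: bytes, etm: bool) -> bytes:
    """Build a minimal TLS 1.2 ServerHello record (constructed test input).

    A server signals that Encrypt-Then-Mac was negotiated by echoing the
    empty encrypt_then_mac extension; omitting it means MAC-then-encrypt.
    """
    extensions = b""
    if etm:
        extensions += struct.pack("!HH", ETM_EXTENSION_TYPE, 0)  # empty extension_data
    body = TLS12 + bytes(32)            # server_version, random (zeroed for the sample)
    body += b"\x00"                     # session_id length 0
    body += cipher_suite + b"\x00"      # cipher_suite, compression_method null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + TLS12 + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse one ServerHello record into its cipher suite and extension map."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != HS_SERVER_HELLO:
        raise ValueError("not a complete ServerHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or len(body) < 38:
        raise ValueError("truncated ServerHello body")
    pos = 2 + 32                                   # skip server_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cipher_suite = body[pos:pos + 2]
    pos += 3                                       # cipher_suite (2) + compression_method (1)
    extensions = {}
    if pos < len(body):
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        if end != len(body):
            raise ValueError("extension block length mismatch")
        while pos < end:
            if pos + 4 > end:
                raise ValueError("truncated extension header")
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions[ext_type] = body[pos:pos + ext_len]
            pos += ext_len
    return {"cipher_suite": cipher_suite, "extensions": extensions}


def etm_negotiated(record: bytes) -> bool:
    """True when the server echoed encrypt_then_mac, i.e. EtM is in effect."""
    return ETM_EXTENSION_TYPE in parse_server_hello(record)["extensions"]


def renegotiation_flips_etm(initial_hello: bytes, renegotiation_hello: bytes) -> bool:
    """The CVE-2017-3733 trigger condition: EtM state differs between the
    original handshake and the renegotiation handshake (either direction)."""
    return etm_negotiated(initial_hello) != etm_negotiated(renegotiation_hello)


if __name__ == "__main__":
    first = build_server_hello(CBC_SUITE, etm=True)
    second = build_server_hello(CBC_SUITE, etm=False)
    print("initial EtM:", etm_negotiated(first))
    print("renegotiation EtM:", etm_negotiated(second))
    print("trigger condition met:", renegotiation_flips_etm(first, second))
```

Run against a pair of ServerHello records from the same connection (for example from a packet capture), the last function tells you whether the renegotiation exercised the code path this advisory describes. It only looks at the extension echo; whether a given suite actually crashes an unpatched 1.1.0 is the ciphersuite dependence the advisory mentions and is not modelled here.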

Condition and method of exploitation

A remote peer (a malicious server against a client, or a malicious client against a server) that completes a renegotiation handshake with a different Encrypt-Then-Mac outcome than the original handshake can crash the affected process. The impact is denial of service; the advisory describes a crash, not remote code execution.

Affected scope

OpenSSL 1.1.0 series before 1.1.0e (1.1.0 through 1.1.0d)

Unaffected version: OpenSSL 1.0.2

How to fix or mitigate

OpenSSL 1.1.0e, released on February 16, 2017, fixes this issue. Upgrade OpenSSL 1.1.0 installations to 1.1.0e or later as soon as possible. If you run a vendor-packaged OpenSSL, check the vendor's own advisory as well: distributions often backport the fix without changing the version string the binary reports.
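
As an added example for this notice (not code from OpenSSL or the original advisory), the check below parses the output of `openssl version` and decides whether the reported version falls in the affected range, 1.1.0 through 1.1.0d. It assumes the pre-3.0 lettered patch-release scheme, in which suffixes sort alphabetically, and an `openssl` binary on PATH for the live check; the version strings in the comments are constructed test input.

```python
import re
import subprocess

# Matches the leading version of `openssl version` output, e.g.
# "OpenSSL 1.1.0d  26 Jan 2017" or "OpenSSL 3.0.2 15 Mar 2022" (constructed samples).
VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

FIXED_IN = (1, 1, 0, (5,))  # 1.1.0e: letter suffix 'e' encoded as position 5


def parse_openssl_version(text: str) -> tuple:
    """Turn an OpenSSL version string into a comparable tuple.

    Pre-3.0 releases use a letter suffix for patch releases and those sort
    alphabetically (1.1.0 < 1.1.0a < ... < 1.1.0e), so the suffix becomes a
    tuple of letter positions; an empty tuple sorts before any letter.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    suffix = tuple(ord(c) - ord("a") + 1 for c in m.group(4))
    return (major, minor, fix, suffix)


def is_affected_by_cve_2017_3733(version: tuple) -> bool:
    """True for the advisory's affected range: 1.1.0 through 1.1.0d.

    1.0.2 is unaffected per the advisory; 1.1.0e and later carry the fix, and
    later release series (1.1.1, 3.x) were cut after it.
    """
    return version[:3] == (1, 1, 0) and version < FIXED_IN


def installed_openssl_version() -> tuple:
    """Parse the version reported by the `openssl` binary on PATH (assumed present)."""
    result = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return parse_openssl_version(result.stdout)


if __name__ == "__main__":
    try:
        installed = installed_openssl_version()
    except (FileNotFoundError, subprocess.CalledProcessError, ValueError) as exc:
        print("could not determine installed OpenSSL version:", exc)
    else:
        print("installed:", installed, "affected:", is_affected_by_cve_2017_3733(installed))
```

Two caveats when using this in practice: a vendor package may report 1.1.0d yet already carry the backported fix, so treat a positive result as a prompt to check the vendor advisory rather than as proof; and the command-line binary may not be the libssl that your application actually links, so check the library the process loads (for example via its loaded shared objects) rather than only the `openssl` tool.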