SA143 : OpenSSL Vulnerabilities 16-Feb-2017

Security Advisory ID: 
Published Date: Feb 23, 2017
Advisory Status: 
Advisory Severity: 
CVSS v2 base score: TBD
CVE Number: 

Symantec Network Protection products using affected versions of OpenSSL are susceptible to a denial of service vulnerability.  A remote attacker can exploit this vulnerability to cause denial of service through application crashes.

CVSS v2 base scores will be provided when the National Vulnerability Database (NVD) scoring is complete.  The advisory severity may be adjusted once the CVSS v2 base scores become available.

Affected Products:

No Symantec Network Protection products are vulnerable to CVE-2017-3733.

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
Symantec HSM Agent for the Luna SP
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis
General Auth Connector Login Application
IntelligenceCenter Data Collector
Mail Threat Defense
Malware Analysis
Management Center
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper S-Series
PolicyCenter S-Series
ProxyAV ConLog and ConLogXP
Security Analytics
SSL Visibility
Unified Agent
X-Series XOS

Symantec no longer provides vulnerability information for the following products:

Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses a denial of service vulnerability announced in OpenSSL Security Advisory [16 Feb 2017].  No Symantec Network Protection products have been found vulnerable at this time.

CVE-2017-3733 is a flaw in the SSL/TLS client and server implementation that handles session renegotiation and the Encrypt-Then-Mac TLS extension.  A remote attacker can renegotiate an established SSL session with a different cipher suite and with the Encrypt-Then-Mac TLS extension added or removed to cause an application crash, resulting in denial of service.

Symantec Network Protection products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to CVE-2017-3733.  However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable.  Symantec urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.


No Symantec Network Protection products are vulnerable.



Advisory History: 

2017-02-23 initial public release