Carry propagation issue in Oracle Communications EAGLE Software
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-3736 |
| CWE-ID | CWE-310 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Oracle Communications EAGLE Software Server applications / Conferencing, Collaboration and VoIP solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Carry propagation issue
EUVDB-ID: #VU9109
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3736
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to decrypt data.
The vulnerability exists due to carry propagating bug in the x86_64 Montgomery squaring procedure (bn_sqrx8x_internal). A remote attacker can decrypt encrypted data. The vulnerability affects processors that support the BMI1, BMI2 and ADX extensions like
Intel Broadwell (5th generation) and later or AMD Ryzen.
Install update from vendor's website.
Vulnerable software versionsOracle Communications EAGLE Software: 46.5.0 - 46.7.0
CPE2.3- cpe:2.3:a:oracle:eagle:46.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:eagle:46.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:eagle:46.7.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujul2019.html?917290
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
