PT-2017-3765 · OpenSSL +8
David Benjamin · Published 2017-12-07 · Updated 2024-06-15 · CVE-2017-3737
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
OpenSSL versions 1.0.2b through 1.0.2m
MySQL Server versions 5.6.38 and earlier
MySQL Server versions 5.7.20 and earlier
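A triage check for the version ranges listed above, as an added example that is not part of the original advisory or of either project's code. The function names, host names and sample inventory are constructed for illustration, and it assumes each MySQL bound applies within its own release series (5.6.x, 5.7.x).

```python
import re

# Ranges copied from the affected-versions list above.
OPENSSL_FIRST, OPENSSL_LAST = "b", "m"  # 1.0.2b .. 1.0.2m
# Assumption: each MySQL bound applies only within its own release series.
MYSQL_LAST_PATCH = {(5, 6): 38, (5, 7): 20}

_OPENSSL_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")
_MYSQL_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def openssl_affected(banner):
    """True if an `openssl version` style string falls in 1.0.2b..1.0.2m."""
    m = _OPENSSL_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version in {banner!r}")
    series, letters = (int(m[1]), int(m[2]), int(m[3])), m[4]
    # Patch letters run a..z, then za, zb, ...; plain string order matches
    # that, and the bare "1.0.2" release (empty suffix) sorts before "a".
    return series == (1, 0, 2) and OPENSSL_FIRST <= letters <= OPENSSL_LAST


def mysql_affected(version):
    """True if a MySQL Server version is at or below its series' bound."""
    m = _MYSQL_RE.search(version)
    if not m:
        raise ValueError(f"no MySQL version in {version!r}")
    last = MYSQL_LAST_PATCH.get((int(m[1]), int(m[2])))
    return last is not None and int(m[3]) <= last


# Constructed sample inventory: (host, product, reported version string).
SAMPLE_INVENTORY = [
    ("web01", "openssl", "OpenSSL 1.0.2k-fips  26 Jan 2017"),
    ("web02", "openssl", "OpenSSL 1.0.2n  7 Dec 2017"),
    ("web03", "openssl", "OpenSSL 1.1.0g  2 Nov 2017"),
    ("db01", "mysql", "5.7.20-log"),
    ("db02", "mysql", "5.7.21"),
    ("db03", "mysql", "5.6.38"),
]


def triage(inventory):
    """Return hosts whose reported version is inside an affected range."""
    checks = {"openssl": openssl_affected, "mysql": mysql_affected}
    return [host for host, product, ver in inventory if checks[product](ver)]


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_INVENTORY)))
```

A match is a triage signal only: distribution packages often backport fixes without changing the upstream version letter, so confirm against the vendor's own advisory for the installed package.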
Description:
The issue is related to the incorrect handling of the "error state" mechanism in OpenSSL when the SSL_read() or SSL_write() functions are called directly. This can lead to the transmission of unencrypted confidential data over the network at the SSL/TLS level. The vulnerability can be exploited if an application bug results in a call to SSL_read() or SSL_write() after a fatal error has been received.
Recommendations:
For OpenSSL versions 1.0.2b through 1.0.2m, update to OpenSSL 1.0.2n to resolve the issue.
For MySQL Server versions 5.6.38 and earlier, and 5.7.20 and earlier, consider restricting access to the affected MySQL Server component until a patch is available.
As a temporary workaround, consider disabling the direct use of the SSL_read() and SSL_write() functions in applications until the issue is resolved.
Exploit
Fix
DoS
Memory Corruption
Out of bounds Read
Affected Products
ALT Linux
CentOS
FreeBSD
IBM AIX
MySQL Server
OpenSSL
Red Hat
SUSE
Ubuntu