topic Re: CVE-2021-3449 in General Topics

CVE-2021-3449

Pawel_Szetela — Thu, 25 Mar 2021 18:21:29 GMT

Hello Everyone,

Is there any news on the CVE-2021-3449 in Check Point products?

https://www.openssl.org/news/vulnerabilities.html

Regards,

Re: CVE-2021-3449

genisis__ — Thu, 25 Mar 2021 20:09:56 GMT

Not 100% but I believe Open SSL was updated to v1.1.1i in the following:

R81 JHFA13

R80.40 JHFA100

Not aware of another fix so it sounds like Checkpoint may included this in a later fix after they confirm Checkpoint appliances are affected.

Re: CVE-2021-3449

Pawel_Szetela — Thu, 25 Mar 2021 20:16:33 GMT

Fixed in OpenSSL 1.1.1k - Affected 1.1.1-1.1.1j

Re: CVE-2021-3449

genisis__ — Thu, 25 Mar 2021 20:18:21 GMT

Sounds like Checkpoint need to release a new Jumbo, may I suggest raising a TAC case to help speed this up.

Re: CVE-2021-3449

JozkoMrkvicka — Thu, 25 Mar 2021 21:33:44 GMT

Relevant sk where should be all OpenSSL CVEs is not yet updated:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92447

Re: CVE-2021-3449

_Val_ — Fri, 26 Mar 2021 10:16:30 GMT

We are planning to fix it in the upcoming Jumbo. If you need immediate targeted fix, please open a case with TAC.

Re: CVE-2021-3449

genisis__ — Fri, 26 Mar 2021 10:25:11 GMT

Will this be integrated into JHF100 FOR r80.40 as this is still ongoing take? and equal in JHFA23 for R81?

Re: CVE-2021-3449

_Val_ — Fri, 26 Mar 2021 10:57:41 GMT

Still ongoing for both. More details can be available from TAC through a case.

Re: CVE-2021-3449

matangi — Mon, 29 Mar 2021 11:42:12 GMT

Hi all,

We just updated sk92447, we will keep updating it once we complete the analysis for CVE-2021-3449

Re: CVE-2021-3449

Pawel_Szetela — Fri, 09 Apr 2021 06:13:34 GMT

Hello,

2 weeks and still no news about CVE-2021-3449?

Regards,

Re: CVE-2021-3449

genisis__ — Sun, 11 Apr 2021 09:33:04 GMT

When will the analysis phase be completed? Consider Checkpoint are a Security vendor its pretty poor show that this is taking so long to either fix or confirm there product is not vulnerable.

More interesting question, if a vendor device is compromised, after the vendor has acknowledge said issue but not yet resolved it, could they be liable for any loss of earnings or reputation damage...interest scenario to think of.

Is there a legal grace period in which the vendor would have to analysis, and release a statement, which would cover them and customers?

Re: CVE-2021-3449

JanVC — Mon, 12 Apr 2021 06:54:04 GMT

https://supportcontent.checkpoint.com/solutions?id=sk172983

statement released

Re: CVE-2021-3449

_Val_ — Mon, 12 Apr 2021 07:06:52 GMT

There is an official statement now available: Response to OpenSSL CVE-2021-3449

Re: CVE-2021-3449

Benedikt_Weissl — Mon, 12 Apr 2021 08:07:26 GMT

Just to be sure: Gaia embedded is not vulnerable?

Re: CVE-2021-3449

genisis__ — Mon, 12 Apr 2021 08:13:51 GMT

Thanks All.

Re: CVE-2021-3449

matangi — Mon, 12 Apr 2021 08:14:13 GMT

Gaia embedded is not vulnerable
R80.20 based versions are not vulnerable

Re: CVE-2021-3449

genisis__ — Wed, 14 Apr 2021 12:48:59 GMT

Take 102 has now been release which addresses this CVE

Re: CVE-2021-3449

Manning — Mon, 26 Apr 2021 20:55:30 GMT

Do you mean R80.40 or R80.20? Was this a typo?