topic Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800 in Spark Firewall (SMB)

SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

G_W_Albrecht — Fri, 18 Mar 2022 11:57:42 GMT

Upgrade OpenSSL to fix CVE-2022-0778 Refer to sk178411 - Check Point response to OpenSSL CVE-2022-0778.

Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

G_W_Albrecht — Mon, 21 Mar 2022 18:49:46 GMT

I would suggest to not install this fix - i found a serious bug in APPI updates making APCL work no more...

--> as stated this is not an issue of this firmware, only mine 8)

Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

G_W_Albrecht — Sun, 20 Mar 2022 10:38:45 GMT

`pt bladeUpdateStatus`

3 (2002) =
modified = nil
lastSuccessfulCheckTime = 1647770804
installedUpdateVersion = 0
availableUpdateVersion = 22030801
isOfflineUpdate = false
lastInstallStartedAt = 1647770803
installStatus = BLADE_INSTALL_STATUS.CONNECTING
id = 2002
lastInstallResult = BLADE_INSTALL_RESULT.INSTALL_ERROR
bladeCode = BLADE.APPLICATION_CONTROL
lastSuccessfulInstallTime = nil
upToDateConfirmedAt = nil

Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

G_W_Albrecht — Mon, 21 Mar 2022 09:38:45 GMT

That seems not to be the only issue here - in GAiA after patching, R81.10 and R80.40 show:

# cpopenssl version
OpenSSL 1.1.1n 15 Mar 2022

This is the fixed OpenSSL version !

But 1550 R80.20.35_992002639:

# cpopenssl version
OpenSSL 1.0.2r 26 Feb 2019

This is the same version as in R80.20.35_992002613. That should be fixed OpenSSL version 1.0.2zd according to CVE-2022-0778.

So does this firmware fix the issue at all ?

Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

G_W_Albrecht — Mon, 21 Mar 2022 10:12:26 GMT

I have reverted back to R80.20.35_992002613, but Update & APPI is still not working 😞

Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

G_W_Albrecht — Mon, 21 Mar 2022 10:51:28 GMT

(view in My Videos)

APCL update status is not displayed, but on clicking the Apply button, APCL tries to update, that is to reach the server, but fails - update is never started !

Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

_Val_ — Mon, 21 Mar 2022 10:49:55 GMT

Did you open a TAC case yet?

Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

G_W_Albrecht — Mon, 21 Mar 2022 10:53:19 GMT

I just gave feedback to the SK - my wife is watching TV so i can do no debugs 😉.

Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

_Val_ — Mon, 21 Mar 2022 11:05:06 GMT

never heard that excuse before, lol

Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

Amir_Ayalon — Mon, 21 Mar 2022 16:58:21 GMT

Hi Guys

we didn't see any bug in APPI. in fact there was no change in this region, so I'll be surprise if there is a bug.

As for why OpenSSL in not 1.1.1n. the issue was fixed within the same OpenSSL version.

Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

G_W_Albrecht — Mon, 21 Mar 2022 18:48:24 GMT

I think that my APPI issue has nothing to do with the firmware version - OpenSSL 1.0.2r 26 Feb 2019 is a fixed version ?

Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

G_W_Albrecht — Mon, 21 Mar 2022 18:51:37 GMT

YES - according to R&D the solution is:

The "# cpopenssl version" command applies to R80.40 and above. In R80.30 versions (and below), we do not upgrade the openSSL version but manually port the fix for the CVE. Although there is no easy way to make sure that openSSL was upgraded on these versions, it will be after you install the Hotfix.

Re: SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

G_W_Albrecht — Tue, 22 Mar 2022 09:06:25 GMT

I have resolved the issue 8)