Pawel_Szetela
Contributor

CVE-2021-3449

Hello Everyone,

Is there any news on the CVE-2021-3449 in Check Point products?

https://www.openssl.org/news/vulnerabilities.html

Regards,

17 Replies
genisis__
Advisor

Not 100% but I believe OpenSSL was updated to v1.1.1i in the following:

R81 JHFA13

R80.40 JHFA100

Not aware of another fix, so it sounds like Checkpoint may include this in a later fix after they confirm Checkpoint appliances are affected.

Pawel_Szetela
Contributor

Fixed in OpenSSL 1.1.1k - Affected 1.1.1-1.1.1j

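As an added example (not from this thread or from Check Point), a small Python check that parses an OpenSSL version string, or the output of `openssl version`, and reports whether it falls inside the affected range stated in the post above (1.1.1 through 1.1.1j, fixed in 1.1.1k). Versions outside that range are reported as outside the stated range, not as confirmed safe; the host inventory is constructed.

```python
import re

# Affected range as stated in the post above: 1.1.1 through 1.1.1j, fixed in 1.1.1k.
AFFECTED_FIRST = "1.1.1"
AFFECTED_LAST = "1.1.1j"
FIXED_IN = "1.1.1k"

# OpenSSL 1.x patch releases carry a letter suffix (1.1.1, 1.1.1a ... 1.1.1k).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letters) parsed from a bare version such as
    '1.1.1j' or from `openssl version` output such as 'OpenSSL 1.1.1i  8 Dec 2020'.
    The letter suffix is kept as a string: '' < 'a' < ... < 'j' < 'k' compares in
    release order, and 'z' < 'za' matches OpenSSL's scheme for letters past 'z'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def in_affected_range(text):
    """True when the version lies inside the range the post lists as affected."""
    v = parse_openssl_version(text)
    return parse_openssl_version(AFFECTED_FIRST) <= v <= parse_openssl_version(AFFECTED_LAST)


def triage(inventory):
    """Map each host to 'affected' or 'outside stated range' from its version string.
    'outside stated range' is not a claim of safety for other OpenSSL branches."""
    return {host: ("affected" if in_affected_range(ver) else "outside stated range")
            for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "gw-a": "OpenSSL 1.1.1i  8 Dec 2020",
    "gw-b": "OpenSSL 1.1.1k  25 Mar 2021",
    "gw-c": "1.1.1",
    "gw-d": "OpenSSL 1.0.2u  20 Dec 2019",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status} (fixed in {FIXED_IN})")
```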
genisis__
Advisor

Sounds like Checkpoint need to release a new Jumbo, may I suggest raising a TAC case to help speed this up.

JozkoMrkvicka
Leader

The relevant sk, where all OpenSSL CVEs should be listed, is not yet updated:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Kind regards,
Jozko Mrkvicka
_Val_
Admin

We are planning to fix it in the upcoming Jumbo. If you need immediate targeted fix, please open a case with TAC.

genisis__
Advisor

Will this be integrated into JHF100 for R80.40, as this is still an ongoing take? And equally in JHFA23 for R81?

_Val_
Admin

Still ongoing for both. More details can be available from TAC through a case.

matangi
Employee

Hi all,

We just updated sk92447; we will keep updating it once we complete the analysis for CVE-2021-3449.

Pawel_Szetela
Contributor

Hello,

2 weeks and still no news about CVE-2021-3449?

Regards,

genisis__
Advisor

When will the analysis phase be completed? Considering Checkpoint are a security vendor, it's a pretty poor show that this is taking so long to either fix or confirm their product is not vulnerable.

More interesting question: if a vendor device is compromised after the vendor has acknowledged said issue but not yet resolved it, could they be liable for any loss of earnings or reputation damage... interesting scenario to think of.

Is there a legal grace period in which the vendor would have to analyse and release a statement, which would cover them and customers?

JanVC
Collaborator

_Val_
Admin

There is an official statement now available: Response to OpenSSL CVE-2021-3449

Benedikt_Weissl
Advisor

Just to be sure: Gaia embedded is not vulnerable?

genisis__
Advisor

Thanks All.

matangi
Employee

Gaia embedded is not vulnerable.
R80.20 based versions are not vulnerable.

genisis__
Advisor

Take 102 has now been released, which addresses this CVE.

Manning
Employee

Do you mean R80.40 or R80.20? Was this a typo?
