Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

R81.20 Jumbo Hotfix Accumulator take #65 has been released today

gadt
Employee
Employee
0 20 2,432

gadt_0-1717411424203.png

 

Hi All

 

R81.20 Jumbo Hotfix Accumulator take #65 has been released today, and is available for download.

 

Please note the following:

  •        Availability:

o   Available to download the via Jumbo documentation R81.20 

o   Available for download via CPUSE by using package identifier.

o   Can be provided by customer support

 

Content included in this take:

 

  • PRJ-55496 - CVE-2024-24919 - Quantum Security Gateway Information Disclosure. Refer to sk182336.
  • PRJ-55471 - Remote Access VPN for local accounts authenticated only with Check Point password created in R80.20 or lower and not updated after the upgrade to R80.30 is blocked until the password is reset. Refer to sk182336.
  • List of resolved issues in this take can be found in the Jumbo documentation R81.20 

 

Note:

  • Central Deployment allows you to perform a batch deployment of Hotfixes on your Security Gateways and clusters from SmartConsole!! For more information, see sk168597.

 

Thanks,

Release Operations Group

20 Comments
the_rock
Legend
Legend

Will install it in the lab and report back.

Andy

the_rock
Legend
Legend

K, just installed, rebooted, lets give it 24 hours and see if all is well.

Best,

Andy

the_rock
Legend
Legend

Just installed it on lab gw, ran script for CVE in question from https://support.checkpoint.com/results/sk/sk182336 and still shows vulnerable. Its the one named CP-gateway as per below

 

[Expert@CP-gw:0]# cpinfo -y fw1

This is Check Point CPinfo Build 914000239 for GAIA
[FW1]
HOTFIX_R81_20_JHF_T54_BLOCK_PORTAL_MAIN Take: 2
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point's software version R81.20 - Build 030
kernel: R81.20 - Build 038

[Expert@CP-gw:0]#

Andy

 

CVE-2024-24919.png

Norbert_Bohusch
Advisor

There is a big misunderstanding.

The script only checks if remoteaccess or mobileaccess is enabled on a gateway and lists it as "possibly" vulnerable.

The patch or JHF will not change the output of the script!

the_rock
Legend
Legend

@Norbert_Bohusch Ah, I see, my bad. I thought if installed would get rid of it, as it shows fix is included in this jumbo, but suppose I was mistaken.

Andy

PhoneBoy
Admin
Admin

Reminder from sk182336:

image.png

 

the_rock
Legend
Legend

Thanks @PhoneBoy 

MattGo
Participant

I might be misunderstanding things but the release notes no longer seem to give prominence to a "Recommended" take.  Is JHF recommended or is that still JHF 53?

MatanYanay
Employee
Employee

@MattGo 

we recommend that all customers upgrade to take 65 -- as it includes the CVE fix 

we aim to move the take to be recommended formally very quickly 

Thanks 

Matan.

the_rock
Legend
Legend

@MatanYanay I also mentioned this to few customers and they totally understood. Normally, most people would wait until jumbo is recommended, but given the circumstances, this is a bit different.

Cheers mate.

Andy

Mlinko
Contributor

Hi Andy,

we are planning to install the Take 65 on Saturday, did you have any problems with the new take?

Thank you for your feedback!

Cheers

Rok

the_rock
Legend
Legend

Hey Rok,

No issues so far that I noticed in the lab. As a matter of fact, contrary to it, all seems BETTER! 

Andy

the_rock
Legend
Legend

@Mlinko We installed jumbo 65 for one client last night, no issues so far, though its not business hours in EST time zone yet, but Im sure it will be fine. We are doing another one that has S1C mgmt server tonight as well. Im literally "forcing" everyone to install this newest take, because while yes, its not recommended yet, but I dont care, given the circumstances, it has to be done.

Best,

Andy

Alex-
Leader Leader
Leader

We installed this Take on a SecureXL cluster and SNX won't start.

The fix consisting of editing the two phpincs files has been re-applied but no luck there, the Connect button cycles for some time and then nothing happens.

Multiple PC tested and so on. We quickly switched to Endpoint as workaround.

the_rock
Legend
Legend

@Mlinko Updated another customer last night, they are super happy, all good!

Chris_Atkinson
Employee Employee
Employee

@Alex- Are you referring to sk181805?

Pauli
Participant

@MatanYanay 

Hello,
is the date already known when the T65 as GA will be available?
Thanks!!

the_rock
Legend
Legend

@Pauli I would NOT wait for that. Again, given the circumstances, Im telling everyone to install it. Just make sure none of these apply to you.

Andy

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Important-Notes.htm?tocpath=_____2

Alex-
Leader Leader
Leader

@Chris_Atkinson Yes, although we're checking again if it was implemented completely. It was a good opportunity to flash-migrate to Endpoint VPN since this customer already uses HEP, though.

Mlinko
Contributor

We also updated all the GWs and MGMTs and didn't have any issues until now.

KR
Rok

Labels