Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
G_W_Albrecht
Legend
Legend
Jump to solution

SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

Upgrade OpenSSL to fix CVE-2022-0778 Refer to sk178411 - Check Point response to OpenSSL CVE-2022-0778.

CCSE CCTE CCSM SMB Specialist
0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend
Legend

YES - according to R&D the solution is:

The "# cpopenssl version" command applies to R80.40 and above. In R80.30 versions (and below), we do not upgrade the openSSL version but manually port the fix for the CVE. Although there is no easy way to make sure that openSSL was upgraded on these versions, it will be after you install the Hotfix. 

CCSE CCTE CCSM SMB Specialist

View solution in original post

0 Kudos
12 Replies
G_W_Albrecht
Legend
Legend

I would suggest to not install this fix - i found a serious bug in APPI updates making APCL work no more...

--> as stated this is not an issue of this firmware, only mine 😎

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend
pt bladeUpdateStatus
3 (2002) =
modified = nil
lastSuccessfulCheckTime = 1647770804
installedUpdateVersion = 0
availableUpdateVersion = 22030801
isOfflineUpdate = false
lastInstallStartedAt = 1647770803
installStatus = BLADE_INSTALL_STATUS.CONNECTING
id = 2002
lastInstallResult = BLADE_INSTALL_RESULT.INSTALL_ERROR
bladeCode = BLADE.APPLICATION_CONTROL
lastSuccessfulInstallTime = nil
upToDateConfirmedAt = nil
CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend

I have reverted back to  R80.20.35_992002613, but Update & APPI is still not working 😞

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend

APCL update status is not displayed, but on clicking the Apply button, APCL tries to update, that is to reach the server, but fails - update is never started !

CCSE CCTE CCSM SMB Specialist
0 Kudos
_Val_
Admin
Admin

Did you open a TAC case yet?

0 Kudos
G_W_Albrecht
Legend
Legend

I just gave feedback to the SK - my wife is watching TV so i can do no debugs 😉.

CCSE CCTE CCSM SMB Specialist
0 Kudos
_Val_
Admin
Admin

never heard that excuse before, lol

0 Kudos
G_W_Albrecht
Legend
Legend

I have resolved the issue 😎

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend

That seems not to be the only issue here - in GAiA after patching, R81.10 and R80.40 show:

# cpopenssl version
OpenSSL 1.1.1n 15 Mar 2022

This is the fixed OpenSSL version !

But 1550 R80.20.35_992002639:


# cpopenssl version
OpenSSL 1.0.2r 26 Feb 2019

This is the same version as in R80.20.35_992002613. That should be fixed OpenSSL version 1.0.2zd according to CVE-2022-0778.

So does this firmware fix the issue at all ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
Amir_Ayalon
Employee
Employee

Hi Guys

we didn't see any bug in APPI. in fact there was no change in this region, so I'll be surprise if there is a bug.

As for why OpenSSL in not 1.1.1n. the issue was fixed within the same OpenSSL version.

 

0 Kudos
G_W_Albrecht
Legend
Legend

I think that my APPI issue has nothing to do with the firmware version - OpenSSL 1.0.2r 26 Feb 2019 is a fixed version ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend

YES - according to R&D the solution is:

The "# cpopenssl version" command applies to R80.40 and above. In R80.30 versions (and below), we do not upgrade the openSSL version but manually port the fix for the CVE. Although there is no easy way to make sure that openSSL was upgraded on these versions, it will be after you install the Hotfix. 

CCSE CCTE CCSM SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events