G_W_Albrecht
Legend

SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

Upgrade OpenSSL to fix CVE-2022-0778. Refer to sk178411 - Check Point response to OpenSSL CVE-2022-0778.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

I would suggest to not install this fix - I found a serious bug in APPI updates making APCL work no more...

--> as stated this is not an issue of this firmware, only mine 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

pt bladeUpdateStatus
3 (2002) =
modified = nil
lastSuccessfulCheckTime = 1647770804
installedUpdateVersion = 0
availableUpdateVersion = 22030801
isOfflineUpdate = false
lastInstallStartedAt = 1647770803
installStatus = BLADE_INSTALL_STATUS.CONNECTING
id = 2002
lastInstallResult = BLADE_INSTALL_RESULT.INSTALL_ERROR
bladeCode = BLADE.APPLICATION_CONTROL
lastSuccessfulInstallTime = nil
upToDateConfirmedAt = nil

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

I have reverted back to R80.20.35_992002613, but Update & APPI is still not working 😞

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

APPI.mov

APCL update status is not displayed, but on clicking the Apply button, APCL tries to update, that is to reach the server, but fails - update is never started!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
_Val_
Admin

Did you open a TAC case yet?

G_W_Albrecht
Legend

I just gave feedback to the SK - my wife is watching TV so I can do no debugs 😉.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
_Val_
Admin

never heard that excuse before, lol

G_W_Albrecht
Legend

I have resolved the issue 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

That seems not to be the only issue here - in GAiA after patching, R81.10 and R80.40 show:

# cpopenssl version
OpenSSL 1.1.1n 15 Mar 2022

This is the fixed OpenSSL version!

But 1550 R80.20.35_992002639:

# cpopenssl version
OpenSSL 1.0.2r 26 Feb 2019

This is the same version as in R80.20.35_992002613. That should be fixed OpenSSL version 1.0.2zd according to CVE-2022-0778.

So does this firmware fix the issue at all?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Amir_Ayalon
Employee

Hi Guys

We didn't see any bug in APPI. In fact there was no change in this region, so I'll be surprised if there is a bug.

As for why OpenSSL is not 1.1.1n: the issue was fixed within the same OpenSSL version.

G_W_Albrecht
Legend

I think that my APPI issue has nothing to do with the firmware version - OpenSSL 1.0.2r 26 Feb 2019 is a fixed version?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

YES - according to R&D the solution is:

The "# cpopenssl version" command applies to R80.40 and above. In R80.30 versions (and below), we do not upgrade the OpenSSL version but manually port the fix for the CVE. Although there is no easy way to make sure that OpenSSL was upgraded on these versions, it will be after you install the Hotfix.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
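
The rule in the R&D answer above, written out as an added example (not part of the original thread and not Check Point code): it reads saved `cpopenssl version` output and reports whether the banner proves anything about CVE-2022-0778 on a given release. The function names, the result labels and the numeric reading of release strings such as `R80.20.35_...` are assumptions made for this sketch; the fixed versions 1.1.1n and 1.0.2zd are the ones named in the thread.

```python
import re

# Fixed upstream letter releases for CVE-2022-0778, as named in the thread.
FIXED_LETTERS = {"1.1.1": "n", "1.0.2": "zd"}
# Per the R&D statement: the banner is meaningful on R80.40 and above.
BANNER_RELIABLE_FROM = (80, 40)


def parse_banner(text):
    """Extract (branch, letters) from `cpopenssl version` output."""
    m = re.search(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)", text)
    if not m:
        raise ValueError("no OpenSSL banner found")
    return m.group(1), m.group(2)


def letters_key(letters):
    """Order OpenSSL letter releases: a < ... < z < za < zb < ..."""
    return (len(letters), letters)


def parse_release(release):
    """'R80.20.35_992002639' -> (80, 20); 'R81.10' -> (81, 10)."""
    m = re.match(r"R(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unrecognised release string")
    return int(m.group(1)), int(m.group(2))


def assess(release, banner_text):
    """Classify what the banner proves about CVE-2022-0778 on this release."""
    branch, letters = parse_banner(banner_text)
    fixed = FIXED_LETTERS.get(branch)
    if fixed is None:
        return "unknown-branch"
    if letters_key(letters) >= letters_key(fixed):
        return "fixed-by-version"
    if parse_release(release) >= BANNER_RELIABLE_FROM:
        return "not-fixed-by-version"
    # Backported fix: the banner does not change, so confirm the installed
    # hotfix or firmware build instead of trusting the version string.
    return "banner-inconclusive"


if __name__ == "__main__":
    # Release/banner pairs quoted in the thread.
    for rel, out in [("R81.10", "OpenSSL 1.1.1n 15 Mar 2022"),
                     ("R80.20.35_992002639", "OpenSSL 1.0.2r 26 Feb 2019")]:
        print(rel, "->", assess(rel, out))
```

A `banner-inconclusive` result is the case discussed in the thread: a version-string scanner will keep flagging 1.0.2r on these appliances, so patch evidence has to come from the installed firmware or hotfix build.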
