On 22 September 2016 OpenSSL released a security advisory for the following CVEs:

• CVE-2016-6305 - SSL_peek() hang on empty record
• CVE-2016-6307 - tls_get_message_header
• CVE-2016-6308 - Excessive allocation of memory in dtls1_preprocess_fragment
• CVE-2016-6303 - OOB write in MDC2_Update
• CVE-2016-6302 - Malformed SHA512 ticket DoS
• CVE-2016-2182 - OOB write in BN_bn2dec
• CVE-2016-2180 - OOB read in TS_OBJ_print_bio
• CVE-2016-2177 - Pointer arithmetic undefined behaviour
• CVE-2016-2178 - Constant time flag not preserved in DSA signing
• CVE-2016-2181 - CVE-2016-2179 – (D)TLS flaws

Check Point products are not vulnerable to these CVE's.

Notes:

• CVE-2016-6304 - OCSP Status Request extension unbounded memory growth: Check Point is vulnerable, but only to the internal facing Endpoint Management Server on version R77.30.01/ R77.30.01 HFA1 and IPSO's Voyager portal on version MR5 (these are internal facing and therefore exploitability is low). 
  

  Endpoint Management Server

  • Endpoint Management Server running Gaia OS on R77.30.01 should upgrade to R77.30.02.
  • Endpoint Management Server running Windows OS on R77.30.01 and R77.30.01 HFA1 should install the hotfix provided at: Check Point Endpoint Management Server R77.30.01 HFA1 Hotfix for Windows OS.
    
    • Note: This hotfix must be installed on top of R77.30.01 HFA1. For details on R77.30.01 HFA1, refer to sk110852.
  • Other Endpoint Security releases are not vulnerable.

  IPSO Voyager

  • Only MR5 is vulnerable. MR6 will fix this and will be released in the coming months.
  • To mitigate: limit HTTPS access to the gateway.


• CVE-2016-6306 - Certificate message OOB reads: Check Point is vulnerable, but only to the internal facing ICA portal (in addition to the fact that the CVE is rated low (since the effect is mostly meaningless), this server is internal facing and therefore exploitability is even lower). A fix will be provided in one of the next upcoming Jumbo HFs.