On Tuesday, 1 November 2022, the OpenSSL project team released the OpenSSL 3.0.7 update as a security-fix release (OpenSSL Advisory).
This release fixes 2 HIGH severity vulnerabilities, assigned CVE-2022-3602 (reduced from Critical) and CVE-2022-3786. These buffer overflow vulnerabilities in certificate verification could result in a denial of service or potentially remote code execution on affected versions.
Only OpenSSL versions 3.0.0 through 3.0.6 are affected (version 3.0 was first released in September 2021). OpenSSL version 1.x is not affected by these vulnerabilities, therefore older operating systems and devices that still ship 1.x are not exposed.
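As an added example (not Check Point's or the OpenSSL project's code), the following Python script classifies an `openssl version` banner against the affected range stated above, 3.0.0 through 3.0.6, and can also query the local binary; the sample banners are constructed, not captured from any real host.

```python
import re
import subprocess

# Range stated in the advisory: only OpenSSL 3.0.0 through 3.0.6 is affected.
# 3.0.7 carries the fix, and the 1.x series never contained the vulnerable code.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches the leading "OpenSSL <major>.<minor>.<patch>" of the version banner;
# a 1.x letter suffix such as "1.1.1q" is ignored because 1.x is out of scope.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str):
    """Return (major, minor, patch) from an `openssl version` banner.

    Returns None for non-OpenSSL banners (e.g. LibreSSL, a separate code base
    that this advisory does not cover).
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(banner: str) -> bool:
    """True when the banner reports a version inside the affected 3.0.0..3.0.6 range."""
    v = parse_openssl_version(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def check_local_openssl() -> bool:
    """Run the local `openssl version` binary and classify it (False if absent)."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return False
    return is_affected(out)


if __name__ == "__main__":
    # Constructed sample banners for demonstration only.
    samples = ["OpenSSL 3.0.5 5 Jul 2022", "OpenSSL 3.0.7 1 Nov 2022",
               "OpenSSL 1.1.1q  5 Jul 2022", "LibreSSL 3.3.6"]
    for s in samples:
        print(f"{s!r}: {'AFFECTED' if is_affected(s) else 'not affected'}")
    print("local openssl affected:", check_local_openssl())
```

A version-string check is only a first pass: distributions sometimes backport the fix without changing the reported version, so confirm against the vendor's package changelog before treating a 3.0.x host as vulnerable or fixed.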
Solution
Check Point Products are not affected except CloudGuard AppSec.
For CloudGuard AppSec, some agent deployments use a vulnerable OpenSSL library as SSL clients (whereas the vulnerability mainly impacts server-side usage of SSL). Regardless, an updated version of those agents has been published. Customers with the agent upgrade mode set to "Automatic" receive the fixed version automatically. For additional information, refer to this article.
Check Point provides preventive behavioral protections for these vulnerabilities: