Support Center > Search Results > SecureKnowledge Details
Status of OpenSSL CVEs Technical Level
Solution

This article applies to all Check Point software products, unless stated otherwise for specific CVE.

Note: This article does not list all the known CVEs for OpenSSL - only those that were explicitly checked by Check Point.

CVE Comment
2023
CVE-2023-0401 Not relevant for Quantum products. Other products are under analysis.
CVE-2023-0286 Not vulnerable for Quantum products. Other products are under analysis.
CVE-2023-0217 Not relevant for Quantum products. Other products are under analysis.
CVE-2023-0216 Not relevant for Quantum products. Other products are under analysis.
CVE-2023-0215 Not vulnerable for Quantum products. Other products are under analysis.
CVE-2022-4450 Under analysis
CVE-2022-4304 Under analysis
CVE-2022-4203 Not relevant for Quantum products. Other products are under analysis.
2022
CVE-2022-3786 Refer to sk180206 - Check Point response to OpenSSL CVE-2022-3602 and CVE-2022-3786.
CVE-2022-3602 Refer to sk180206 - Check Point response to OpenSSL CVE-2022-3602 and CVE-2022-3786.
CVE-2022-3358 Not relevant
CVE-2022-2097 Not relevant
CVE-2022-2274 Not relevant
CVE-2022-2068 Not relevant
CVE-2022-1473 Not relevant
CVE-2022-1434 Not relevant
CVE-2022-1343 Not relevant
CVE-2022-1292 Not vulnerable
CVE-2022-0778 Refer to sk178411 - Check Point response to OpenSSL CVE-2022-0778.
2021
CVE-2021-4160 Not vulnerable. Relevant for MIPS platforms only.
CVE-2021-3711 Not vulnerable. Check Point products do not use/allow SM2 ciphers.
CVE-2021-3712 Not vulnerable. Check Point code never directly construct ASN1_STRING.
CVE-2021-3450 Not vulnerable. In order to be affected, an application must set the X509_V_FLAG_X509_STRICT flag explicitly. There is no use of the flag mentioned above in the Check Point code.
CVE-2021-3449 Refer to sk172983 - Check Point Response to OpenSSL CVE-2021-3449.
CVE-2021-23841 Not vulnerable
CVE-2021-23840 Not vulnerable (Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases, where the input length is close to the maximum permissible length for an integer on the platform,
We call these functions only with a small or limited input length, which prevents the overflow.)
CVE-2021-23839 Not vulnerable
2020
CVE-2020-1971 Not vulnerable
CVE-2020-1968 Not vulnerable
CVE-2020-1967 Not vulnerable. Check Point products do not make use of the vulnerable function (SSL_check_chain).
2019
CVE-2019-1563 Not vulnerable
CVE-2019-1547 Not vulnerable
2018
CVE-2018-0739 Not vulnerable
CVE-2018-0733 Not vulnerable
2017
CVE-2017-3733 Not vulnerable
CVE-2017-3732 Not relevant. Check Point products do not use the FFDHE cipher suite
CVE-2017-3731 Relevant only when using an RC4-MD5 ciphersuite, which all customers should have disabled by now
per sk106478 - Check Point response to CVE-2015-2808 (Bar Mitzvah)
CVE-2017-3730 Not relevant. Check Point products do not use the affected versions 1.1.0 prior to 1.1.0d
2016
CVE-2016-6309 Not vulnerable
CVE-2016-6308 Not vulnerable (refer to sk113500)
CVE-2016-6307 Not vulnerable (refer to sk113500)
CVE-2016-6306 Refer to sk113500 - Check Point response to OpenSSL Security advisory 22 September 2016
CVE-2016-6305 Not vulnerable (refer to sk113500)
CVE-2016-6304 Refer to sk113500 - Check Point response to OpenSSL Security advisory 22 September 2016
CVE-2016-6303 Not vulnerable (refer to sk113500)
CVE-2016-6302 Not vulnerable (refer to sk113500)
CVE-2016-2182 Not vulnerable (refer to sk113500)
CVE-2016-2181 Not vulnerable (refer to sk113500)
CVE-2016-2180 Not vulnerable (refer to sk113500)
CVE-2016-2178 Not vulnerable (refer to sk113500)
CVE-2016-2177 Not vulnerable (refer to sk113500)
CVE-2016-2176 Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-2109 Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-2108 Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-2107 Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-2106 Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-2105 Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-0800

  • HTTPS Portals on Gaia OS / SecurePlatform OS are not vulnerable

  • HTTPS Portals on Gaia Embedded OS (600/700/1100/1200R/1400 appliances) are not vulnerable

  • IPSO Network Voyager (over HTTPS) is not vulnerable

  • Recommendations for Security Gateway configured as Mail Transfer Agent (MTA) and used as the organization MX record:

    1. [Preferred] On the Security Gateway configured as Mail Transfer Agent (MTA), use a dedicated SSL certificate that is not used anywhere else.

    2. [Optional, but recommended] Use the IPS protection "Secure Sockets Layer Version 2.0" to block SSLv2 connections.

    3. [Optional, but recommended] Use the IPS protection "Non Compliant SSL" to block SSLv2 connections on TCP port 25:

      1. In SmartDashboard, go to IPS tab
      2. In the left upper pane, click on Protections
      3. Search for Non Compliant SSL
      4. Double-click on this protection
      5. Double-click on the IPS profile
      6. Select Override IPS Policy with - select Prevent
      7. Check the box Protect SMTPS over SMTP Port (TCP/25)
      8. Click on OK
      9. Repeat Steps E - H for each IPS Profile
      10. Click on OK
      11. Install policy

    4. Follow the sk102989 -
      section "(III) Configuration recommendations for Check Point Portals and OS" -
      sub-section "Recommendations for Mail Transfer Agent (MTA)" -
      disable SSLv2 and SSLv3 (and use only TLSv1).
      Note: Has wide impact - will also block reception of clear text e-mails over SMTP.

  • LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-0799 Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-0798 Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-0797 Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-0705 Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-0704 Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-0703

  • HTTPS Portals on Gaia OS / SecurePlatform OS are not vulnerable

  • HTTPS Portals on Gaia OS Embedded (600/700/1100/1200R/1400 appliances) are not vulnerable

  • IPSO Network Voyager (over HTTPS) is not vulnerable

  • For Security Gateway configured as Mail Transfer Agent (MTA) and used as the organization MX record, refer to sk102989 -
    section "(III) Configuration recommendations for Check Point Portals and OS" -
    sub-section "Recommendations for Mail Transfer Agent (MTA)" -
    disable SSLv2 and SSLv3 (and use only TLSv1)

  • LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-0702 Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-0701 Not vulnerable
2015
CVE-2015-3197 Not vulnerable
CVE-2015-3196 Not vulnerable
CVE-2015-3195 Not vulnerable
CVE-2015-3194 Not vulnerable
CVE-2015-3193 Not vulnerable
CVE-2015-2808 Refer to sk106499 - Check Point response to CVE-2015-2808 (Bar Mitzvah) and OpenSSL CVE-2015-1789
CVE-2015-1794 Not vulnerable
CVE-2015-1793 Not vulnerable
CVE-2015-1792

LOM card firmware is vulnerable on the following appliances:

  • 4000 series - lower than 2.1.2 is vulnerable (refer to sk97621)
  • 12000 series - lower than 2.1.2 is vulnerable (refer to sk97621)
  • 13000 series - lower than 2.30 is vulnerable (refer to sk101241)
  • 21000 series - lower than 2.30 is vulnerable (refer to sk101241)
  • Smart-1 series - lower than 2.30 is vulnerable (refer to sk101241)
Note: All other Check Point products are not vulnerable (because they do not use OpenSSL CMS code)
CVE-2015-1789 Refer to sk106499 - Check Point response to CVE-2015-2808 (Bar Mitzvah) and OpenSSL CVE-2015-1789
CVE-2015-1788

Not relevant

Note: Check Point products do not use OpenSSL ECParameters code
CVE-2015-1787 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0293 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0292 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0291 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0290 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0289 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0288 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0287 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0286 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0285 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0209 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0208 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0207 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0206 Not vulnerable
CVE-2015-0205 Not vulnerable
CVE-2015-0204 Refer to:
 
2014
CVE-2014-8275 Not vulnerable
CVE-2014-8176

Not vulnerable. Check Point products do not use OpenSSL DTLS code
CVE-2014-5139 Not vulnerable
CVE-2014-3572 Not vulnerable
CVE-2014-3571 Not vulnerable
CVE-2014-3570 Not vulnerable
CVE-2014-3569

Not relevant. Follow sk102989 - Check Point response to the POODLE Bites vulnerability

Note: This CVE was created after fixing the CVE-2014-3568. Check Point is not vulnerable to CVE-2014-3568, so the fix for CVE-2014-3568 is not included.
CVE-2014-3568 Not vulnerable. Follow sk102989 - Check Point response to the POODLE Bites vulnerability

Note: Check Point openSSL is not compiled with "-no-ssl3"
CVE-2014-3567 Not vulnerable. Follow sk102989 - Check Point response to the POODLE Bites vulnerability
CVE-2014-3513 Not relevant. Check Point products do not use OpenSSL DTLS code
CVE-2014-3512 Not vulnerable. Check Point products do not support Secure Remote Password (SRP)
CVE-2014-3511 Not vulnerable
CVE-2014-3510 Not relevant. Check Point products do not use OpenSSL DTLS code
CVE-2014-3509 Not vulnerable
CVE-2014-3508

Not relevant. Check Point products do not use OpenSSL's pretty print and Check Point logs are kept private
CVE-2014-3507

Not relevant. Check Point products do not use OpenSSL DTLS code
CVE-2014-3506

Not relevant. Check Point products do not use OpenSSL DTLS code
CVE-2014-3505

Not relevant. Check Point products do not use OpenSSL DTLS code
CVE-2014-3470 Not vulnerable (this CVE does not affect the versions used by Check Point products)
CVE-2014-0224 Refer to sk101186 - SSL/TLS MITM vulnerability
CVE-2014-0221 Not vulnerable (this CVE does not affect the versions used by Check Point products)
CVE-2014-0198 Not vulnerable (this CVE does not affect the versions used by Check Point products)
CVE-2014-0195 Not vulnerable (this CVE does not affect the versions used by Check Point products)
CVE-2014-0160 Refer to sk100173 - Check Point response to OpenSSL vulnerability
CVE-2014-0076

Not vulnerable

Note: The bug is in code that Check Point products do not use
2013
CVE-2013-6450

Not relevant. Check Point products do not use DTLS
CVE-2013-6449

Not relevant. OpenSSL used in Check Point products is not vulnerable because it does not have TLS 1.2
CVE-2013-4353

Not relevant. OpenSSL used in Check Point products is not vulnerable
CVE-2013-0169

The attack is impractical. Attacker needs to Man-in-the-Middle 8 million connections to gain one plaintext block. The result is more serious for DTLS. However, Check Point does not use DTLS for anything. The fix in OpenSSL has performance issues. Check Point does not plan to fix it.
CVE-2013-0166

Not relevant

Note: Check Point products perform their own certificate validation
 
2012
CVE-2012-2686 Not relevant
CVE-2012-2333 Not relevant
CVE-2012-1165 Not relevant
CVE-2012-0884 Not vulnerable
CVE-2012-0027 Not relevant
 
2011
CVE-2011-4619 Not relevant
CVE-2011-4577 Not relevant
CVE-2011-4576 Not vulnerable (fixed in R75.40)
CVE-2011-4109 Not relevant
CVE-2011-4108 Not relevant
CVE-2011-3210 Not relevant
CVE-2011-1945 Not relevant
CVE-2011-1473 Not exploitable, as Check Point puts all sorts of protections against DoS on the gateway (limiting the number of connections, limiting the amount of data, etc.) and this CVE is not even considered a vulnerability in OpenSSL by the community.
 
2010
CVE-2010-5298

Not vulnerable (fix for this CVE is already integrated)
CVE-2010-4252 Not relevant
CVE-2010-4180 Not relevant
CVE-2010-0433 Not relevant
 
2009
CVE-2009-4355 Not vulnerable
CVE-2009-3555 Not relevant
CVE-2009-3245 Not relevant
CVE-2009-2409 Not relevant
CVE-2009-1386 Not relevant
CVE-2009-0789 Not relevant
CVE-2009-0590 Not relevant
 
2008
CVE-2008-7270 Not relevant
CVE-2008-5077 Not relevant
 
2006
CVE-2006-7250 Not relevant
CVE-2006-4343 Not relevant
CVE-2006-3738 Not vulnerable (refer to sk33771)
CVE-2006-2940 Not vulnerable, fix is included in Check Point OpenSSL library
CVE-2006-2937 Not vulnerable / not relevant

 

Clarifications:

Status Meaning
Not relevant
  • Either Check Point does not use the vulnerable code.
  • Or Check Point does not have this code in released versions.
  • Or Check Point changed the code in such a way that this vulnerability does not apply anymore.
Not vulnerable
  • The issue is not relevant to Check Point code (the affected code does not exist or is not used in Check Point software).
  • The issue was relevant to Check Point code and Check Point has already fixed it.
Relevant
  • The issue exists in Check Point code.

 

How to check the version of the installed OpenSSL package:

[Expert@HostName:0]# cpopenssl version

Example: 
[Expert@Gateway_172.29.19.156:0] # cpopenssl version 
OpenSSl 1.1.1k  25 Mar 2021 
[Expert@Gateway_172.29.19.156:0] #
Notes:
  • "cpopenssl version" command is supported in R80.40 and higher Check Point versions.
  • All Check Point versions starting from R80.40 are protected and include all relevant CVE fixes.

Applies To:
  • This SK replaces sk101171

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment 

SECURE YOUR EVERYTHING

©

Copyright | Privacy Policy
Follow Us