OpenSSL vulnerabilities - March 2015
OpenSSL released a security advisory in March 2015 to announce multiple security vulnerabilities.
Denial of service and memory corruption
FortiADC may be impacted by CVE-2015-0285 and CVE-2015-0291.
FortiOS 5.0.11 and 5.2.3 may be impacted by CVE-2015-0286 when the SSLVPN feature with a PKI user and client certificate is used.
FortiClient may be impacted by CVE-2015-289 and CVE-2015-0292.
Products that allow an administrator user to import a PKCS#12 certificate may be impacted by CVE-2015-289.
CVE-2015-0207: no product impacted
CVE-2015-0208: no product impacted
CVE-2015-0209: no product impacted
CVE-2015-0287: no product impacted
CVE-2015-0288: no product impacted
CVE-2015-0290: no product impacted
CVE-2015-0293: no product impacted
CVE-2015-1787: no product impacted
Regardless of exploitability (or lack thereof), all products embedding a vulnerable version of OpenSSL will be updated. The following list gives the product versions that will embed a patched OpenSSL release:
- FortiOS: 5.0.12 / 5.2.4 or above
- FortiManager: 5.0.11 / 5.2.2 or above
- FortiAnalyzer: 5.0.11 / 5.2.2 or above
- FortiMail: 4.3.10 / 5.0.9 / 5.1.6 / 5.2.4 or above
- FortiWeb: 5.3.5 or above
- FortiAuthenticator: 3.3.1 / 4.0 or above
- FortiClient: Windows/Mac 5.2.4, Android 5.2.6, iOS 5.2.1 or above
- FortiRecorder: 2.0.1 / 2.1.1 or above
- FortiVoice Enterprise: 3.0.6 / 4.0.1 / 4.1.0 or above
- AscenLink: 7.2.3 or above
- FortiADC: 4.2.2 or above
- FortiAP: 5.2.4 or above
For all products, contact Fortinet TAC support for the current ETA of the patched release.