3rd party component upgrade required for security reasons: OpenSSL Security Advisory [26 Jan 2017]
Summary
The OpenSSL project released an advisory on Jan 26th, 2017, describing 3 Moderate and 1 Low severity vulnerabilities, as listed below:
Truncated packet could crash via OOB read (CVE-2017-3731)
Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
Montgomery multiplication may produce incorrect results (CVE-2016-7055)
Affected Products
FortiOS versions 5.4.5 and below are impacted by CVEs:
CVE-2017-3732
CVE-2016-7055
FortiAnalyzer versions 5.4.2 and below are impacted by CVEs:
CVE-2017-3731
CVE-2017-3732
FortiSwitch versions 3.5.2 and below are impacted by CVEs:
CVE-2017-3731
CVE-2017-3732
CVE-2016-7055
FortiAP versions 5.4.2 and below are potentially impacted by these CVEs:
CVE-2017-3731
CVE-2016-7055