OpenSSL vulnerabilities - March 2015
Description
OpenSSL released a security advisory in March 2015 to announce multiple security vulnerabilities.
Impact Detail
The impact may vary depending on the affected product (see below).
There is no known public exploit for any of the CVEs mentioned in the OpenSSL advisory.
Affected Products
FortiADC may be impacted by CVE-2015-0285 and CVE-2015-0291.
FortiOS 5.0.11 and 5.2.3 may be impacted by CVE-2015-0286 when the SSLVPN feature with a PKI user and client certificate is used.
FortiClient may be impacted by CVE-2015-0289 and CVE-2015-0292.
Products that allow a PKCS#12 certificate to be imported by an administrator user may be impacted by CVE-2015-0289.
CVE-2015-0207: no product impacted
CVE-2015-0208: no product impacted
CVE-2015-0209: no product impacted
CVE-2015-0287: no product impacted
CVE-2015-0288: no product impacted
CVE-2015-0290: no product impacted
CVE-2015-0293: no product impacted
CVE-2015-1787: no product impacted
Solutions
Regardless of exploitability (or lack thereof), all products embedding a vulnerable version of OpenSSL will be updated. The following list gives the product versions that will embed a patched OpenSSL release:
- FortiOS: 5.0.12 / 5.2.4 or above
- FortiManager: 5.0.11 / 5.2.2 or above
- FortiAnalyzer: 5.0.11 / 5.2.2 or above
- FortiMail: 4.3.10 / 5.0.9 / 5.1.6 / 5.2.4 or above
- FortiWeb: 5.3.5 or above
- FortiAuthenticator: 3.3.1 / 4.0 or above
- FortiClient: Windows/MAC 5.2.4, Android 5.2.6, iOS 5.2.1 or above
- FortiRecorder: 2.0.1 / 2.1.1 or above
- FortiVoice Enterprise: 3.0.6 / 4.0.1 / 4.1.0 or above
- AscenLink: 7.2.3 or above
- FortiADC: 4.2.2 or above
- FortiAP: 5.2.4 or above
For all products, contact Fortinet TAC support for the current ETA of the patched release.