3rd party component upgrade required for security reasons: OpenSSL Security Advisory [22 Sept 2016] Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-16-048 Final 1 1 2017-04-03T00:00:00 Current version 2017-04-03T00:00:00 2017-04-03T00:00:00 The OpenSSL project released an advisory on Sept 22nd, 2016, describing 1 High, 1 Medium and 12 Low severity vulnerabilities, as listed below:OCSP Status Request extension unbounded memory growth (CVE-2016-6304)SSL_peek() hang on empty record (CVE-2016-6305)SWEET32 Mitigation (CVE-2016-2183)OOB write in MDC2_Update() (CVE-2016-6303)Malformed SHA512 ticket DoS (CVE-2016-6302)OOB write in BN_bn2dec() (CVE-2016-2182)OOB read in TS_OBJ_print_bio() (CVE-2016-2180)Pointer arithmetic undefined behaviour (CVE-2016-2177)Constant time flag not preserved in DSA signing (CVE-2016-2178)DTLS buffered message DoS (CVE-2016-2179)DTLS replay protection DoS (CVE-2016-2181)Certificate message OOB reads (CVE-2016-6306)Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308) Denial of service FortiOS versions 5.4.1, 5.4.0, 5.2.9 and below are impacted by CVEs:* 2016-2177* 2016-2178* 2016-2179* 2016-2180* 2016-2181* 2016-2182* 2016-2183* 2016-6302* 2016-6303* 2016-6304* 2016-6306FortiAnalyzer versions 5.4.1, 5.4.0, 5.2.9 and below are impacted by CVEs:* 2016-2177* 2016-2178* 2016-2179* 2016-2181* 2016-2182* 2016-2183* 2016-6302* 2016-6303* 2016-6304* 2016-6305* 2016-6306* 2016-6307* 2016-6308FortSwitch versions 3.5.0 and below are impacted by CVEs:* 2016-2177* 2016-2179* 2016-2180* 2016-2181* 2016-2182* 2016-6302* 2016-6303* 2016-6304* 2016-6305* 2016-6306* 2016-6307* 2016-6308FortiAP versions 5.4.1 and below are impacted by all CVEs included in the OpenSSL Advisory For FortiOS: Upgrade to firmware version 5.2.10 or 5.4.2 or 5.6.0For FortiAnalyzer: Upgrade to firmware version 5.2.10 or 5.4.2 or 5.6.0For FortiSwitch: Upgrade to firmware version 3.5.1For FortiAP: Upgrade to firmware version 5.4.2 https://fortiguard.fortinet.com/psirt/FG-IR-16-048 3rd party component upgrade required for security reasons: OpenSSL Security Advisory [22 Sept 2016] https://www.openssl.org/news/secadv/20160922.txt https://www.openssl.org/news/secadv/20160922.txt CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180 CVE-2016-2181 CVE-2016-2182 CVE-2016-2183 CVE-2016-6302 CVE-2016-6303 CVE-2016-6304 CVE-2016-6305 CVE-2016-6306 CVE-2016-6307 CVE-2016-6308 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-16-048 3rd party component upgrade required for security reasons: OpenSSL Security Advisory [22 Sept 2016] Reference> https://www.openssl.org/news/secadv/20160922.txt https://www.openssl.org/news/secadv/20160922.txt