Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 41 subscribers
  • Views 697 views
  • Users 0 members are here
Options
Suggested

FRRouting some new CVEs for <= 9.1

Ben@Network

Hello Sophos,

today we received the information, that FRR has new CVEs:

CVE-2024-31948
CVE-2024-31949
CVE-2024-31950
CVE-2024-31951

All versions <= 9.1 are affected, including version 8.4.2 on the Sophos firewalls. When will the update be provided?

Thanks,

Ben



Added TAGs
[edited by: emmosophos at 6:29 PM (GMT -7) on 8 Apr 2024]
Parents Reply Children
  • 0 in reply to emmosophos

    Here is update on these:

    These 2 - BGP related - 

    CVE-2024-31948 
    CVE-2024-31949

    are tracked under NC-133407 and are planned to be fixed in upcoming SFOS 20.0MR1 release.

    These 2 ( Ospf TE related)
    CVE-2024-31950
    CVE-2024-31951

    These are now tracked under different ticket: NC-133682 and no fix version set for these yet. These CVEs  specific to ospf mpls traffic engineering related - the config for which is not supported on SFOS UI and hence does not directly impact SFOS. (such config is however possible via advanced backend CLIs).

    The open source FRRouting does not have any patch for these available. Dev team will continue to monitor open source fix for this and integrate the patch in SFOS when available.

Unfiltered HTML