Headline
CVE-2022-22305: Fortiguard
An improper certificate validation vulnerability [CWE-295] in FortiManager 7.0.1 and below, 6.4.6 and below; FortiAnalyzer 7.0.2 and below, 6.4.7 and below; FortiOS 6.2.x and 6.0.x; FortiSandbox 4.0.x, 3.2.x and 3.1.x may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers.
**PSIRT Advisories**
Multiple products - Lack of certificate verification when establishing secure connections
Summary
An improper certificate validation vulnerability [CWE-295] in FortiOS, FortiAnalyzer, FortiManager, and FortiSandbox may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers.
Affected Products
FortiOS versions 6.2.x
FortiOS versions 6.0.x
FortiOS versions 5.6.x
FortiManager version 7.0.1 and below.
FortiManager version 6.4.6 and below.
FortiAnalyzer version 7.0.2 and below.
FortiAnalyzer version 6.4.7 and below.
FortiSandbox versions 4.0.x.
FortiSandbox versions 3.2.x.
FortiSandbox versions 3.1.5 and below.
Solutions
Please upgrade to FortiOS version 7.0.0 or above.
Please upgrade to FortiOS version 6.4.0 or above.
Please upgrade to FortiManager version 7.0.2 or above.
Please upgrade to FortiManager version 6.4.7 or above.
Please upgrade to FortiAnalyzer version 7.0.3 or above.
Please upgrade to FortiAnalyzer version 6.4.8 or above.
Please upgrade to FortiSandbox version 4.2.0 or above.