Check Point Corrects Inaccurate Statements Published by ISS
Inaccurate Statement of Versions Affected by ISAKMP Issue
Contrary to ISS's initial security alert, the most recent versions of Check Point VPN-1 Versions 4.1 and NG are not susceptible to this vulnerability. This issue was resolved with Next Generation FP2, released in April 2002, and 4.1 SP6, released in June 2002.
It appears that ISS did not adequately test version 4.1 SP6 prior to listing it as affected. After being notified of the error, ISS requested access to SP6 for testing. Check Point provided the software and ISS has since confirmed that no vulnerability exists in VPN-1 4.1 SP6 and updated their security advisory accordingly.
Inaccurate Statement of Scope of HTTP Security Server Vulnerability
ISS initially characterized this vulnerability as affecting all aspects of HTTP inspection in Application Intelligence. The issue described is related only to the HTTP Security Server. Check Point has issued a simple update to a configuration file to mitigate this issue.
Check Point sincerely apologizes for any confusion this inaccurate information from ISS may have caused our customers.