Is Sophos Mobile Control affected by the recently identified OpenSSL leak in versions 1.0.1 to 1.0.1f (cve-2014-160)?

  • Article ID: 120860
  • Updated: 11 Apr 2014

Is Sophos Mobile Control affected by the recently identified OpenSSL leak in versions 1.0.1 to 1.0.1f (cve-2014-160)? Designated cve-2014-160: https://www.openssl.org/news/secadv_20140407.txt

Applies to the following Sophos product(s) and version(s)

Sophos Mobile Control

Information

Immediately after the acknowledgement of the vulnerabilities present in OpenSSL version 1.0.1, we checked the source code of all Sophos Mobile products:

  • Sophos Mobile Control (server and apps (iOS, Android and Windows Phone 8))
  • Sophos Mobile Encryption (iOS, Android)
  • Sophos Mobile Security (Android)

The non-vulnerable OpenSSL version 0.9.8k is delivered with the SMC server to create certificates. No inbound SSL connections are handled by it.

None of the affected OpenSSL libraries are used in any of these products. On Android, we rely on javax.net.ssl to protect our network traffic, which is part of the operating system.

Note: According to Google, these might rely on OpenSSL: “Android uses code from The Legion of the Bouncy Castle and OpenSSL.”

Whether this particular implementation is affected has yet to be verified by the respective device vendor. Sophos can neither verify this nor can we fix any operating system files.
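To run the same kind of check against other OpenSSL builds in an environment, the following added example (not Sophos code) parses `openssl version` style banners and tests them against the 1.0.1 to 1.0.1f range named in this article. The function names and the sample banners are constructed for illustration.

```python
import re

# Affected range as stated in this article: OpenSSL 1.0.1 through 1.0.1f.
# The letter suffix is mapped to an index: "" -> 0, "a" -> 1, ... "f" -> 6.
AFFECTED_FIRST = (1, 0, 1, 0)
AFFECTED_LAST = (1, 0, 1, 6)

# Matches the classic OpenSSL scheme: major.minor.fix plus an optional letter.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter_index) or None if no version is found."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)
    letter_index = ord(letter) - ord("a") + 1 if letter else 0
    return (major, minor, fix, letter_index)


def in_affected_range(banner):
    """True if the banner's version lies in 1.0.1 .. 1.0.1f (inclusive)."""
    version = parse_openssl_version(banner)
    if version is None:
        raise ValueError("no OpenSSL version found in %r" % banner)
    return AFFECTED_FIRST <= version <= AFFECTED_LAST


def audit(banners):
    """Map each banner to 'in affected range' or 'outside affected range'."""
    return {
        b: "in affected range" if in_affected_range(b) else "outside affected range"
        for b in banners
    }


if __name__ == "__main__":
    # Constructed sample banners in the format printed by `openssl version`.
    samples = [
        "OpenSSL 0.9.8k 25 Mar 2009",       # version shipped with SMC server
        "OpenSSL 1.0.1 14 Mar 2012",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
    ]
    for banner, verdict in audit(samples).items():
        print("%-36s %s" % (banner, verdict))
```

A version string alone cannot show whether an operating system vendor has backported a fix into a build that still reports an affected version, so a match is a prompt to check the vendor's package advisory rather than a final verdict.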
