Advisory: OpenSSL Security Advisory [05 Jun 2014]

  • Article ID 121108
  • Updated: 02 Jul 2014

On June 5th 2014 the OpenSSL Project published an advisory listing seven security defects in their software along with an update to fix them.  

Certain Sophos products use the OpenSSL cryptography libraries and hence this article provides information on the issue in relation to our products.

Important: We are fully investigating this issue and will update this article to provide further information when available.

Applies to the following Sophos product(s) and version(s)

Sophos Web Appliance
Sophos UTM Manager
Sophos UTM
Sophos Email Appliance
Sophos Cloud
PureMessage for Unix

What are the OpenSSL defects?

See the table below for a list of CVE numbers and brief description.

CVE reference† | Description
CVE-2014-0224  | SSL/TLS MITM vulnerability
CVE-2014-0221  | DTLS recursion flaw
CVE-2014-0195  | DTLS invalid fragment vulnerability
CVE-2014-0198  | SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
CVE-2010-5298  | SSL_MODE_RELEASE_BUFFERS session injection or denial of service
CVE-2014-3470  | Anonymous ECDH denial of service
CVE-2014-0076  | Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"

†CVE provides a standardized reference number and information on public security vulnerabilities and exposures.  For more information see the cve.mitre.org website.

The list of defects as published by the OpenSSL Project can be found at the following link:

What versions of OpenSSL are affected?

Until the latest software release on June 5th, all versions of OpenSSL were vulnerable in client applications; the flaw goes back to the origin of the code in 1998. On the server side, only versions 1.0.1 and higher are vulnerable.

For more information see our naked security blog article:

Have any of the OpenSSL defects been exploited so far?

No.

Is this the same as 'heartbleed'?

No.  Heartbleed (CVE-2014-0160) was disclosed by the OpenSSL Project on April 7th 2014 and was an earlier software defect.

What Sophos products are affected?

The table below lists the affected Sophos products, associated CVE number, and further information.

Important: When our development teams complete their investigation all affected products and resolutions will be listed. If a product is not listed in the table below it is not affected in any way.

Product affected | Associated CVE | Further information

Sophos UTM v8.3, v9.1 and v9.2 | CVE-2014-0224 | The affected versions will be fixed in the respective versions below:
    v8.312 (released - please check KBA 121112 for update instructions)
    v9.113 (released - please check KBA 121112 for update instructions)
    v9.203 (released - please check KBA 121112 for update instructions)

Sophos UTM Manager v4.1 and v4.2 | CVE-2014-0224 | Patched in version 4.107 (released):
    Up2date link
    MD5SUM: be4f0d72e7266882bb3cd63cdc92bb90
    File size: ~198MB
  Patched in version 4.201 (released):
    Up2date link
    MD5SUM: 42ddbb8f7eb30cc98a23f2f88b0e52fe
    File size: ~50MB

Sophos Web Appliance v3.9.x.x | CVE-2014-0224 | Patch in v3.9.0.2 (expected June 11th, 2014)
Sophos Email Appliance v3.7.x.x | CVE-2014-0224 | Patch in v3.8.0.0 (expected week commencing June 23rd 2014)
PureMessage for UNIX v6 | CVE-2014-0224 | Patch expected June 25th 2014
Sophos Cloud | CVE-2014-0224 | Patched 17th June 2014
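As an added check that is not part of this article or of Sophos' tooling: a small script that verifies a downloaded UTM Manager Up2date package against the MD5 sums and approximate sizes listed above before it is applied. The package path and the version label ("4.107" or "4.201") are supplied by the caller; the `demo()` function hashes a constructed sample file only to exercise the logic.

```python
import hashlib
import os
import tempfile

# Checksums and approximate sizes as published in this article for the
# UTM Manager Up2date packages. Note: an MD5 sum only detects a corrupted or
# wrong file; it authenticates the package only if the sum itself was obtained
# from a trusted source (here, the vendor article).
EXPECTED = {
    "4.107": {"md5": "be4f0d72e7266882bb3cd63cdc92bb90", "size_mb": 198},
    "4.201": {"md5": "42ddbb8f7eb30cc98a23f2f88b0e52fe", "size_mb": 50},
}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a ~200MB package need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_up2date(path, version, expected=EXPECTED):
    """Return (ok, reason). ok is True only when the MD5 matches the published sum;
    a size that deviates from the approximate figure is reported but not fatal."""
    if version not in expected:
        return False, "no published checksum for version %s" % version
    entry = expected[version]
    actual = md5_of_file(path)
    if actual != entry["md5"]:
        return False, "MD5 mismatch: got %s, expected %s" % (actual, entry["md5"])
    size_mb = os.path.getsize(path) / (1024.0 * 1024.0)
    if abs(size_mb - entry["size_mb"]) > entry["size_mb"] * 0.1:
        return True, "MD5 ok, but size %.1f MB differs from ~%d MB" % (size_mb, entry["size_mb"])
    return True, "MD5 ok"


def demo():
    """Constructed sample (not a real package): the RFC 1321 test vector 'abc'."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"abc")
        path = f.name
    try:
        sample = {"sample": {"md5": "900150983cd24fb0d6963f7d28e17f72", "size_mb": 0}}
        return (md5_of_file(path),
                verify_up2date(path, "sample", sample)[0],   # matches -> True
                verify_up2date(path, "4.107")[0])            # wrong file -> False
    finally:
        os.remove(path)
```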

I have a further question, what should I do?

If something in the article is not clear leave a comment in the form below.  Otherwise post your question to our community:

If you need more information or instructions, please contact technical support.
