Is Sophos Mobile Control affected by the recently identified OpenSSL vulnerability in versions 1.0.1 through 1.0.1f, designated CVE-2014-0160 ("Heartbleed")? OpenSSL advisory: https://www.openssl.org/news/secadv_20140407.txt
Applies to the following Sophos product(s) and version(s)
Sophos Mobile Control
Immediately after the acknowledgement of the vulnerabilities present in OpenSSL version 1.0.1, we checked the source code of all Sophos Mobile products:
- Sophos Mobile Control (server and apps (iOS, Android and Windows Phone 8))
- Sophos Mobile Encryption (iOS, Android)
- Sophos Mobile Security (Android)
The non-vulnerable OpenSSL version 0.9.8k is shipped with the SMC server solely to create certificates; it handles no inbound SSL connections.
None of the affected OpenSSL libraries are used in any of these products. On Android, we rely on javax.net.ssl to protect our network traffic, which is part of the operating system.
Note: According to Google, the platform's own SSL classes might rely on OpenSSL: “Android uses code from The Legion of the Bouncy Castle and OpenSSL.”
Whether a particular device's implementation is affected has yet to be verified by the respective device vendor. Sophos can neither verify this nor fix any operating system files.
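The article's conclusion rests on one check: which OpenSSL version string each component actually ships (0.9.8k for the SMC server, none for the Android apps). The following added example, which is not part of the original Sophos article, shows how to run that check over an inventory of version strings as `openssl version` prints them, classifying only the 1.0.1 branch up to 1.0.1f as affected and treating 0.9.8.x, 1.0.0.x and 1.0.1g or later as unaffected. The inventory entries and their component names are constructed for illustration.

```python
import re

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f.
# 1.0.1g contains the fix; the 0.9.8 and 1.0.0 branches never had the
# TLS heartbeat code, so they are out of scope regardless of letter suffix.
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Accepts "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1e-fips", "0.9.8k", etc.
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, fix), letter) from an OpenSSL version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix)), letter


def is_heartbleed_affected(text):
    """True only for 1.0.1 (no letter) and 1.0.1a..1.0.1f."""
    branch, letter = parse_openssl_version(text)
    if branch != AFFECTED_BRANCH:
        return False
    # "" sorts before "a", so plain 1.0.1 is caught; "g" and later are fixed.
    return letter < FIRST_FIXED_LETTER


def affected_components(inventory):
    """Return the names of inventory entries whose version is affected.

    inventory: iterable of (component_name, version_string) pairs.
    """
    return [name for name, version in inventory if is_heartbleed_affected(version)]


# Constructed sample inventory (hypothetical component names, not real
# Sophos build data); the version strings mimic `openssl version` output.
SAMPLE_INVENTORY = [
    ("smc-server bundled openssl (certificate tool)", "OpenSSL 0.9.8k 25 Mar 2009"),
    ("example-host-a", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    ("example-host-b", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("example-host-c", "OpenSSL 1.0.0l 6 Jan 2014"),
    ("example-host-d", "OpenSSL 1.0.1 14 Mar 2012"),
]

if __name__ == "__main__":
    for name in affected_components(SAMPLE_INVENTORY):
        print("affected:", name)
```

One caveat a version string cannot resolve: some distributions backport the fix without changing the reported version (a patched 1.0.1e build still reports 1.0.1e), so a match here means "investigate", while a non-match on the 0.9.8 or 1.0.0 branch, as for the SMC server's bundled 0.9.8k, is conclusive.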