Severity: High
Sophos (SG) UTM 9.710 MR10 Resolves Security Vulnerabilities (CVE-2022-0386, CVE-2022-0652)
CVE(s)
CVE-2022-0386
CVE-2022-0652
Product(s)
Sophos UTM
Updated
2022 Mar 21
Article version
1
Created
2022 Mar 21
Publication ID
sophos-sa-20220321-utm-9710
Workaround
No
Overview
The Sophos UTM 9.710 MR10 release contains several fixes for security vulnerabilities:
| CVE ID | Description | Severity |
|---|---|---|
| CVE-2022-0386 | A post-auth SQL injection vulnerability in the Mail Manager of Sophos UTM was discovered by Sophos during internal security testing. The fix prevents an authenticated user from potentially executing code. | HIGH |
| CVE-2022-0652 | Confd log files with insecure access permissions contained the SHA512crypt password hashes of local users, including root; Sophos discovered this during internal security testing. The fix stops the hashes from being written to the logs, which prevents a local attacker from attempting offline brute-force attacks against them. | LOW |
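The CVE-2022-0652 row describes two conditions that together make offline cracking possible: password hashes written into a log, and a log readable by more than its owner. The following audit helper, added here and not part of the Sophos advisory or product, checks both on a constructed log sample; the log line format and file mode are assumptions, not confd's actual output.

```python
import re
import stat

# SHA512crypt hashes as produced by crypt(3): "$6$", optional "rounds=N$",
# a salt of up to 16 characters, "$", then 86 characters of crypt base64.
SHA512CRYPT_RE = re.compile(
    r"\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}"
)

# Constructed sample log lines (not real confd output); the hash is synthetic.
FAKE_HASH = "$6$c0nstructed$" + "Ab9" * 28 + "Zz"
SAMPLE_LOG = "\n".join([
    "2022-03-01T10:00:01 confd[1234]: set user admin ok",
    f"2022-03-01T10:00:02 confd[1234]: users.root.password = {FAKE_HASH}",
    "2022-03-01T10:00:03 confd[1234]: commit ok",
])


def find_hash_lines(text: str) -> list[int]:
    """Return the 1-based line numbers that carry a SHA512crypt hash."""
    return [i for i, line in enumerate(text.splitlines(), 1)
            if SHA512CRYPT_RE.search(line)]


def redact(text: str) -> str:
    """Replace every SHA512crypt hash with a fixed marker, leaving the rest as-is."""
    return SHA512CRYPT_RE.sub("$6$<REDACTED>", text)


def is_group_or_world_readable(mode: int) -> bool:
    """True when the file mode lets anyone other than the owner read the file."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(text: str, mode: int) -> dict:
    """Combine both checks: hashes present in the log, and log readable by non-owners."""
    lines = find_hash_lines(text)
    readable = is_group_or_world_readable(mode)
    return {
        "hash_lines": lines,
        "readable_by_others": readable,
        # Offline brute force by a local user needs both conditions to hold.
        "exposed": bool(lines) and readable,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, 0o644))  # constructed mode: group- and world-readable
    print(redact(SAMPLE_LOG))
```

The `redact` step is the log-sanitising counterpart of the vendor fix (stopping hashes from reaching the log) and can be applied before logs are shipped to a collector.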
Applies to the following Sophos product(s) and version(s)
Sophos UTM
Remediation
Fixes included in Sophos UTM v9.710 MR10 on March 9, 2022.
Users of older versions of Sophos UTM are required to upgrade to receive this fix.
Sophos always recommends that Sophos UTM customers upgrade to the latest available release at their earliest opportunity.
Related information
Sophos Responsible Disclosure Policy
To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.