Advisory: OpenSSL high severity vulnerability

Informational
CVE(s)
CVE-2023-0286
Updated:
Product(s)
Cloud Optix
Intercept X Endpoint
Intercept X for Server
Sophos Central
Sophos Connect Client 2.0
Sophos Email
Sophos Email Appliance (SEA)
Sophos Enterprise Console (SEC)
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos RED
Sophos UTM
Sophos Web Appliance (SWA)
Sophos Wireless
SophosLabs Intelix
Publication ID sophos-sa-20230214-openssl-vuln
Article version 2
First published
Workaround No

Overview

On Tuesday, February 7, 2023, the OpenSSL Project Team announced that several versions of OpenSSL contain fixes for vulnerabilities, including one rated high severity.

OpenSSL is a ubiquitous cryptography library used in many operating systems and applications.

Patches for OpenSSL

The fixes are included in the following releases:

What Sophos products are affected?

Sophos is reviewing and patching all affected applications and services as part of its incident response process.

Note: as this is an ongoing investigation, product status will change as more information becomes available.

| Product or Service | Using a vulnerable version of OpenSSL | Exploitability assessment for HIGH rated vulnerabilities (CVE-2023-0286) | Fix/mitigation |
|---|---|---|---|
| Cloud Optix | No | N/A | |
| PureMessage | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | None |
| SG UTM (all versions) | Yes | Highly unlikely - trusted CRLs are exclusively read from disk | Patch development underway |
| Sophos Endpoint protection (Windows/Mac/Linux) | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway (Windows: TBD; Mac: TBD; Linux: 2023.2) |
| Sophos Endpoint Protection - Legacy (Linux/SVE) | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | None |
| Sophos Enterprise Console (SEC) | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | None |
| Sophos Firewall (all versions) | Yes | Highly unlikely - trusted CRLs are exclusively read from disk | Patch development underway |
| Sophos Central | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch roll-out complete before March 31, 2023 |
| Sophos Connect client | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Under review |
| Sophos Email | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch roll-out complete before March 31, 2023 |
| Sophos Email Appliance | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | None |
| Sophos Home | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |
| Sophos RED | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |
| Sophos Wireless | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |
| Sophos Web Appliance | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | None |
| Sophos SASI (AntiSpam) | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |
| Sophos Mobile | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |
| Sophos Mobile EAS Proxy | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |
| SophosLabs Intelix | Yes | Highly unlikely - X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |

Other products and services

Any other products or services not listed above are still under investigation. Sophos will publish updated information as it becomes available.

Sophos product protections

Sophos is actively monitoring for threat activity and detection opportunities relating to this vulnerability.

Change Log

  • February 14, 2023: Initial version

  • February 20, 2023:

    • Added: Sophos Endpoint Protection - Legacy (Linux/SVE), Sophos Central, Sophos Email, Sophos Email Appliance

    • Updated: Sophos Endpoint protection (Windows/Mac/Linux)