.svg?width=185&quality=80&auto=webp&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000 "Home"){kind=logo}
.svg?width=13&quality=80&auto=webp&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000 "Top Navigation - Sign in - Icon")
Informational
Exim CVE-2019-15846 and Sophos Products
CVE(S)
CVE-2019-15846
PRODUCT(S)
Sophos Email
Sophos Firewall
Sophos UTM
Updated
2019 Oct 16
Article Version
1
First Published
2019 Oct 16
Publication ID
sophos-sa-20191016-exim-cve
Workaround
No
Overview
CVE-2019-15846 outlines a vulnerability in Exim whereby a specially crafted SNI ending can be utilized to run arbitrary code on the vulnerable server
This vulnerability is not exploitable on any Sophos products, see the table below for more information.
Sophos Email Products and CVE-2019-15846
| Product | Vulnerable | Further information |
|---|---|---|
| Sophos XG Firewall | No | The TLS headers that are used to exploit this vulnerability are stripped by the product before reaching the vulnerable Exim code. * |
| Sophos UTM | No | The TLS headers that are used to exploit this vulnerability are stripped by the product before reaching the vulnerable Exim code. * |
| Sophos Email on Central | No | Product doesn't utilize Exim |
| Sophos Email Appliance | No | Product doesn't utilize Exim |
| Puremessage for Unix | No | Product doesn't utilize Exim |
| Puremessage for Exchange | No | Product doesn't utilize Exim |
| Cyberoam | No | Product doesn't utilize Exim |
| Reflexion | No | Product doesn't utilize Exim |
* Despite this vulnerability not being exploitable due to the current architecture of the Sophos XG and Sophos UTM products, we do still plan on releasing a patch for Exim on these platforms in an upcoming Maintenance Release.
Related information
Sophos Responsible Disclosure Policy
To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.