Advisory: OpenSSL DoS vulnerability (CVE-2022-0778)

Severity: High
CVE(s): CVE-2022-0778
Updated:
Product(s): Sophos Firewall, Sophos UTM, Sophos Web Appliance (SWA)
Publication ID: sophos-sa-20220318-openssl-dos
Article Version: 1
First Published:
Workaround: No

Overview

On Tuesday, March 15, 2022, the OpenSSL project published an advisory for a denial of service vulnerability affecting all versions of OpenSSL. OpenSSL is a ubiquitous cryptography library used in many operating systems and applications, so the vulnerability affects a broad range of services and applications. Its impact varies from low to very disruptive, which makes applying the latest updates urgent for some applications.

The vulnerability allows an attacker to cause the vulnerable component to enter an infinite loop by presenting it with a maliciously crafted certificate.

What Sophos products are affected?

Sophos will review and patch all affected applications and services as part of its incident response process.

Product or Service: Sophos Firewall (all versions)
Impact: HIGH
Description:

Sophos Firewall is potentially impacted by CVE-2022-0778 in the VPN and TLS inspection components.

The fix is included in version 18.5 MR3 (late March 2022) and 19.0 GA (April 2022).

Product or Service: Sophos UTM
Impact: HIGH
Description:

Sophos UTM is potentially impacted by CVE-2022-0778 in the VPN and TLS inspection components.

The fix is included in version 9.711 MR11 (April 2022).

Product or Service: Sophos Web Appliance
Impact: HIGH
Description:

Sophos Web Appliance (SWA) is potentially impacted by CVE-2022-0778.

The fix is included in version 4.3.10.3 (April 2022).