Overview
On Tuesday October 25, 2022, the OpenSSL Project Team announced that OpenSSL version 3.0.7 will contain a fix for a critical severity vulnerability. The fix applies to OpenSSL version 3 only. Older versions of OpenSSL are not affected.
On Tuesday November 1, 2022, OpenSSL Project Team published an advisory about CVE-2022-3786 and CVE-2022-3602 that affects versions 3 and above.
OpenSSL is a ubiquitous cryptography library used in many operating systems and applications. OpenSSL version 3 is the newest major version, first released in September 2021.
Patches for OpenSSL
The release of OpenSSL 3.0.7 containing the fix is released https://www.openssl.org/source/openssl-3.0.7.tar.gz.
What Sophos products are affected?
Sophos is reviewing and patching all affected applications and services as part of its incident response process.
Product or Service |
Status |
Description |
---|---|---|
Cloud Optix |
Not vulnerable |
OpenSSL version 3.x not used |
PureMessage |
Not vulnerable |
OpenSSL version 3.x not used |
Reflexion |
Not vulnerable |
OpenSSL version 3.x not used |
SafeGuard Enterprise (SGN) |
Not vulnerable |
OpenSSL version 3.x not used |
SG UTM (all versions) |
Not vulnerable |
OpenSSL version 3.x not used |
SG UTM Manager (SUM) (all versions) |
Not vulnerable |
OpenSSL version 3.x not used |
Sophos Authenticator |
Not vulnerable |
OpenSSL version 3.x not used |
Sophos Central |
Not vulnerable |
OpenSSL version 3.x not used |
Sophos Endpoint protection (Windows/Mac/Linux) |
Not vulnerable |
OpenSSL version 3.x not used in:
|
Sophos Email |
Not vulnerable |
OpenSSL version 3.x not used |
Sophos Email Appliance |
Not vulnerable |
OpenSSL version 3.x not used |
Sophos Enterprise Console (SEC) |
Not vulnerable |
OpenSSL version 3.x not used |
Sophos Firewall (all versions) |
Not vulnerable |
OpenSSL version 3.x not used |
Sophos Firewall auxiliary clients |
Not vulnerable |
OpenSSL version 3.x not used in:
|
Sophos Home |
Not vulnerable |
OpenSSL version 3.x not used |
Sophos Mobile |
Not vulnerable |
OpenSSL version 3.x not used |
Sophos Mobile EAS Proxy |
Not impacted |
OpenSSL used for certificate generation only |
Sophos RED |
Not vulnerable |
OpenSSL version 3.x not used |
Sophos Web Appliance |
Not vulnerable |
OpenSSL version 3.x not used |
Sophos Wireless |
Not vulnerable |
OpenSSL version 3.x not used |
Sophos ZTNA |
Not vulnerable |
OpenSSL version 3.x not used |
SophosLabs Intelix |
Not vulnerable |
OpenSSL version 3.x not used |
Other products and services
Any other products or services not listed above are still under investigation. Sophos will publish updated information as it becomes available.
How are Sophos customers protected?
IPS Signatures
IPS signatures were first published on November 4, 2022.
Sophos Firewall
-
SIDs are 2307860, 60790
Sophos Endpoint
-
SID is 2307860
Sophos SG UTM
-
SID is 60790