Advisory: OpenSSL 3.x critical vulnerability

← Back to Security Advisories Overview
Informational
CVE(s)
CVE-2022-3786
CVE-2022-3602
Updated:
Product(s)
Cloud Optix
Intercept X Endpoint
Intercept X for Server
Reflexion
SafeGuard Enterprise (SGN)
Sophos Authenticator
Sophos Central
Sophos Connect Client 2.0
Sophos Email
Sophos Email Appliance (SEA)
Sophos Enterprise Console (SEC)
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos RED
Sophos Transparent Authentication Suite (STAS)
Sophos UTM
Sophos UTM Manager
Sophos Web Appliance (SWA)
Sophos Wireless
Sophos ZTNA
SophosLabs Intelix
Publication ID: sophos-sa-20221031-openssl-vuln
Article Version: 3
First Published:
Workaround: No

Overview

On Tuesday October 25, 2022, the OpenSSL Project Team announced that OpenSSL version 3.0.7 will contain a fix for a critical severity vulnerability. The fix applies to OpenSSL version 3 only. Older versions of OpenSSL are not affected.

On Tuesday November 1, 2022, OpenSSL Project Team published an advisory about CVE-2022-3786 and CVE-2022-3602 that affects versions 3 and above.

OpenSSL is a ubiquitous cryptography library used in many operating systems and applications. OpenSSL version 3 is the newest major version, first released in September 2021.

Patches for OpenSSL

The release of OpenSSL 3.0.7 containing the fix is released https://www.openssl.org/source/openssl-3.0.7.tar.gz.

What Sophos products are affected?

Sophos is reviewing and patching all affected applications and services as part of its incident response process.

Product or ServiceStatusDescription
Cloud OptixNot vulnerableOpenSSL version 3.x not used
PureMessageNot vulnerableOpenSSL version 3.x not used
ReflexionNot vulnerableOpenSSL version 3.x not used
SafeGuard Enterprise (SGN)Not vulnerableOpenSSL version 3.x not used
SG UTM (all versions)Not vulnerableOpenSSL version 3.x not used
SG UTM Manager (SUM) (all versions)Not vulnerableOpenSSL version 3.x not used
Sophos AuthenticatorNot vulnerableOpenSSL version 3.x not used
Sophos CentralNot vulnerableOpenSSL version 3.x not used
Sophos Endpoint protection (Windows/Mac/Linux)Not vulnerable

OpenSSL version 3.x not used in:

  • Intercept X Endpoint
  • Intercept X for Server
Sophos EmailNot vulnerableOpenSSL version 3.x not used
Sophos Email ApplianceNot vulnerableOpenSSL version 3.x not used
Sophos Enterprise Console (SEC)Not vulnerableOpenSSL version 3.x not used
Sophos Firewall (all versions)Not vulnerableOpenSSL version 3.x not used
Sophos Firewall auxiliary clientsNot vulnerable

OpenSSL version 3.x not used in:

  • Sophos Connect Client
  • Sophos Transparent Authentication Suite (STAS)
  • Sophos Authentication for Thin Client (SATC) (EOL)
  • Client Authentication Agent (all versions)
Sophos HomeNot vulnerableOpenSSL version 3.x not used
Sophos MobileNot vulnerableOpenSSL version 3.x not used
Sophos Mobile EAS ProxyNot impactedOpenSSL used for certificate generation only
Sophos REDNot vulnerableOpenSSL version 3.x not used
Sophos Web ApplianceNot vulnerableOpenSSL version 3.x not used
Sophos WirelessNot vulnerableOpenSSL version 3.x not used
Sophos ZTNANot vulnerableOpenSSL version 3.x not used
SophosLabs IntelixNot vulnerableOpenSSL version 3.x not used

How are Sophos customers protected?

IPS Signatures

IPS signatures were first published on November 4, 2022.

Sophos Firewall

  • SIDs are 2307860, 60790

Sophos Endpoint

  • SID is 2307860

Sophos SG UTM

  • SID is 60790

Related Information

Sophos Responsible Disclosure Policy

To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.