Advisory: OpenSSL 3.x critical vulnerability

Informational
CVE(s)
CVE-2022-3786
CVE-2022-3602
Updated:
Product(s)
Cloud Optix
Intercept X Endpoint
Intercept X for Server
Reflexion
SafeGuard Enterprise (SGN)
Sophos Authenticator
Sophos Central
Sophos Connect Client 2.0
Sophos Email
Sophos Email Appliance (SEA)
Sophos Enterprise Console (SEC)
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos RED
Sophos Transparent Authentication Suite (STAS)
Sophos UTM
Sophos UTM Manager
Sophos Web Appliance (SWA)
Sophos Wireless
Sophos ZTNA
SophosLabs Intelix
Publication ID: sophos-sa-20221031-openssl-vuln
Article Version: 3
First Published:
Workaround: No

Overview

On Tuesday October 25, 2022, the OpenSSL Project Team announced that OpenSSL version 3.0.7 will contain a fix for a critical severity vulnerability. The fix applies to OpenSSL version 3 only. Older versions of OpenSSL are not affected.

On Tuesday November 1, 2022, the OpenSSL Project Team published an advisory about CVE-2022-3786 and CVE-2022-3602, which affect version 3 and above.

OpenSSL is a ubiquitous cryptography library used in many operating systems and applications. OpenSSL version 3 is the newest major version, first released in September 2021.

Patches for OpenSSL

OpenSSL 3.0.7, which contains the fix, is available at https://www.openssl.org/source/openssl-3.0.7.tar.gz.
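As an added example (not part of the Sophos advisory), the following Python check parses the banner printed by `openssl version` and flags builds in the affected range, which this example takes as 3.0.0 through 3.0.6 because 3.0.7 is the fixed release named above. The sample banners are constructed; the `openssl` binary path is assumed to be on PATH.

```python
import re
import subprocess

# Fixed release named in the advisory; every 3.0.x build before it is affected.
FIXED_VERSION = (3, 0, 7)
FIRST_AFFECTED = (3, 0, 0)

# Matches "OpenSSL 3.0.5" inside a banner; also works on lines such as
# "OpenSSH_9.0p1, OpenSSL 3.0.5 5 Jul 2022" that embed the library version.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from a version banner, or None if the
    banner is not an OpenSSL one (e.g. LibreSSL, which is a different codebase)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(banner):
    """True when the banner reports OpenSSL 3.0.0 <= version < 3.0.7."""
    v = parse_openssl_version(banner)
    if v is None:
        return False
    return FIRST_AFFECTED <= v < FIXED_VERSION


def classify(banners):
    """Map each banner to 'affected', 'not affected' or 'not openssl'."""
    result = {}
    for b in banners:
        if parse_openssl_version(b) is None:
            result[b] = "not openssl"
        else:
            result[b] = "affected" if is_affected(b) else "not affected"
    return result


def local_openssl_banner():
    """Run `openssl version` on this host; None if the binary is missing."""
    try:
        return subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None


# Constructed sample banners covering the cases a host inventory will meet.
SAMPLE_BANNERS = [
    "OpenSSL 3.0.5 5 Jul 2022",      # affected, needs 3.0.7
    "OpenSSL 3.0.7 1 Nov 2022",      # fixed release
    "OpenSSL 1.1.1q  5 Jul 2022",    # 1.1.1 branch is not affected
    "LibreSSL 3.3.6",                # not OpenSSL at all, despite the 3.x number
]
```

Running `classify([local_openssl_banner()])` gives the verdict for the current host; note that statically linked applications ship their own OpenSSL and are not covered by the system binary's banner.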

What Sophos products are affected?

Sophos is reviewing and patching all affected applications and services as part of its incident response process.

| Product or Service | Status | Description |
|---|---|---|
| Cloud Optix | Not vulnerable | OpenSSL version 3.x not used |
| PureMessage | Not vulnerable | OpenSSL version 3.x not used |
| Reflexion | Not vulnerable | OpenSSL version 3.x not used |
| SafeGuard Enterprise (SGN) | Not vulnerable | OpenSSL version 3.x not used |
| SG UTM (all versions) | Not vulnerable | OpenSSL version 3.x not used |
| SG UTM Manager (SUM) (all versions) | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Authenticator | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Central | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Endpoint protection (Windows/Mac/Linux) | Not vulnerable | OpenSSL version 3.x not used in: Intercept X Endpoint; Intercept X for Server |
| Sophos Email | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Email Appliance | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Enterprise Console (SEC) | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Firewall (all versions) | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Firewall auxiliary clients | Not vulnerable | OpenSSL version 3.x not used in: Sophos Connect Client; Sophos Transparent Authentication Suite (STAS); Sophos Authentication for Thin Client (SATC) (EOL); Client Authentication Agent (all versions) |
| Sophos Home | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Mobile | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Mobile EAS Proxy | Not impacted | OpenSSL used for certificate generation only |
| Sophos RED | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Web Appliance | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Wireless | Not vulnerable | OpenSSL version 3.x not used |
| Sophos ZTNA | Not vulnerable | OpenSSL version 3.x not used |
| SophosLabs Intelix | Not vulnerable | OpenSSL version 3.x not used |

Other products and services

Any other products or services not listed above are still under investigation. Sophos will publish updated information as it becomes available.

How are Sophos customers protected?

IPS Signatures

IPS signatures were first published on November 4, 2022.

Sophos Firewall

  • SIDs are 2307860, 60790

Sophos Endpoint

  • SID is 2307860

Sophos SG UTM

  • SID is 60790

Related Information