Advisory: OpenSSL DoS vulnerability (CVE-2022-0778)

Severity: High
CVE: CVE-2022-0778
Updated:
Product(s): Sophos Firewall, Sophos UTM, Sophos Web Appliance (SWA)
Publication ID: sophos-sa-20220318-openssl-dos
Article version: 1
First published:
Solution: No

Overview

On Tuesday, March 15, 2022, the OpenSSL project published an advisory for a denial of service vulnerability in all versions of OpenSSL. OpenSSL is a ubiquitous cryptography library used in many operating systems and applications. The vulnerability affects a broad range of services and applications, with impacts ranging from low to very disruptive, which makes the latest updates urgent for some applications.

The vulnerability allows an attacker to cause the vulnerable component to enter an infinite loop by presenting it with a maliciously crafted certificate.
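Because the flaw lives in the library rather than in any one product, the first question for a defender is which OpenSSL build each host or appliance is running. The following script is an added example, not part of the Sophos advisory: it parses the banner printed by `openssl version` and classifies it against the OpenSSL project's published fix releases (1.0.2zd, 1.1.1n and 3.0.2, which are not values from this page). It handles the letter-suffixed patch scheme of the 1.x branches as well as the purely numeric 3.x scheme, and treats end-of-life branches that never received a fix as vulnerable. The sample banners at the bottom are constructed.

```python
import re
import subprocess

# First release carrying the CVE-2022-0778 fix on each branch that was supported
# at the time. These are the OpenSSL project's published fix versions, not values
# taken from the Sophos advisory above.
FIXED = {
    (1, 0, 2): (1, 0, 2, "zd"),
    (1, 1, 1): (1, 1, 1, "n"),
    (3, 0): (3, 0, 2, ""),
}

_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.1.1k  25 Mar 2021' into (1, 1, 1, 'k').

    The letter suffix is kept as a string: Python's lexicographic string
    comparison orders '' < 'a' < ... < 'z' < 'za' < 'zb', which matches the
    patch-letter scheme OpenSSL 1.x used. A trailing build tag such as
    '-fips' is not part of the version and is ignored.
    """
    m = _VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def branch_of(version):
    """1.x branches are identified by three numbers, 3.x branches by two."""
    major, minor, patch, _ = version
    return (major, minor, patch) if major < 3 else (major, minor)


def assess(banner):
    """Classify a version banner against the CVE-2022-0778 fix versions.

    Returns 'fixed', 'vulnerable' or 'eol' (a branch that never received a
    fix; treat it as vulnerable). Raises ValueError for non-OpenSSL banners
    such as LibreSSL, which does not share this code.
    """
    version = parse_openssl_version(banner)
    fixed = FIXED.get(branch_of(version))
    if fixed is None:
        # Branches newer than 3.0 were released after the fix and carry it;
        # anything else (1.0.1, 1.1.0, ...) was end-of-life and never patched.
        return "fixed" if version > (3, 0, 2, "") else "eol"
    return "fixed" if version >= fixed else "vulnerable"


def assess_local_openssl():
    """Run `openssl version` on this host and assess the result."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), assess(out)


if __name__ == "__main__":
    # Constructed sample banners, in the form `openssl version` prints them.
    for banner in ["OpenSSL 1.1.1k  25 Mar 2021", "OpenSSL 1.1.1n  15 Mar 2022",
                   "OpenSSL 3.0.1 14 Dec 2021", "OpenSSL 1.0.2k-fips  26 Jan 2017",
                   "OpenSSL 1.1.0l  10 Sep 2019"]:
        print("%-35s %s" % (banner, assess(banner)))
```

Note that this only tells you what the `openssl` binary on the PATH is; statically linked daemons and appliances such as the products listed below bundle their own copy, which is why the vendor's fixed product versions are the authoritative signal for them.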

What Sophos products are affected?

Sophos will review and patch all affected applications and services as part of its incident response process.

Product or Service             | Impact | Description
-------------------------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Sophos Firewall (all versions) | HIGH   | Sophos Firewall is potentially impacted by CVE-2022-0778 in the VPN and TLS inspection components. The fix is included in version 18.5 MR3 (late March 2022) and 19.0 GA (April 2022).
Sophos UTM                     | HIGH   | Sophos UTM is potentially impacted by CVE-2022-0778 in the VPN and TLS inspection components. The fix is included in version 9.711 MR11 (April 2022).
Sophos Web Appliance           | HIGH   | Sophos Web Appliance (SWA) is potentially impacted by CVE-2022-0778. The fix is included in version 4.3.10.3 (April 2022).

Other products and services

Any other products or services not listed above are still under investigation. Sophos will publish updated information as it becomes available.