.svg?width=185&quality=80&auto=webp&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000 "Home"){kind=logo}
.svg?width=13&quality=80&auto=webp&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000 "Top Navigation - Sign in - Icon")
Critical
Resolved XEE vulnerability in Sophos Mobile managed on-premises (CVE-2022-3980)
CVE(N)
CVE-2022-3980
PRODUIT(S)
Sophos Mobile
Mis à jour
2022 Nov 16
Version de l'article
1
Publié
2022 Nov 16
ID de publication
sophos-sa-20221116-smc-xee
Solution alternative
Yes
Overview
Sophos has fixed an XML External Entity (XEE/XXE) vulnerability allowing for Server-Side Request Forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises. This was discovered and responsibly disclosed to Sophos by an external security researcher.
Sophos would like to thank Florian Hauser of Code White GmbH for responsibly disclosing the issue to Sophos.
No action is required for customers using Sophos Mobile, managed by Sophos Central.
Applies to the following Sophos product(s) and version(s)
Sophos Mobile managed on-premises between version 5.0.0 and 9.7.4
Workaround
Customers can protect themselves by blocking all requests to /servlets/OmaDsServlet on a WAF.
Remediation
Patch installation
Ensure you are running the supported version (9.7.3) of Sophos Mobile managed on-premises
Install the Sophos Mobile 9.7.5 patch
For customers unable to upgrade to version 9.7.5, apply the hotfix (tested on 7.0.0 and newer):
Download the Sophos Mobile November 2022 hotfix
Right-click
SophosMobileHotfixNov2022.ps1and select “Run as administrator” on the server
Users of older versions of Sophos Mobile on-premises are required to upgrade to receive this fix
Related information
Sophos Responsible Disclosure Policy
To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.