
Critical

Sophos Web Appliance 4.3.10.4 Resolves Security Vulnerabilities

CVE(s)

CVE-2023-1671

CVE-2022-4934

CVE-2020-36692

PRODUCT(S)

Sophos Web Appliance (SWA)

Updated

2023 Nov 17

Article version

2

Published

2023 Apr 4

Publication ID

sophos-sa-20230404-swa-rce

Workaround

No

Overview

The Sophos Web Appliance (SWA) 4.3.10.4 release fixes the following security issues:

CVE ID: CVE-2023-1671
Severity: CRITICAL
Description: A pre-auth command injection vulnerability in the warn-proceed handler, allowing execution of arbitrary code, was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program. CISA has observed this vulnerability being exploited in the wild.

CVE ID: CVE-2022-4934
Severity: HIGH
Description: A post-auth command injection vulnerability in the exception wizard, allowing administrators to execute arbitrary code, was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program.

CVE ID: CVE-2020-36692
Severity: MEDIUM
Description: A reflected XSS via POST vulnerability in the report scheduler, allowing execution of JavaScript code in the victim's browser, was discovered and responsibly disclosed to Sophos by an external researcher via the Sophos bug bounty program. The victim must be tricked into submitting a malicious form on an attacker-controlled website while logged in to SWA for the attack to succeed.
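Two of the three issues above are command injection in a web handler. The following Python example is added here to illustrate that vulnerability class in general; it is not Sophos code, does not reproduce the SWA warn-proceed or exception-wizard handlers, and contains no details of those flaws. The helper binary name `LOOKUP_BIN` and the two URL inputs are constructed for the illustration. The unsafe variant only builds the shell string and tokenises it the way a POSIX shell would, so nothing is executed.

```python
import re
import shlex
import subprocess

# Constructed inputs of the kind a URL-handling endpoint might receive.
# The first carries shell metacharacters and whitespace; the second is clean.
INJECTED_URL = "http://example.com/'; id; echo '"
CLEAN_URL = "http://example.com/path"

# Hypothetical helper binary wrapped by the handler (assumption for the example).
LOOKUP_BIN = "/usr/bin/lookup-category"

# Characters permitted in a URL per RFC 3986 (unreserved + reserved + '%').
# Whitespace and quotes are not in this set and must be percent-encoded.
URL_RE = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def build_command_unsafe(url: str) -> str:
    """Vulnerable pattern: untrusted input interpolated into a shell command.

    Single quotes around the value do not help once the value itself
    contains a single quote. Returns the string; it is never run here.
    """
    return f"{LOOKUP_BIN} '{url}'"


def count_shell_commands(cmd: str) -> int:
    """Tokenise like a POSIX shell and count ';'-separated commands.

    1 means the input stayed inside the intended argument; more than 1
    means it broke out and added commands of its own.
    """
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return 1 + sum(1 for tok in lex if tok == ";")


def validate_url(url: str) -> str:
    """Reject anything that is not a syntactically plausible http(s) URL."""
    if not URL_RE.fullmatch(url):
        raise ValueError("URL contains characters that are not URL-legal")
    if not url.startswith(("http://", "https://")):
        raise ValueError("unsupported scheme")
    return url


def build_argv_safe(url: str) -> list:
    """Hardened pattern: validate, then pass the value as one argv element.

    With shell=False the list goes straight to execve(); metacharacters
    in the argument are inert because no shell ever parses them.
    """
    return [LOOKUP_BIN, validate_url(url)]


def is_accepted(url: str) -> bool:
    """True if the hardened builder accepts the URL, False if it rejects it."""
    try:
        build_argv_safe(url)
        return True
    except ValueError:
        return False


def run_lookup_safe(url: str) -> subprocess.CompletedProcess:
    """Execute the helper without a shell (the binary is hypothetical,
    so this raises FileNotFoundError unless it actually exists)."""
    return subprocess.run(build_argv_safe(url), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for u in (CLEAN_URL, INJECTED_URL):
        cmd = build_command_unsafe(u)
        print(f"unsafe: {cmd!r} -> {count_shell_commands(cmd)} command(s)")
        print(f"safe:   accepted={is_accepted(u)}")
```

The two defences are independent: the allowlist rejects input that is not a URL at all, and the argv list removes the shell from the execution path, so a value such as `http://example.com/a;b`, which is URL-legal and passes validation, still arrives at the helper as a single argument rather than as two commands.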

Notes

  • The End of Life date for Sophos Web Appliance is July 20, 2023
  • Sophos recommends that Sophos Web Appliance is protected by a firewall and not accessible from the public Internet
  • No action is required for Sophos Web Appliance customers, as updates are installed automatically by default; customers who have changed that default should confirm that their appliance is running 4.3.10.4

Sophos Responsible Disclosure Policy

To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.