On June 5th 2014 the OpenSSL Project published an advisory listing seven security defects in their software along with an update to fix them.
Certain Sophos products use the OpenSSL cryptography libraries and hence this article provides information on the issue in relation to our products.
Important: We are fully investigating this issue and will update this article to provide further information when available.
Applies to the following Sophos product(s) and version(s)
Sophos Web Appliance
Sophos UTM Manager
Sophos Email Appliance
PureMessage for Unix
What are the OpenSSL defects?
See the table below for a list of CVE numbers and brief description.
| CVE reference† | Description |
|---|---|
| CVE-2014-0224 | SSL/TLS MITM vulnerability |
| CVE-2014-0221 | DTLS recursion flaw |
| CVE-2014-0195 | DTLS invalid fragment vulnerability |
| CVE-2014-0198 | SSL_MODE_RELEASE_BUFFERS NULL pointer dereference |
| CVE-2010-5298 | SSL_MODE_RELEASE_BUFFERS session injection or denial of service |
| CVE-2014-3470 | Anonymous ECDH denial of service |
| CVE-2014-0076 | Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" |
†CVE provides a standardized reference number and information on public security vulnerabilities and exposures. For more information see the cve.mitre.org website.
The list of defects as published by the OpenSSL Project can be found at the following link:
What versions of OpenSSL are affected?
Until the software release on June 5th, all versions of OpenSSL were vulnerable on the client side; the flaw (CVE-2014-0224) dates back to the origin of the code in 1998. On the server side, only versions 1.0.1 and higher are vulnerable.
For more information see our Naked Security blog article:
Have any of the OpenSSL defects been exploited so far?
Is this the same as 'heartbleed'?
No. Heartbleed (CVE-2014-0160) was disclosed by the OpenSSL Project on April 7th 2014 and was an earlier software defect.
What Sophos products are affected?
The table below lists the affected Sophos products, associated CVE number, and further information.
Important: When our development teams complete their investigation all affected products and resolutions will be listed. If a product is not listed in the table below it is not affected in any way.
| Product affected | Associated CVE | Further information |
|---|---|---|
| Sophos UTM v8.3, v9.1 and v9.2 | CVE-2014-0224 | Fixed in v8.312, v9.113 and v9.203 respectively (all released; see KBA 121112 for update instructions) |
| Sophos UTM Manager v4.1 and 4.2 | CVE-2014-0224 | Patched in version 4.107 (released; file size ~198MB) and version 4.201 (released; file size ~50MB) |
| Sophos Web Appliance v3.9.x.x | CVE-2014-0224 | Patch in v184.108.40.206 (expected June 11th, 2014) |
| Sophos Email Appliance v3.7.x.x | CVE-2014-0224 | Patch in v220.127.116.11 (expected week commencing June 23rd 2014) |
| PureMessage for UNIX v6 | CVE-2014-0224 | Patch expected June 25th 2014 |
| Sophos Cloud | CVE-2014-0224 | Patched 17th June 2014 |
I have a further question, what should I do?
If something in the article is not clear, leave a comment in the form below. Otherwise post your question to our community: