Overview
On Tuesday February 7, 2023, the OpenSSL Project Team announced that several versions of OpenSSL contain fixes for vulnerabilities, including one high severity one.
OpenSSL is a ubiquitous cryptography library used in many operating systems and applications.
Patches for OpenSSL
The fixes are included in the following releases:
- https://www.openssl.org/source/openssl-3.0.8.tar.gz
- https://www.openssl.org/source/openssl-1.1.1t.tar.gz
- OpenSSL 1.0.2zg (premium support customers only)
What Sophos products are affected?
Sophos is reviewing and patching all affected applications and services as part of its incident response process.
Note: as this is an ongoing investigation product status will change as more information becomes available.
Product or Service | CVE-2023-0286 Status | Description |
Cloud Optix | Not affected | Component not present |
PureMessage | Not affected | Vulnerable code not in execute path |
SG UTM (all versions) | Not affected | Vulnerable code cannot be controlled by adversary |
Sophos Endpoint protection (Windows/Mac/Linux) | Not affected | Vulnerable code not in execute path |
Sophos Endpoint Protection - Legacy (Linux/SVE) | Not affected | Vulnerable code not in execute path |
Sophos Enterprise Console (SEC) | Not affected | Vulnerable code not in execute path |
Sophos Firewall (all versions) | Not affected | Vulnerable code cannot be controlled by adversary |
Sophos Central | Not affected | Vulnerable code not in execute path |
Sophos Connect client | Not affected | Vulnerable code not in execute path |
Sophos Email | Not affected | Vulnerable code not in execute path |
Sophos Email Appliance | Not affected | Vulnerable code not in execute path |
Sophos Home | Not affected | Vulnerable code not in execute path |
Sophos RED | Not affected | Vulnerable code not in execute path |
Sophos Wireless | Not affected | Vulnerable code not in execute path |
Sophos Web Appliance | Not affected | Vulnerable code not in execute path |
Sophos SASI (AntiSpam) | Not affected | Vulnerable code not in execute path |
Sophos Mobile | Not affected | Vulnerable code not in execute path |
Sophos Mobile EAS Proxy | Not affected | Vulnerable code not in execute path |
SophosLabs Intelix | Not affected | Vulnerable code not in execute path |
Sophos product protections
Sophos is actively monitoring for threat activity and detection opportunities relating to this vulnerability.
Related Information
- https://www.openssl.org/news/secadv/20230207.txt
- https://www.openssl.org/policies/general/security-policy.html
- https://nakedsecurity.sophos.com/2023/02/08/openssl-fixes-high-severity-data-stealing-bug-patch-now/
- https://nakedsecurity.sophos.com/2023/02/09/s3-ep121-can-you-get-hacked-and-then-prosecuted-for-it-audio-text/
Change Log
- February 14, 2023: Initial version
- February 20, 2023:
- Added: Sophos Endpoint Protection - Legacy (Linux/SVE), Sophos Central, Sophos Email, Sophos Email Appliance
- Updated: Sophos Endpoint protection (Windows/Mac/Linux)