Informational

High

Advisory: OpenSSL DoS vulnerability (CVE-2022-0778)

CVE(N)

CVE-2022-0778

Product(N)

Sophos Firewall

Sophos UTM

Sophos Web Appliance (SWA)

Updated

2022 Mar 18

Article Version

1

Publication Date

2022 Mar 18

Publication ID

sophos-sa-20220318-openssl-dos

Workaround

No

Overview

On Tuesday, March 15, 2022, the OpenSSL project advised of a denial-of-service vulnerability in all versions of OpenSSL. OpenSSL is a ubiquitous cryptography library used in many operating systems and applications. The vulnerability affects a broad range of services and applications, with impacts varying from low to very disruptive, which makes the latest updates for some applications urgent.

The vulnerability allows an attacker to cause the vulnerable component to enter an infinite loop by presenting it with a maliciously crafted certificate.

What Sophos products are affected?

Sophos will review and patch all affected applications and services as part of its incident response process.

| Product or Service | Impact | Description |
|---|---|---|
| Sophos Firewall (all versions) | HIGH | Sophos Firewall is potentially impacted by CVE-2022-0778 in the VPN and TLS inspection components. The fix is included in version 18.5 MR3 (late March 2022) and 19.0 GA (April 2022). |
| Sophos UTM | HIGH | Sophos UTM is potentially impacted by CVE-2022-0778 in the VPN and TLS inspection components. The fix is included in version 9.711 MR11 (April 2022). |
| Sophos Web Appliance | HIGH | Sophos Web Appliance (SWA) is potentially impacted by CVE-2022-0778. The fix is included in version 4.3.10.3 (April 2022). |


Sophos Responsible Disclosure Policy

To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.