Informational
Advisory: OpenSSL 3.x critical vulnerability
CVE(s)
CVE-2022-3786
CVE-2022-3602
Product(s)
Cloud Optix
Sophos Endpoint
Reflexion
SafeGuard Enterprise (SGN)
Sophos Authenticator
Sophos Central
Sophos Connect Client 2.0
Sophos Email
Sophos Email Appliance (SEA)
Sophos Enterprise Console (SEC)
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos RED
Sophos Transparent Authentication Suite (STAS)
Sophos UTM
Sophos UTM Manager
Sophos Web Appliance (SWA)
Sophos Wireless
Sophos ZTNA
SophosLabs Intelix
Updated
2022 Nov 4
Article version
3
Published
2022 Oct 31
Publication ID
sophos-sa-20221031-openssl-vuln
Workaround
No
Overview
On Tuesday October 25, 2022, the OpenSSL Project Team announced that OpenSSL version 3.0.7 would contain a fix for a critical severity vulnerability. The fix applies to OpenSSL version 3 only. Older versions of OpenSSL are not affected.
On Tuesday November 1, 2022, the OpenSSL Project Team published an advisory for CVE-2022-3786 and CVE-2022-3602, which affect versions 3 and above.
OpenSSL is a ubiquitous cryptography library used in many operating systems and applications. OpenSSL version 3 is the newest major version, first released in September 2021.
Patches for OpenSSL
OpenSSL 3.0.7, which contains the fix, has been released: https://www.openssl.org/source/openssl-3.0.7.tar.gz.
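To decide whether a given OpenSSL build is in the range this advisory describes, the following added Python helper (not part of the Sophos advisory) parses the banner printed by `openssl version` and classifies it; the rule that 3.x builds older than 3.0.7 are affected follows from the advisory's statements that only version 3 is affected and that 3.0.7 carries the fix. The sample banners below are constructed input so the script runs offline.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample outputs of `openssl version`, used as offline input.
SAMPLE_OUTPUTS = [
    "OpenSSL 3.0.6 11 Oct 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
    "OpenSSL 3.1.0",
]

# Matches "OpenSSL <major>.<minor>.<patch>[letter]"; the letter suffix only
# exists in 1.x releases (e.g. 1.1.1q), 3.x uses plain numeric versions.
# Banners from other libraries (e.g. LibreSSL) deliberately do not match.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, letter) or None if not an OpenSSL banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def classify(banner: str) -> str:
    """Classify a build against the advisory:
    'not_affected' for pre-3.0 releases, 'affected' for 3.0.0 through 3.0.6
    (3.x builds older than the 3.0.7 fix), 'fixed' for 3.0.7 or later,
    'unknown' if the banner cannot be parsed."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, _ = parsed
    if major < 3:
        return "not_affected"
    if (major, minor, patch) < (3, 0, 7):
        return "affected"
    return "fixed"


def classify_local_openssl() -> str:
    """Classify the `openssl` binary on PATH; 'unknown' if it cannot be run."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return classify(out)
```

Running `classify` over `SAMPLE_OUTPUTS` yields affected, fixed, not_affected, fixed in that order; `classify_local_openssl()` applies the same rule to the host's own binary.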
What Sophos products are affected?
Sophos is reviewing and patching all affected applications and services as part of its incident response process.
| Product or Service | Status | Description |
|---|---|---|
| Cloud Optix | Not vulnerable | OpenSSL version 3.x not used |
| PureMessage | Not vulnerable | OpenSSL version 3.x not used |
| Reflexion | Not vulnerable | OpenSSL version 3.x not used |
| SafeGuard Enterprise (SGN) | Not vulnerable | OpenSSL version 3.x not used |
| SG UTM (all versions) | Not vulnerable | OpenSSL version 3.x not used |
| SG UTM Manager (SUM) (all versions) | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Authenticator | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Central | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Endpoint protection (Windows/Mac/Linux) | Not vulnerable | OpenSSL version 3.x not used in: |
| Sophos Email | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Email Appliance | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Enterprise Console (SEC) | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Firewall (all versions) | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Firewall auxiliary clients | Not vulnerable | OpenSSL version 3.x not used in: |
| Sophos Home | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Mobile | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Mobile EAS Proxy | Not impacted | OpenSSL used for certificate generation only |
| Sophos RED | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Web Appliance | Not vulnerable | OpenSSL version 3.x not used |
| Sophos Wireless | Not vulnerable | OpenSSL version 3.x not used |
| Sophos ZTNA | Not vulnerable | OpenSSL version 3.x not used |
| SophosLabs Intelix | Not vulnerable | OpenSSL version 3.x not used |
How are Sophos customers protected?
IPS Signatures
IPS signatures were first published on November 4, 2022.
Sophos Firewall
- SIDs are 2307860, 60790
Sophos Endpoint
- SID is 2307860
Sophos SG UTM
- SID is 60790
Related Information
Sophos Responsible Disclosure Policy
To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.