Overview
On Tuesday October 25, 2022, the OpenSSL Project Team announced that OpenSSL version 3.0.7 will contain a fix for a critical severity vulnerability. The fix applies to OpenSSL version 3 only. Older versions of OpenSSL are not affected.
On Tuesday November 1, 2022, OpenSSL Project Team published an advisory about CVE-2022-3786 and CVE-2022-3602 that affects versions 3 and above.
OpenSSL is a ubiquitous cryptography library used in many operating systems and applications. OpenSSL version 3 is the newest major version, first released in September 2021.
Patches for OpenSSL
The release of OpenSSL 3.0.7 containing the fix is released https://www.openssl.org/source/openssl-3.0.7.tar.gz.
What Sophos products are affected?
Sophos is reviewing and patching all affected applications and services as part of its incident response process.
Product or Service | Status | Description |
---|---|---|
Cloud Optix | Not vulnerable | OpenSSL version 3.x not used |
PureMessage | Not vulnerable | OpenSSL version 3.x not used |
Reflexion | Not vulnerable | OpenSSL version 3.x not used |
SafeGuard Enterprise (SGN) | Not vulnerable | OpenSSL version 3.x not used |
SG UTM (all versions) | Not vulnerable | OpenSSL version 3.x not used |
SG UTM Manager (SUM) (all versions) | Not vulnerable | OpenSSL version 3.x not used |
Sophos Authenticator | Not vulnerable | OpenSSL version 3.x not used |
Sophos Central | Not vulnerable | OpenSSL version 3.x not used |
Sophos Endpoint protection (Windows/Mac/Linux) | Not vulnerable | OpenSSL version 3.x not used in:
|
Sophos Email | Not vulnerable | OpenSSL version 3.x not used |
Sophos Email Appliance | Not vulnerable | OpenSSL version 3.x not used |
Sophos Enterprise Console (SEC) | Not vulnerable | OpenSSL version 3.x not used |
Sophos Firewall (all versions) | Not vulnerable | OpenSSL version 3.x not used |
Sophos Firewall auxiliary clients | Not vulnerable | OpenSSL version 3.x not used in:
|
Sophos Home | Not vulnerable | OpenSSL version 3.x not used |
Sophos Mobile | Not vulnerable | OpenSSL version 3.x not used |
Sophos Mobile EAS Proxy | Not impacted | OpenSSL used for certificate generation only |
Sophos RED | Not vulnerable | OpenSSL version 3.x not used |
Sophos Web Appliance | Not vulnerable | OpenSSL version 3.x not used |
Sophos Wireless | Not vulnerable | OpenSSL version 3.x not used |
Sophos ZTNA | Not vulnerable | OpenSSL version 3.x not used |
SophosLabs Intelix | Not vulnerable | OpenSSL version 3.x not used |
How are Sophos customers protected?
IPS Signatures
IPS signatures were first published on November 4, 2022.
Sophos Firewall
- SIDs are 2307860, 60790
Sophos Endpoint
- SID is 2307860
Sophos SG UTM
- SID is 60790