[UPDATE 09 April 2014 14:43 ET] A fix is now available. Please check our knowledgebase article, which we will update as we get more information.
On 07 April 2014, a critical vulnerability was found in OpenSSL that also affects some versions of Sophos UTM.
The official CVE entry is tracked here, with more information, and mentions versions that are also used inside the UTM product from Sophos.
Affected versions of UTM are UTM 9.1 and UTM 9.2, as well as the SSL Clients from those UTM versions.
The vulnerability is a TLS heartbeat read overrun, which could be used to reveal chunks of sensitive data from the system memory of any system running the affected versions of OpenSSL. This applies worldwide and is not limited to Sophos UTM.
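A heartbeat read overrun of this kind arises when the responder trusts the payload length claimed inside the heartbeat message instead of the number of bytes actually received. The C example below is added here for illustration and is not Sophos or OpenSSL code; the function name `hb_build_response`, the constants and the two sample messages are constructed for this example, and it applies the length check that RFC 6520 requires before echoing the payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request message type (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response message type */
#define HB_HDR_LEN  3   /* 1 byte type + 2 byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding length required by RFC 6520 */

/* Hypothetical helper: builds a response in out[] and returns its length,
 * or returns 0 when the message must be silently discarded. */
size_t hb_build_response(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap)
{
    if (!msg || !out || msg_len < HB_HDR_LEN + HB_MIN_PAD || msg[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    /* The decisive check: the claimed payload plus padding must fit inside
     * the bytes that were really received, otherwise memcpy reads past them. */
    if (HB_HDR_LEN + claimed + HB_MIN_PAD > msg_len)
        return 0;
    size_t resp_len = HB_HDR_LEN + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = msg[1]; out[2] = msg[2];
    memcpy(out + HB_HDR_LEN, msg + HB_HDR_LEN, claimed);
    memset(out + HB_HDR_LEN + claimed, 0, HB_MIN_PAD); /* zeros here; the RFC asks for random padding */
    return resp_len;
}

/* Constructed sample: claims 4 payload bytes and carries them plus 16 padding bytes. */
static const uint8_t hb_ok[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
/* Constructed sample: claims 0x4000 payload bytes but carries only 1 plus padding. */
static const uint8_t hb_bad[20] = { HB_REQUEST, 0x40, 0x00, 'x' };

int main(void)
{
    uint8_t out[64];
    printf("well-formed:  %zu bytes\n", hb_build_response(hb_ok, sizeof hb_ok, out, sizeof out));
    printf("over-claimed: %zu bytes\n", hb_build_response(hb_bad, sizeof hb_bad, out, sizeof out));
    return 0;
}
```

A message whose claimed length exceeds what was received is dropped without a reply, so no memory beyond the received record is ever copied into a response.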
We are working on a fix with high priority and will release Up2Date packages as soon as possible.
Senior Product Manager