You may have seen that the OpenSSL team announced, on Monday 2015-07-06, that it had a “high severity” update coming out in three days’ time. The update was published on Thursday 2015-07-09.
The good news is no Sophos products are at risk from this bug. Only the current pre-release Beta version of Sophos Management Communication System (MCS 3.0.0 Beta), a component used by Sophos Cloud and UTM Endpoint products, includes an affected version of OpenSSL. However, MCS does not use the relevant part of the OpenSSL code for certificate verification, so cannot fall foul of the bug. Nevertheless, we expect to update MCS 3 Beta with the latest OpenSSL version by mid-August 2015.
All other Sophos product families either don’t use OpenSSL at all, or use one of the unaffected versions.
We are pleased to announce that a new Up2Date package is available for Sophos ASG.
This update includes the fix for the OpenSSL SSL/TLS vulnerability (CVE-2014-0224).
Please read on to see the full details of this release.
On June 5th, 2014, a vulnerability (CVE-2014-0224) was found in OpenSSL that impacts our network security products. Fortunately, as of the publication of this article, there are no known in-the-wild attacks. Of course, as you’ve come to expect from Sophos, we’ve wasted no time in getting to work on patches to fix this vulnerability.
The vulnerability exists in OpenSSL and can allow an attacker using a man-in-the-middle attack to decrypt and modify traffic between a vulnerable client and server. Both client and server must be vulnerable for this exploit to work. OpenSSL versions 1.0.1 and 1.0.2-beta are affected.
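The post describes CVE-2014-0224 only as a man-in-the-middle bug that needs both endpoints to be vulnerable. What a network defender can look for is the handshake anomaly that the bug hinges on: an affected OpenSSL accepts a ChangeCipherSpec (CCS) record before the key exchange has completed. The following is an added example, not Sophos code and not part of the original post; it assumes that published mechanism and runs a small passive check over constructed TLS 1.0 records, flagging a CCS that arrives before the ClientKeyExchange (client to server) or ServerHelloDone (server to client) message. Record layout, handshake types and sample bytes follow RFC 5246; all sample streams are constructed inline.

```python
import struct

# TLS record content types and handshake message types (RFC 5246 values)
CT_CHANGE_CIPHER_SPEC = 0x14
CT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_CERTIFICATE = 11
HS_SERVER_HELLO_DONE = 14
HS_CLIENT_KEY_EXCHANGE = 16


def record(content_type, payload, version=b"\x03\x01"):
    """Build one TLS record: type (1) | version (2) | length (2) | payload."""
    return bytes([content_type]) + version + struct.pack("!H", len(payload)) + payload


def handshake(hs_type, body):
    """Build one handshake message: type (1) | length (3) | body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def parse_records(stream):
    """Split a raw byte stream into (content_type, payload) tuples."""
    out, i = [], 0
    while i + 5 <= len(stream):
        ct = stream[i]
        length = struct.unpack("!H", stream[i + 3:i + 5])[0]
        payload = stream[i + 5:i + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        out.append((ct, payload))
        i += 5 + length
    return out


def handshake_types(payload):
    """Return the handshake message types inside one plaintext handshake record.
    Servers often coalesce ServerHello, Certificate and ServerHelloDone into one record."""
    types, i = [], 0
    while i + 4 <= len(payload):
        types.append(payload[i])
        i += 4 + int.from_bytes(payload[i + 1:i + 4], "big")
    return types


def early_ccs(stream, direction):
    """True if a ChangeCipherSpec record is seen before the message that must
    legitimately precede it in this direction. Parsing stops at the first CCS,
    because everything after a genuine CCS is encrypted and opaque."""
    marker = HS_CLIENT_KEY_EXCHANGE if direction == "client" else HS_SERVER_HELLO_DONE
    marker_seen = False
    for ct, payload in parse_records(stream):
        if ct == CT_CHANGE_CIPHER_SPEC:
            return not marker_seen
        if ct == CT_HANDSHAKE and marker in handshake_types(payload):
            marker_seen = True
    return False


# --- constructed sample streams (not captured traffic) ---
CLIENT_HELLO = handshake(HS_CLIENT_HELLO, b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")
CLIENT_KEX = handshake(HS_CLIENT_KEY_EXCHANGE, b"\x00\x02\xaa\xbb")
SERVER_FLIGHT = (handshake(HS_SERVER_HELLO, b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
                 + handshake(HS_CERTIFICATE, b"\x00\x00\x00")
                 + handshake(HS_SERVER_HELLO_DONE, b""))
OPAQUE_FINISHED = b"\xde\xad\xbe\xef"  # stands in for the encrypted Finished message

LEGIT_CLIENT = (record(CT_HANDSHAKE, CLIENT_HELLO) + record(CT_HANDSHAKE, CLIENT_KEX)
                + record(CT_CHANGE_CIPHER_SPEC, b"\x01") + record(CT_HANDSHAKE, OPAQUE_FINISHED))
INJECTED_CLIENT = (record(CT_HANDSHAKE, CLIENT_HELLO) + record(CT_CHANGE_CIPHER_SPEC, b"\x01")
                   + record(CT_HANDSHAKE, CLIENT_KEX))
LEGIT_SERVER = (record(CT_HANDSHAKE, SERVER_FLIGHT) + record(CT_CHANGE_CIPHER_SPEC, b"\x01")
                + record(CT_HANDSHAKE, OPAQUE_FINISHED))
INJECTED_SERVER = (record(CT_HANDSHAKE, handshake(HS_SERVER_HELLO, b"\x03\x01" + b"\x11" * 32 + b"\x00\x00\x2f\x00"))
                   + record(CT_CHANGE_CIPHER_SPEC, b"\x01") + record(CT_HANDSHAKE, OPAQUE_FINISHED))

if __name__ == "__main__":
    for name, stream, direction in [("legit client", LEGIT_CLIENT, "client"),
                                    ("injected client", INJECTED_CLIENT, "client"),
                                    ("legit server", LEGIT_SERVER, "server"),
                                    ("injected server", INJECTED_SERVER, "server")]:
        print(f"{name:16s} early CCS: {early_ccs(stream, direction)}")
```

A check like this belongs on the plaintext handshake only; it cannot tell whether the peers actually accepted the early CCS (that depends on their OpenSSL version), so a hit is a reason to inspect the session and patch the endpoints, not proof of compromise.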