
OpenSSL Vulnerability in Sophos Connect VPN application

OpenSSL recently released a new patched version; however, the Sophos Connect (2.2.90.1104) application is still running on a vulnerable version of OpenSSL (1.1.1n).

If we replace the openssl.exe file with the latest one, will VPN connectivity work? And is there any roadmap from Sophos to release a patched version of Sophos Connect?



  • Hello,

    Good day and thanks for reaching out to Sophos Community.

    There are already plans to upgrade the OpenVPN on SCC, though the timeline is yet to be confirmed. In the meantime, may we confirm whether you have a specific vulnerability that you are concerned with? Kindly let us know.

    Many thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi Raphael,

    The version of OpenSSL included in the Sophos Connect client contains a number of High Severity OpenSSL vulnerabilities (CVE-2023-0286, CVE-2022-4450 & CVE-2023-0464) and we need a fix ASAP.

    When will a new version of Sophos Connect be published that includes the fixes?

    At the very least, we need a workaround where we can update (C:\Program Files (x86)\Sophos\Connect\openssl.exe) to a patched version of openssl. Please advise how to patch this executable without impacting the operation of the Sophos Connect client.

    Many thanks,

    Josh
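Both the original question (can openssl.exe simply be swapped out?) and Josh's reply (which CVEs are open) come down to one check: which OpenSSL build each binary in the Sophos Connect install directory actually carries. The script below is an added example, not Sophos code or anything posted in this thread. It scans every .exe and .dll under the install path quoted above for the version banner that OpenSSL compiles into libcrypto (OPENSSL_VERSION_TEXT, e.g. "OpenSSL 1.1.1n  15 Mar 2022"), so it catches a statically linked openvpn.exe as well as a separate libcrypto DLL, and then reports which of the three CVEs named in the thread are not fixed in the build it found. The CVE-to-release mapping is taken from the OpenSSL security advisories for 1.1.1t (7 Feb 2023) and 1.1.1u (30 May 2023); verify it against the advisories before acting on the output. The install directory, the function names and the $FixedIn table are this example's own assumptions.

```powershell
# Inventory the OpenSSL builds shipped with Sophos Connect and compare them
# against the OpenSSL 1.1.1 letter releases that fixed the CVEs raised here.
# Added example, not Sophos code. The default path is the one quoted in the
# thread; pass -InstallDir if the client is installed elsewhere.
[CmdletBinding()]
param(
    [string]$InstallDir = 'C:\Program Files (x86)\Sophos\Connect'
)

# CVE -> first OpenSSL 1.1.1 release containing the fix (OpenSSL advisories
# of 7 Feb 2023 for 1.1.1t and 30 May 2023 for 1.1.1u). Verify before use.
$FixedIn = @{
    'CVE-2023-0286' = '1.1.1t'
    'CVE-2022-4450' = '1.1.1t'
    'CVE-2023-0464' = '1.1.1u'
}

function ConvertTo-OpenSslVersionKey {
    # '1.1.1n' -> numeric triple plus the letter suffix that orders 1.1.1 patch releases.
    param([string]$Version)
    if ($Version -notmatch '^(\d+)\.(\d+)\.(\d+)([a-z]*)$') {
        throw "Unparseable OpenSSL version string: $Version"
    }
    [pscustomobject]@{
        Major  = [int]$Matches[1]
        Minor  = [int]$Matches[2]
        Patch  = [int]$Matches[3]
        Letter = $Matches[4]   # '' for the base release, 'a'..'z' for patch releases
    }
}

function Compare-OpenSslVersion {
    # Negative if $Have is older than $Need, zero if equal, positive if newer.
    param([string]$Have, [string]$Need)
    $a = ConvertTo-OpenSslVersionKey $Have
    $b = ConvertTo-OpenSslVersionKey $Need
    foreach ($field in 'Major', 'Minor', 'Patch') {
        if ($a.$field -ne $b.$field) { return $a.$field - $b.$field }
    }
    # Same numeric release: the base release ('') sorts before 'a', 'a' before 'b', ...
    return [string]::CompareOrdinal($a.Letter, $b.Letter)
}

function Get-EmbeddedOpenSslVersion {
    # OpenSSL bakes its banner ("OpenSSL 1.1.1n  15 Mar 2022") into libcrypto,
    # so it is present whether libcrypto is a DLL or statically linked into an EXE.
    # Anchoring the regex on the trailing build date avoids matching stray
    # "OpenSSL 1.1.1" mentions in unrelated error text.
    param([string]$Path)
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    [regex]::Matches($text, 'OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+\d{1,2} [A-Z][a-z]{2} \d{4}') |
        ForEach-Object { $_.Groups[1].Value } |
        Sort-Object -Unique
}

function Get-SophosConnectOpenSslReport {
    param([string]$Dir)
    $found = Get-ChildItem -Path $Dir -Recurse -Include *.exe, *.dll -ErrorAction Stop |
        ForEach-Object {
            foreach ($v in (Get-EmbeddedOpenSslVersion -Path $_.FullName)) {
                [pscustomobject]@{ File = $_.FullName; OpenSSL = $v }
            }
        }
    if (-not $found) {
        Write-Warning "No OpenSSL version banner found under $Dir"
        return
    }
    foreach ($entry in $found) {
        if ($entry.OpenSSL -notlike '1.1.1*') {
            # The table above only covers the 1.1.1 line; 3.x fixes land in different releases.
            $status = 'not a 1.1.1 build; check the OpenSSL advisories for this version'
        } else {
            $unfixed = $FixedIn.GetEnumerator() |
                Where-Object { (Compare-OpenSslVersion -Have $entry.OpenSSL -Need $_.Value) -lt 0 } |
                ForEach-Object { $_.Key } |
                Sort-Object
            $status = if ($unfixed) { 'UNFIXED: ' + ($unfixed -join ', ') } else { 'all three CVEs fixed' }
        }
        [pscustomobject]@{ File = $entry.File; OpenSSL = $entry.OpenSSL; Status = $status }
    }
}

Get-SophosConnectOpenSslReport -Dir $InstallDir | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt and look at which files carry the banner. If the only hit is openssl.exe, then that command-line tool is the only OpenSSL in the install and replacing it is a plausible workaround; if openvpn.exe or a libcrypto/libssl DLL also reports 1.1.1n, then the TLS code the tunnel actually uses lives there, and replacing openssl.exe alone leaves the CVEs in place. Re-run the script after any update to confirm every reported build is at 1.1.1u or later.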