This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

OpenSSL Vulnerability in Sophos Connect VPN application

OpenSSL recently released new patched version, however Sophos Connect (2.2.90.1104) application still running on vulnerable version of OpenSSL (1.1.1n)

If we replace the openssl.exe file with latest one, will vpn connectivity work ? and Is there any roadmap with Sophos to release patched version of Sophos connect ?

This thread was automatically locked due to age.

0 Raphael Alganes over 1 year ago

Hello HariKrushna Patel ,

Good day and thanks for reaching out to Sophos Community.

There are plans already to upgrade the OpenVPN on SCC though timeline is yet to be confirmed. In the meantime, May we confirm if you have a specific vulnerability that you are concerned with? Kindly let us know.

Many thanks for your time and patience and thank you for choosing Sophos.

Cheers,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Josh Waaa over 1 year ago in reply to Raphael Alganes

Hi Raphael,

The version of openssl included in the Sophos Connect client contains a number of High Severity openssl vulnerabilites (CVE-2023-0286, CVE-2022-4450 & CVE-2023-0464) and we need a fix ASAP.

When will a new version of Sophos Connect be published that includes the fixes?

At the very least, we need a workaround where we can update (C:\Program Files (x86)\Sophos\Connect\openssl.exe) to a patched version of openssl. Please advise how to patch this executable without impacting the operation of the Sophos Connect client.

Many thanks,

Josh
Cancel
Vote Up 0 Vote Down

Cancel