
OpenSSL Vulnerability in Sophos Connect VPN application

OpenSSL recently released a new patched version; however, the Sophos Connect application is still running on a vulnerable version of OpenSSL (1.1.1n).

If we replace the openssl.exe file with the latest one, will VPN connectivity work? And is there any roadmap with Sophos to release a patched version of Sophos Connect?

  • Hi Raphael,

    The version of OpenSSL included in the Sophos Connect client contains a number of High Severity OpenSSL vulnerabilities (CVE-2023-0286, CVE-2022-4450 & CVE-2023-0464) and we need a fix ASAP.

    When will a new version of Sophos Connect be published that includes the fixes?

    At the very least, we need a workaround where we can update (C:\Program Files (x86)\Sophos\Connect\openssl.exe) to a patched version of openssl. Please advise how to patch this executable without impacting the operation of the Sophos Connect client.

    Many thanks,