OpenSSL Vulnerability in Sophos Connect VPN application

Hello HariKrushna Patel ,

Good day and thanks for reaching out to Sophos Community.

There are plans already to upgrade the OpenVPN on SCC though timeline is yet to be confirmed. In the meantime, May we confirm if you have a specific vulnerability that you are concerned with? Kindly let us know. 

Many thanks for your time and patience and thank you for choosing Sophos.

Cheers,

Hi Raphael,

The version of openssl included in the Sophos Connect client contains a number of High Severity openssl vulnerabilites (CVE-2023-0286, CVE-2022-4450 & CVE-2023-0464) and we need a fix ASAP.

When will a new version of Sophos Connect be published that includes the fixes?

At the very least, we need a workaround where we can update (C:\Program Files (x86)\Sophos\Connect\openssl.exe) to a patched version of openssl. Please advise how to patch this executable without impacting the operation of the Sophos Connect client.

Many thanks,

Josh

Hi Raphael,

The version of openssl included in the Sophos Connect client contains a number of High Severity openssl vulnerabilites (CVE-2023-0286, CVE-2022-4450 & CVE-2023-0464) and we need a fix ASAP.

When will a new version of Sophos Connect be published that includes the fixes?

At the very least, we need a workaround where we can update (C:\Program Files (x86)\Sophos\Connect\openssl.exe) to a patched version of openssl. Please advise how to patch this executable without impacting the operation of the Sophos Connect client.

Many thanks,

Josh