Sophos and Heartbleed

Hi there, are there any Sophos products affected by the OpenSSL Heartbleed bug?

  • Another curious customer wondering if the Sophos UTM is vulnerable to Heartbleed.  

    I was just going to set up a third-party SSL certificate today for the Sophos UTM, but I'm frozen thinking it would be pointless if I have to redo the certificate because of potentially being compromised as soon as I set up the cert.

    Links: 

  • Remember: OpenSSL v1.0.0 and all v0.9.x are _not_ vulnerable. They introduced the TLS/DTLS heartbeat feature in v1.0.1 (see overview here: https://en.wikipedia.org/wiki/OpenSSL#Major_version_releases ), so everything after that incl. v1.0.1 is vulnerable.

    Based on these facts, here are my findings from my Sophos Enterprise Console server: see screenshot.

    My S009 CID is populated with the Sophos Endpoint Security "Preview" version which is v10.3.7.

    It looks like *only* the AutoUpdater (SAU) and Firewall (SCF) of the Preview version v10.3.7 are using the vulnerable version of OpenSSL.

    The other SAV CIDs/versions are not affected *right now*... but they will be... starting this month (compare staggered upgrade cycle overview here: http://www.sophos.com/en-us/support/knowledgebase/120189.aspx ) with 'Recommended' and 'Extended'! Then in May with 'Previous Recommended' and later on in July 'Previous Extended' will be upgraded to v10.3.7 too.

    I wouldn't rely on this information though and await an official answer from Sophos.

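As an added example that is not part of the thread (and not Sophos code), the version rule from the post above applied to a component inventory: parse OpenSSL version strings as components report them, treat 0.9.x and 1.0.0 as unaffected and 1.0.1 onward as affected, with an optional first-patched release supplied by the caller because the thread does not name one. The inventory entries and their OpenSSL versions are constructed for illustration.

```python
import re

# Constructed inventory modelled on the post's CID inspection; the OpenSSL
# version strings are made up and are not taken from any Sophos release.
INVENTORY = [
    ("SAU (AutoUpdater, Preview 10.3.7)", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("SCF (Firewall, Preview 10.3.7)", "1.0.1c"),
    ("SAV (Recommended)", "OpenSSL 1.0.0k 5 Feb 2013"),
    ("legacy component", "0.9.8y"),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Extract (major, minor, patch, letters) from strings such as
    'OpenSSL 1.0.1e 11 Feb 2013'. The letter suffix becomes a tuple of
    code points so that plain tuple comparison orders 1.0.1 < 1.0.1e < 1.0.1g."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), tuple(ord(c) for c in letters))


# TLS/DTLS heartbeat support arrived in 1.0.1, per the post.
HEARTBEAT_INTRODUCED = parse_version("1.0.1")


def is_heartbleed_candidate(version_text, first_fixed=None):
    """True when the version falls in the range the post calls affected:
    1.0.1 and later. If the caller supplies first_fixed (the first patched
    release, left as a parameter because the thread does not state it),
    versions at or above it are treated as patched."""
    v = parse_version(version_text)
    if v < HEARTBEAT_INTRODUCED:
        return False
    if first_fixed is not None and v >= parse_version(first_fixed):
        return False
    return True


def triage(inventory, first_fixed=None):
    """Map each inventory entry to whether it needs attention."""
    return {name: is_heartbleed_candidate(ver, first_fixed) for name, ver in inventory}
```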
  • Thanks, that KB answers all questions. Yay.

    Well, I also like the hint that "Though other products may use SSL these are not affected and no action is required." which puts my post above in a different perspective.
