Another curious customer wondering if the Sophos UTM is vulnerable to Heartbleed.
I was just going to setup a Third Party SSL Certificate today for the Sophos UTM but I'm frozen thinking it would be pointless if I have to redo the certificate because of potentially being comprimised as soon as I setup the cert.
Remember: OpenSSL v1.0.0 and all v0.9.x are _not_ vulnerable. They introduced the TLS/DTLS heartbeat feature in v1.0.1 (see overview here: https://en.wikipedia.org/wiki/OpenSSL#Major_version_releases ), so everything after that incl. v1.0.1 is vulnerable.
Based on these fact, here are my findings from my Sophos Enterprise Console server: see screenshot.
My S009 CID is populated with the Sophos Endpoint Security "Preview" version which is v10.3.7.
It looks like *only* the AutoUpdater (SAU) and Firewall (SCF) of the Preview version v10.3.7 are using the vulnerable version of OpenSSL.
The other SAV CIDs/versions are not affected *right now*... but they will be... starting this month (compare staggered upgrade cycle overview here: http://www.sophos.com/en-us/support/knowledgebase/120189.aspx ) with 'Recommended' and 'Extended'! Then in May with 'Previous Recommended' and later on in July 'Previous Extended' will be upgraded to v10.3.7 too.
I wouldn't rely on this information though and await an official answer from Sophos.
Well, I also like the hint that "Though other products may use SSL these are not affected and no action is required." which puts my post above in a different perspective.
