Hi there, are there any Sophos products affected by the OpenSSL Heartbleed bug?
Another curious customer wondering if the Sophos UTM is vulnerable to Heartbleed.
I was just going to set up a third-party SSL certificate today for the Sophos UTM, but I'm frozen thinking it would be pointless if I have to redo the certificate because of potentially being compromised as soon as I set up the cert.
Links:
Remember: OpenSSL v1.0.0 and all v0.9.x are _not_ vulnerable. They introduced the TLS/DTLS heartbeat feature in v1.0.1 (see overview here: https://en.wikipedia.org/wiki/OpenSSL#Major_version_releases ), so everything after that, including v1.0.1, is vulnerable.
Based on these facts, here are my findings from my Sophos Enterprise Console server: see screenshot.
My S009 CID is populated with the Sophos Endpoint Security "Preview" version which is v10.3.7.
It looks like *only* the AutoUpdater (SAU) and Firewall (SCF) of the Preview version v10.3.7 are using the vulnerable version of OpenSSL.
The other SAV CIDs/versions are not affected *right now*... but they will be... starting this month (compare the staggered upgrade cycle overview here: http://www.sophos.com/en-us/support/knowledgebase/120189.aspx ) with 'Recommended' and 'Extended'! Then in May 'Previous Recommended', and later on in July 'Previous Extended', will be upgraded to v10.3.7 too.
I wouldn't rely on this information though and await an official answer from Sophos.
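Added example (editor's code, not from the post above or from Sophos): the version-based triage the previous reply does by hand, written down as a small Python script. It encodes the affected range for CVE-2014-0160 as published in the OpenSSL advisory, which is narrower than "everything from v1.0.1 on": 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable, 1.0.1g and 1.0.2-beta2 carry the fix, and 0.9.8 and 1.0.0 never had the heartbeat extension. The component names and version strings in the sample inventory are constructed for the example and are not the poster's real CID findings.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Affected range for CVE-2014-0160 (Heartbleed), per the OpenSSL advisory:
#   1.0.1 .. 1.0.1f  vulnerable, 1.0.1g fixed
#   1.0.2-beta1      vulnerable, 1.0.2-beta2 fixed
#   0.9.8, 1.0.0     never shipped the TLS heartbeat extension
# Matches "1.0.1e", "1.0.2-beta1" and full `openssl version` output such as
# "OpenSSL 1.0.1e 11 Feb 2013" (search, not match, so a prefix is tolerated).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE)


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: str            # letter suffix, e.g. "e" in 1.0.1e; "" if none
    beta: Optional[int]   # 1 for "1.0.2-beta1", None for a release build


def parse_version(text: str) -> OpenSSLVersion:
    """Extract the OpenSSL version number from a version string or `openssl version` line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version: {text!r}")
    major, minor, fix, patch, beta = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(fix), patch.lower(),
                          int(beta) if beta else None)


def is_heartbleed_vulnerable(text: str) -> bool:
    """True if the version string falls inside the CVE-2014-0160 affected range."""
    v = parse_version(text)
    branch = (v.major, v.minor, v.fix)
    if branch == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; "g" and later are fixed.
        # Single-letter patch levels compare correctly as strings ("" < "f" < "g").
        return v.patch < "g"
    if branch == (1, 0, 2):
        # Only the first 1.0.2 beta shipped with the bug.
        return v.beta == 1
    # 0.9.x, 1.0.0 and anything newer than 1.0.2 are outside the affected range.
    return False


# Constructed sample inventory modelled on the per-component check in the post above.
# Component names are illustrative and the version strings are made up for the example.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("Sophos AutoUpdate (SAU)",       "OpenSSL 1.0.1e 11 Feb 2013"),
    ("Sophos Client Firewall (SCF)",  "1.0.1f"),
    ("Sophos Anti-Virus (SAV)",       "0.9.8y"),
    ("Remote Management System",      "1.0.0l"),
    ("Patched test host",             "OpenSSL 1.0.1g 7 Apr 2014"),
    ("Beta build",                    "1.0.2-beta1"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (component, version) pairs whose linked OpenSSL is in the affected range."""
    return [(name, ver) for name, ver in inventory if is_heartbleed_vulnerable(ver)]


if __name__ == "__main__":
    for name, ver in triage(SAMPLE_INVENTORY):
        print(f"VULNERABLE  {name:32s} {ver}")
```

Two caveats before trusting the output. First, a version string alone gives false positives: several Linux distributions backported the fix without bumping the version (a patched 1.0.1e package still reports 1.0.1e), and a build compiled with `-DOPENSSL_NO_HEARTBEATS` (visible in `openssl version -a`) is not exploitable at all. Second, it gives no information about statically linked copies inside third-party binaries, which is exactly the case for bundled agent components. So treat this as a way to shortlist what to look at, and confirm with the vendor's advisory or a live heartbeat test against the actual service, as the poster also recommends.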