On 7th April 2014 a critical vulnerability was found in OpenSSL. This article provides information for Sophos customers on how our products are impacted and the steps required to fix the vulnerability.
Important: This article may continue to be updated with further advice. We therefore recommend you check back regularly for new information.
Applies to the following Sophos product(s) and version(s):
Sophos UTM
Sophos Anti-Virus for VMware vShield
Sophos Cloud
The official CVE is tracked here and mentions the versions of OpenSSL used in some Sophos products (see below).
The vulnerability is a TLS heartbeat read overrun which could be used to reveal chunks of sensitive data from the memory of any system worldwide running the affected versions of OpenSSL. Only exposed services are immediately affected, because the bug only allows memory belonging to the affected process itself to be read.
For more information read our Naked Security blog article on the issue: Anatomy of a data leakage bug - the OpenSSL "heartbleed" buffer overflow
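The following is an added example and not part of the Sophos article: it applies to a captured TLS record the bounds check that the OpenSSL fix introduced (declared heartbeat payload plus header and minimum padding must fit inside the record), so a defender can flag the malformed heartbeat messages that trigger the read overrun. The two sample records are constructed here, not captured traffic.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record type for heartbeat messages (RFC 6520)
HB_HEADER_LEN = 1 + 2           # heartbeat type byte + 16-bit payload_length field
HB_MIN_PADDING = 16             # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and apply the bounds check that patched OpenSSL applies:
    the declared heartbeat payload plus header and padding must fit inside the record.
    A record failing this check is the shape that makes unpatched code read past the
    received data and return the process's own memory to the peer."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _version, body_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + body_len]
    if len(body) != body_len:
        raise ValueError("record body shorter than its declared length")
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return {"heartbeat": False, "claimed": None, "overread": False}
    if len(body) < HB_HEADER_LEN:
        # Not even a complete heartbeat header: treat as inconsistent and drop it.
        return {"heartbeat": True, "claimed": None, "overread": True}
    _hb_type, claimed = struct.unpack("!BH", body[:HB_HEADER_LEN])
    # The check added by the OpenSSL fix: 1 + 2 + payload + 16 > record length -> discard.
    overread = HB_HEADER_LEN + claimed + HB_MIN_PADDING > len(body)
    return {"heartbeat": True, "claimed": claimed, "overread": overread}


def build_record(hb_type: int, claimed_len: int, payload: bytes) -> bytes:
    """Build a TLS 1.1 heartbeat record for the constructed samples below; claimed_len
    is written verbatim so the two samples differ only in the declared length."""
    body = struct.pack("!BH", hb_type, claimed_len) + payload + b"\x00" * HB_MIN_PADDING
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0302, len(body)) + body


# Constructed samples (hypothetical, not captured traffic): a consistent heartbeat
# request and one whose declared length far exceeds the bytes the record carries.
WELL_FORMED = build_record(1, 4, b"ping")
MALFORMED = build_record(1, 0x4000, b"ping")

if __name__ == "__main__":
    for name, rec in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(name, check_heartbeat_record(rec))
```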
The OpenSSL 1.0.1 and 1.0.2-beta releases are affected, including 1.0.1f and 1.0.2-beta1.
The table below lists all the affected Sophos products. Important: Though other products may use SSL, these are not affected and no action is required.
If you use one or more of the products mentioned below use the table to guide you on what is required.
A patch is available for the vulnerability in UTM 9.1. The overview steps are:
For detailed instructions see article 120851.
Patched in 4.106-2, available now.
To apply the patch proceed as follows:
Alternatively you can download the Up2Date package from our FTP Server and install it under Management | Up2Date | Advanced:
First update from 4.105 to 4.106:
Download SUM 4.106 (MD5)
Second update from 4.106 to 4.106-2:
Download SUM 4.106-2 (MD5)
A new version of the installer, version 1.1.6, has been made available to address the vulnerability and can be downloaded here.
Please upgrade to version 1.1.6 which includes an uninstall and install wizard to assist with the upgrade. Please see the Sophos Anti-Virus for VMware vShield upgrade guide for step by step information on how to upgrade.
Note: For information on VMware products and OpenSSL vulnerability status see VMware’s security advisory - http://www.vmware.com/security/advisories/VMSA-2014-0004
For information relating the vulnerability to other Sophos products see:
There are three primary requirements: patch the OpenSSL vulnerability, protect yourself from any future exploit attempts, and mitigate any security vulnerabilities if your certificates have already been compromised.
The currently available patches for UTM are listed in article Heartbleed: Recommended steps for UTM. We will add details on other patches as soon as possible. Check back for updates.