Is Sophos Mobile Control affected by the recently identified OpenSSL leak in versions 1.0.1 to 1.0.1f (cve-2014-160)? Designated cve-2014-160: https://www.openssl.org/news/secadv_20140407.txt
Applies to the following Sophos product(s) and version(s) Mobile Control
Immediately after the acknowledgement of the vulnerabilities present in OpenSSL version 1.0.1, we checked the source code of all Sophos Mobile products:
The non-vulnerable OpenSSL version 0.9.8k is delivered with SMC server to create certificates. No inbound SSL connections is handled by this.
None of the affected OpenSSL libraries are used in any of these products. On Android, we rely on javax.net.ssl to protect our network traffic, which is part of the operating system.
Note: According to Google, these might rely on OpenSSL: “Android uses code from The Legion of the Bouncy Castle and OpenSSL.”
Whether this particular implementation is affected has yet to be verified by the respective device vendor. Sophos can neither verify this nor can we fix any operating system files.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.