The Sophos Community will be offline for scheduled maintenance this Saturday, May 27th, at 13:00 UTC for approximately 1 hour. Apologies for any inconvenience caused.
"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
On June 5th 2014 the OpenSSL Project published an advisory listing seven security defects in their software along with an update to fix them.
Certain Sophos products use the OpenSSL cryptography libraries and hence this article provides information on the issue in relation to our products.
Important: We are fully investigating this issue and will update this article to provide further information when available.
Applies to the following Sophos product(s) and version(s) Sophos UTM PureMessage for UnixSophos Email ApplianceSophos Web ApplianceSophos UTM ManagerSophos Cloud
See the table below for a list of CVE numbers and brief description.
†CVE provides a standardized reference number and information on public security vulnerabilities and exposures. For more information see the cve.mitre.org website.
The list of defects as published by the OpenSSL Project can be found at the following link:
Until the latest software release on June 5th all versions of OpenSSL in client applications were vulnerable . The flaw goes back to the origin of the code in 1998. Only versions 1.0.1 and higher of the server are vulnerable.
For more information see our naked security blog article:
No. Heartbleed (CVE-2014-0160) was disclosed by the OpenSSL Project on April 7th 2014 and was an earlier software defect.
The table below lists the affected Sophos products, associated CVE number, and further information.
Important: When our development teams complete their investigation all affected products and resolutions will be listed. If a product is not listed in the table below it is not affected in any way.
The affected versions will be fixed in the respective versions below: v8.312(released - Please check KBA 121112 for update instructions) v9.113 (released - Please check KBA 121112 for update instructions) v9.203 (released - Please check KBA 121112 for update instructions)
Patched in version 4.107(released): Up2date link MD5SUM: be4f0d72e7266882bb3cd63cdc92bb90 File size ~198MB
Patched in version 4.201(released): Up2date link MD5SUM: 42ddbb8f7eb30cc98a23f2f88b0e52fe File size ~50MB
If something in the article is not clear leave a comment in the form below. Otherwise post your question to our community:
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.