Sophos is aware of vulnerabilities that have been reported in certain Apache modules. While the Sophos Message Relay feature uses Apache, we do not load these modules and are not affected by this issue. Apache will be updated in our next regular release as per our normal process.
Applies to the following Sophos product(s) and version(s): Sophos Central
CVE-2017-9788 is an uninitialized memory reflection in mod_auth_digest, which we do not load and which is not included in the distribution.
CVE-2017-9789 is a read after free in mod_http2, which we do not load and which is not included in the distribution.
While not affected by the vulnerabilities, we are upgrading the version of Apache to v2.4.37 with Sophos Message Relay v1.1.43. This will be released over a period of time from the 26th November to the 05th December 2018.
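To confirm the same "module not loaded" condition on an Apache instance you administer, the check below reads a module listing and flags either module named in this advisory. It is an added example, not Sophos code: the function name `check_advisory_modules` and the sample listings are constructed for illustration, and `auth_digest_module` / `http2_module` are the standard Apache identifiers for mod_auth_digest and mod_http2.

```shell
#!/bin/sh
# Added example (not Sophos code): flag the two modules named in this
# advisory if they appear in an Apache module listing read from stdin.
# Accepts `httpd -M` style lines (" http2_module (shared)") and
# LoadModule directives; commented-out directives are ignored.
# Exit status: 0 = neither module present, 1 = at least one present.
check_advisory_modules() {
    awk '
        BEGIN {
            cve["auth_digest_module"] = "CVE-2017-9788"
            cve["http2_module"]       = "CVE-2017-9789"
        }
        /^[ \t]*#/ { next }   # skip commented-out lines
        {
            name = ""
            if (tolower($1) == "loadmodule" && NF >= 2) name = $2
            else if ($1 ~ /_module$/)                   name = $1
            if ((name in cve) && !(name in seen)) {
                seen[name] = 1
                printf "%s loaded: review %s\n", name, cve[name]
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample listings (not taken from any Sophos installation).
SAMPLE_CLEAN=' core_module (static)
 so_module (static)
 ssl_module (shared)'
SAMPLE_AFFECTED='LoadModule ssl_module modules/mod_ssl.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule http2_module modules/mod_http2.so'

# Demonstration on the constructed config fragment.
printf '%s\n' "$SAMPLE_AFFECTED" | check_advisory_modules || true
```

On a live server, pipe the output of `httpd -M` (or `apachectl -M`) into the function instead of the sample text.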