Is Sophos Mobile Control affected by the recently identified OpenSSL leak in versions 1.0.1 to 1.0.1f (CVE-2014-0160)? Designated CVE-2014-0160: https://www.openssl.org/news/secadv_20140407.txt
Applies to the following Sophos product(s) and version(s): Sophos Mobile Control
Immediately after the acknowledgement of the vulnerabilities present in OpenSSL version 1.0.1, we checked the source code of all Sophos Mobile products:
The non-vulnerable OpenSSL version 0.9.8k is delivered with the SMC server to create certificates. It does not handle any inbound SSL connections.
None of the affected OpenSSL libraries are used in any of these products. On Android, we rely on javax.net.ssl to protect our network traffic, which is part of the operating system.
Note: According to Google, these might rely on OpenSSL: “Android uses code from The Legion of the Bouncy Castle and OpenSSL.”
Whether this particular implementation is affected has yet to be verified by the respective device vendor. Sophos can neither verify this nor can we fix any operating system files.
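To audit which bundled OpenSSL builds fall inside the affected range quoted above (1.0.1 to 1.0.1f), the version strings collected from each component can be classified as follows. This is an added example, not Sophos code; the function names, component names and sample strings are constructed for illustration and assume the `openssl version` output format.

```python
import re

# Affected range as stated on this page: OpenSSL 1.0.1 through 1.0.1f.
AFFECTED_LOW = (1, 0, 1, 0)    # 1.0.1 (no letter suffix)
AFFECTED_HIGH = (1, 0, 1, 6)   # 1.0.1f ("f" is the 6th letter release)

# Matches e.g. "1.0.1e", "0.9.8k", "0.9.8zh"; letter releases continue past "z" as "za", "zb", ...
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(z[a-z]|[a-z]?)(?![a-z])")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter_rank), or None if no version is found."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    # "" -> 0, "a" -> 1, ..., "z" -> 26, "za" -> 27, ...
    rank = sum(ord(ch) - ord("a") + 1 for ch in m.group(4))
    return (major, minor, fix, rank)


def is_affected(banner):
    """True/False for a parsed version, None when the string cannot be parsed."""
    version = parse_openssl_version(banner)
    if version is None:
        return None
    return AFFECTED_LOW <= version <= AFFECTED_HIGH


def audit(inventory):
    """Map each component name to 'affected', 'not affected' or 'unknown'."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {name: labels[is_affected(banner)] for name, banner in inventory.items()}


# Constructed sample inventory (hypothetical component names, `openssl version` style strings).
SAMPLE_INVENTORY = {
    "certificate tool": "OpenSSL 0.9.8k 25 Mar 2009",
    "reverse proxy": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "patched host": "OpenSSL 1.0.1g 7 Apr 2014",
    "original 1.0.1": "OpenSSL 1.0.1 14 Mar 2012",
    "vendor blob": "custom TLS stack, build 42",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:18} {status}")
```

Distribution packages may carry a backported fix under an unchanged version string, so an "affected" result should be confirmed against the package changelog. An "unknown" result, like the operating-system TLS stack discussed above, needs confirmation from whoever ships that library.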