We have just begun the rollout process for version 220.127.116.11 of Sophos Web Appliance.
As with many other products, the Sophos Web Appliance is vulnerable to the TCP SACK PANIC issues described in this Naked Security article. Sophos published an initial advisory regarding this issue here: https://community.sophos.com/kb/en-us/134237
Version 18.104.22.168 addresses these vulnerabilities. This update will be applied in the next configured update window.
For customers who have disabled automatic updating, we recommend that you apply this upgrade as soon as possible, especially if your Web Appliance is exposed to inbound traffic from the Internet. Systems behind a stateful firewall allowing only outbound connections are at lower risk, but an attack may still be possible under certain circumstances.
Release notes for this and other recent updates can be found here.