XG Firewall 17.5 MR12 Released

Hi XG Community!

We've released XG Firewall 17.5 MR12. Initially, the firmware will be available by manual download from the Licensing Portal. We will gradually release the firmware via auto-update to customers.

Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.

Note: The upgrade from version 17.5 MR12 to 18.0 will follow soon.

News

  • Security Release
  • Fixes the SQL injection vulnerability and malicious code execution in XG Firewall/SFOS detailed in KBA135412

Note: The hotfix referenced in KBA135412 is NOT required for 17.5 MR12, as CVE-2020-12271 has been fixed in this release.

Issues Resolved

  • NC-59408 [API Framework, UI Framework] SQLi prevention in hybrid request - ORM fields and mode parameters (CVE-2020-12271)
  • NC-58898 [Email] Potential RCE through heap overflow in awarrensmtp (CVE-2020-11503)
  • NC-59300 [Email] Blind pre-auth SQLi in spxd on port 8094
  • NC-59454 [UI Framework] Enable apache access logs

Download

To manually install the upgrade, you can download the firmware from the Licensing Portal. Please refer to Sophos XG Firewall: How to upgrade the firmware.