New code injection vulnerability in the User Portal and Webadmin of Sophos Firewall

Surprised there is no 'banner' announcement of this in the community forum (I learnt about it from a third party security mailing list). I've said it before but I will say it again, I think it is a major failing of Sophos not to have a security alert mailing list.

Details here - https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce

How to check if your XG has been patched - https://support.sophos.com/support/s/article/KB-000044539?language=en_US



Added TAGs
[edited by: emmosophos at 9:53 PM (GMT -7) on 23 Sep 2022]
  • Hi JasP,

    Thank you for reaching out and also for your contributions to the Community.

    We have a number of communications tools that we use to keep our stakeholders informed of security incidents.

    • As you’ve pointed out, the Security Advisories page as part of the Sophos Trust Center is the primary location to get the latest security alerts. You can also filter and sort across a variety of metadata and product lines.
    • We also use the Security Advisory as a central point to link to other important resources such as relevant KB articles, related CVEs on cve.mitre.org, and other helpful documentation.
    • We also email affected customers and partners directly to ensure they know what to do to ensure they are protected.
    • We also offer an SMS alert service that provides an immediate text notification for important service and security advisories. Anyone can subscribe to it, and we encourage all our customers and partners to use it.
  • To say a web page is the primary location for notifications is ridiculous. How often do you want us to check a web page? Daily? Every hour? Every minute? The whole point of security advisories is that you want the information ASAP in real time. Having to manually check a web page is not the way to deliver that sort of alert. The web page is fine for the details of an issue, not alerting us to new issues.

    We are a Sophos partner. I have received no emails from Sophos about this.

    I subscribe to your SMS alert service. I have received nothing about this and I don't believe you deliver security alerts via this mechanism anyway. Have you read the link you referenced? It's for the status of your services, not security alerts.

    Sorry but this seems to be the Sophos 'way'. We, your Partners and customers, tell you that what you are doing is not satisfactory. You ignore us. How hard is it to create a mailing list? Every person and their dog seems to email me stuff I don't want.
