New code injection vulnerability in the User Portal and Webadmin of Sophos Firewall

Surprised there is no 'banner' announcement of this in the community forum (I learnt about it from a third party security mailing list). I've said it before but I will say it again, I think it is a major failing of Sophos not to have a security alert mailing list.

Details here - https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce

How to check if your XG has been patched - https://support.sophos.com/support/s/article/KB-000044539?language=en_US

[edited by: emmosophos at 9:53 PM (GMT -7) on 23 Sep 2022]
  • Hi JasP,

    Thank you for reaching out and also for your contributions to the Community.

    We have a number of communications tools that we use to keep our stakeholders informed of security incidents.

    • As you’ve pointed out, the Security Advisories page as part of the Sophos Trust Center is the primary location to get the latest security alerts. You can also filter and sort across a variety of metadata and product lines.
    • We also use the Security Advisory as a central point to link to other important resources such as relevant KB articles, related CVEs on cve.mitre.org, and other helpful documentation.
    • We also email affected customers and partners directly to ensure they know what to do to ensure they are protected.
    • We also offer an SMS alert service that provides an immediate text notification for important service and security advisories. Anyone can subscribe to it, and we encourage all our customers and partners to use it.
  • To say a web page is the primary location for notifications is ridiculous. How often do you want us to check a web page? Daily? Every hour? Every minute? The whole point of security advisories is that you want the information ASAP, in real time. Having to manually check a web page is not the way to deliver that sort of alert. The web page is fine for the details of an issue, not for alerting us to new issues.

    We are a Sophos partner. I have received no emails from Sophos about this.

    I subscribe to your SMS alert service. I have received nothing about this and I don't believe you deliver security alerts via this mechanism anyway. Have you read the link you referenced? It's for the status of your services, not security alerts.

    Sorry but this seems to be the Sophos 'way'. We, your Partners and customers, tell you that what you are doing is not satisfactory. You ignore us. How hard is it to create a mailing list? Every person and their dog seems to email me stuff I don't want.

  • I can confirm I have not received an SMS alert, and I also don't see a big warning about it when I go to the community or the Sophos home website.

    Also there is no information if that hotfix has already been installed at our firewalls or not.

    You could create a message here, just like you did with the exim patch:

    That is not good.

    Nothing on sophos support.

    https://support.sophos.com/
