Hello Sophos,
are Sophos firewalls (SG and XG) affected by the OpenSSL vulnerability?
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
Ben
This thread was automatically locked due to age.
Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.
Hello Sophos,
are Sophos firewalls (SG and XG) affected by the OpenSSL vulnerability?
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
Ben
This is confusing. In the release notes it lists one small change with no security implication that I'm aware of.
Back in 3.0.5 it talks about a severe bug whereby if a coder passes a NULL to a particular function, OpenSSL will essentially use no encryption. So it doesn't appear to be a vulnerability in the sense that it can be exploited, but rather a problem if Sophos causes a NULL value to be passed to that function. Under those conditions, there would be no encryption.
Still would like to know the answer, but I imagine that Sophos needs to look at its SSLVPN server code to make sure they can't accidentally pass a NULL. (If they're using openSSL's server it seems unlikely that this is a problem. It appears to mainly be related to folks using openSSL to create their own client or server.