OpenSSL Security update announced

Hello Sophos,

are Sophos firewalls (SG and XG) affected by the OpenSSL vulnerability?
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

Ben

  • This is confusing. In the release notes it lists one small change with no security implication that I'm aware of.

    Back in 3.0.5 it talks about a severe bug whereby if a coder passes a NULL to a particular function, OpenSSL will essentially use no encryption. So it doesn't appear to be a vulnerability in the sense that it can be exploited, but rather a problem if Sophos causes a NULL value to be passed to that function. Under those conditions, there would be no encryption.

    Still would like to know the answer, but I imagine that Sophos needs to look at its SSLVPN server code to make sure they can't accidentally pass a NULL. (If they're using OpenSSL's server it seems unlikely that this is a problem. It appears to mainly be related to folks using OpenSSL to create their own client or server.)

  • No, neither SG nor XG is affected by CVE-2022-3358.

  • OpenSSL announced the details of the new vulnerabilities:

    https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows

    Again, neither Sophos SG UTM nor SFOS is affected by this.