Are Sophos firewalls (SG and XG) affected by the OpenSSL vulnerability? https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
This is confusing. In the release notes it lists one small change with no security implication that I'm aware of.
Back in 3.0.5 it talks about a severe bug whereby if a coder passes a NULL to a particular function, OpenSSL will essentially use no encryption. So it doesn't appear to be a vulnerability in the sense that it can be exploited, but rather a problem if Sophos causes a NULL value to be passed to that function. Under those conditions, there would be no encryption.
Still would like to know the answer, but I imagine that Sophos needs to look at its SSLVPN server code to make sure they can't accidentally pass a NULL. (If they're using OpenSSL's server it seems unlikely that this is a problem. It appears to mainly be related to folks using OpenSSL to create their own client or server.)
No, neither SG nor XG is affected by CVE-2022-3358.
OpenSSL announced the details of the new vulnerabilities:
Again, neither Sophos SG UTM nor SFOS is affected by this.