We've just released SG UTM version 9.708. As usual, the release will be rolled out in phases:
This release includes a fix for a post-authentication SQL injection vulnerability in the user portal (CVE-2021-36807). For more information on this vulnerability see this advisory. As always, we recommend that you update to this version as soon as possible.
Also included in this release is an update for OpenSSL which removes support for cipher suites that use the non-EC Diffie-Hellman (DH) algorithm for key exchange. These cipher suites have been considered weak for some time now. Where the UTM acts as a server (e.g. WAF, SMTP), these cipher suites were already excluded by default before this update, so there should be no significant impact. Where the UTM acts as a client making connections to external SSL/TLS services that run old software with limited support for more modern protocols, this could cause connection issues. For example, users connecting through the WebProxy with HTTPS decryption enabled will no longer be able to connect to old servers that have poor support for modern ciphers.
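The following is an added example, not Sophos code and not taken from this announcement, showing what removing finite-field DH key exchange from a TLS client looks like at the OpenSSL level and how to tell in advance whether a given backend server will stop working. It uses Python's `ssl` module, which passes cipher strings straight to OpenSSL; the keywords `DEFAULT` and `!kDHE` are OpenSSL's own. The assumption here is that the UTM's updated client behaviour is equivalent to `DEFAULT:!kDHE` (the page does not publish the appliance's exact cipher list), and the server cipher lists are constructed samples.

```python
import ssl

# OpenSSL cipher-string keywords (OpenSSL's own, not UTM settings): "kDHE" selects
# suites whose key exchange is finite-field (non-EC) ephemeral Diffie-Hellman, and
# "!kDHE" removes them permanently. Treating the post-update client as
# "DEFAULT:!kDHE" is an assumption made for this example.
BEFORE_UPDATE = "DEFAULT"
AFTER_UPDATE = "DEFAULT:!kDHE"


def offered_ciphers(cipher_string):
    """Cipher suite names a client context built from cipher_string would offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def by_key_exchange(cipher_string):
    """Group the offered suites by key-exchange mechanism as OpenSSL reports it:
    'kx-dhe' = finite-field DH, 'kx-ecdhe' = elliptic-curve DH, 'kx-rsa' = RSA
    key transport, 'kx-any' = TLS 1.3 suites (key exchange negotiated separately)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    groups = {}
    for c in ctx.get_ciphers():
        groups.setdefault(c["kea"], []).append(c["name"])
    return groups


def shared_ciphers(server_ciphers, client_cipher_string):
    """Suites a server that only enables server_ciphers can still agree on with a
    client using client_cipher_string. An empty list means the handshake fails
    with 'no shared cipher', which is the WebProxy symptom described above.
    (Protocol version is ignored here; only cipher overlap is checked.)"""
    client = set(offered_ciphers(client_cipher_string))
    return [name for name in server_ciphers if name in client]


def check_server(server_ciphers, client_cipher_string):
    """Return (ok, shared) so callers see both the verdict and the overlap."""
    shared = shared_ciphers(server_ciphers, client_cipher_string)
    return (len(shared) > 0, shared)


# Constructed sample: a legacy server whose administrator only ever enabled
# DHE-RSA suites. Such a server worked before the update and fails after it.
LEGACY_SERVER = [
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
]

# Constructed sample: the same list plus one ECDHE suite, which keeps it reachable.
MIXED_SERVER = LEGACY_SERVER + ["ECDHE-RSA-AES256-GCM-SHA384"]


if __name__ == "__main__":
    for label, cipher_string in (("before", BEFORE_UPDATE), ("after", AFTER_UPDATE)):
        groups = by_key_exchange(cipher_string)
        print(f"{label}: {len(groups.get('kx-dhe', []))} finite-field DHE suites, "
              f"{len(groups.get('kx-ecdhe', []))} ECDHE suites offered")
        for name, server in (("legacy", LEGACY_SERVER), ("mixed", MIXED_SERVER)):
            ok, shared = check_server(server, cipher_string)
            print(f"  {name} server: {'ok' if ok else 'HANDSHAKE FAILS'} {shared}")
```

Run it on an unpatched OpenSSL 1.1.1 or 3.x build and the "before" pass shows the legacy server negotiable while the "after" pass reports no shared cipher. To triage a real backend before updating, feed `shared_ciphers()` the suite names from that server's TLS configuration (or from a scan of it): if nothing ECDHE, RSA or TLS 1.3 remains, that server needs its cipher configuration modernised or an exception from HTTPS decryption.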
With this release, SG UTM now supports the latest versions of firmware for Sophos wireless access points and RED/SD-RED devices. Updating your UTM will make the new firmware updates available. For more information on these important firmware updates, see these posts from the Sophos Firewall community log:
[This article was updated on 30 November 2021 to include information about AP and RED firmware updates and direct links for firmware downloads and again on 1 February 2022 to include missing information about Apache vulnerabilities fixed.]