Status of OpenSSL CVE-2022-0778 on UTM 9?

It would appear that UTM 9.7 is vulnerable to CVE-2022-0778 as described in https://www.openssl.org/news/secadv/20220315.txt

As I read the alert, it would appear that this has severe impact for all the older OpenSSL releases like those being used on the UTM...

I would very much like to know if this is on Sophos' radar and when a fix is likely to be available. Thanks.

--Larry



This thread was automatically locked due to age.
  • Hey Larry,

    You've been around for a while, so I bet you already know what I'm about to write, but others might not...

    It's usually easier for the developers to patch the modules that they've already "hardened" than to keep testing and hardening new releases.  Much of the code is modified and unnecessary code eliminated, so just because the version number is "old" doesn't mean the Sophos has the vulnerability.

    That said, I'll IM a Sophos guy here to see what the status is.

    Cheers - bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA