Hello Sophos,
are Sophos firewalls (SG and XG) affected by the OpenSSL vulnerability? https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
Ben
You aren't giving them any time, are ya?! LOL, it was announced a few hours ago.
There's nothing I can find on CVE related to this and nothing really of note in that site that describes much. Do you happen to know if they even related a CVE? Is it even a vulnerability?
EDIT: Checking the IPS Rules covering CVE issues, the latest one I can find from this year is CVE-2022-1292 and that was fixed in OpenSSL 3.0.3.
UTM - 9.713-19 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SATA HDD | GB Ethernet x5
A note in one of the other forums advises that both UTM and XG are not affected.
Ian
XG115W - v19.5 GA - Home
Test machine - Asus P10S-i E3-1225v5, 6gb, 4 intel NICs, v19.5 GA
If a post solves your question please use the 'Verify Answer' button.
First of all, this vulnerability is not public as of now. It is just a heads-up; you should patch as soon as possible.
https://twitter.com/SophosXOps/status/1585008351309869057
So you should start to do an inventory of the products you are using which could potentially be affected by this.
As both products are not using OpenSSL in version 3.x, they are not affected. You still should continue to check all products in your network.
Here is the same post for SFOS: https://community.sophos.com/sophos-xg-firewall/f/discussions/137120/openssl-security-update-announced
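A small triage helper for the inventory step described in this post, added here as an example and not part of the thread or of any Sophos tooling. The hosts and version banners are constructed, and the only rule it applies is the one stated above: OpenSSL 3.x is in scope for this advisory, 1.x (and the pre-1.1.0 ssleay32.dll naming) is not.

```python
import re

# Constructed inventory entries (hypothetical hosts), in the shape a quick
# "openssl version" / library-listing sweep across the network might produce.
INVENTORY = [
    ("utm-9.713", "OpenSSL 1.1.1n  15 Mar 2022"),
    ("xg115w-19.5", "OpenSSL 1.1.1n"),
    ("build-server", "OpenSSL 3.0.3 3 May 2022"),
    ("legacy-sslvpn-client", "ssleay32.dll (2013)"),
    ("unknown-appliance", "no openssl binary found"),
]

# 1.x releases carry a letter suffix (1.1.1n); 3.x uses plain numbers (3.0.3).
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from an OpenSSL banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def classify(banner):
    """Apply the thread's rule: only OpenSSL 3.x is in scope for the advisory."""
    if "ssleay32" in banner.lower():
        # ssleay32.dll is the pre-1.1.0 library name, so it predates OpenSSL 3.
        return "not affected (pre-1.1.0 library naming, predates OpenSSL 3)"
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown (no version string; check manually)"
    if v[0] == 3:
        return "potentially affected (OpenSSL 3.x): patch when the fix ships"
    return "not affected (OpenSSL %d.%d.%d%s)" % v


def triage(inventory):
    """Map every host to its verdict so the 3.x hosts can be listed first."""
    return {host: classify(banner) for host, banner in inventory}


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host:22} {verdict}")
```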
LuCar Toni said: As both products are not using OpenSSL in version 3.x, they are not affected.
This will give me some sleep on the weekend. Thanks!
Are there any notes about Sophos Connect (and the legacy SSL VPN) Client?
Sophos Connect uses OpenSSL 1.1.1n so is not affected. The legacy SSL VPN Client is EoL since Jan 31 2022.
“First things first, but not necessarily in that order” – Doctor Who
I have added this (and your Security Advisory Post) to the OpenSSL Software List on GitHub. Hope that helps.
Regarding the legacy Client: I know that it is EoL, but I also know that there are plenty of them in the wild. If the software contained OpenSSL 3, a note would help to force upgrades to the Connect client even more. Also, Sophos Support told me to use the legacy client as a workaround. As I said: if it's affected, a note would really help.
It uses an ssleay32.dll from 2013; work on OpenSSL v3 started in 2019, so it is not affected by this.