Hello Sophos,
are Sophos firewalls (SG and XG) affected by the OpenSSL vulnerability?
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
Ben
First of all, this vulnerability is not public as of now. It is just a heads-up; you should patch as soon as possible.
https://twitter.com/SophosXOps/status/1585008351309869057
So you should start to do an inventory of the products you are using which could potentially be affected by this.
As both products are not using OpenSSL in version 3.x, they are not affected. You should still continue to check all products in your network.
Here is the same post for SFOS: https://community.sophos.com/sophos-xg-firewall/f/discussions/137120/openssl-security-update-announced
__________________________________________________________________________________________________________________
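The inventory step suggested in the reply above can be partly automated by scanning files for the version banner that OpenSSL builds embed. This is an added example, not part of the original thread and not Sophos tooling; the function names and sample files are constructed for illustration, and it flags 3.x because that is the version line the reply names.

```python
import re
import tempfile
from pathlib import Path

# Version banner that libcrypto embeds (OPENSSL_VERSION_TEXT), e.g.
# "OpenSSL 1.1.1q  5 Jul 2022" or "OpenSSL 3.0.5 5 Jul 2022".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)\s+\d{1,2} [A-Z][a-z]{2} \d{4}")


def openssl_versions(path):
    """Return the set of OpenSSL version strings embedded in one file."""
    try:
        data = Path(path).read_bytes()
    except OSError:  # unreadable file: nothing to report
        return set()
    return {
        "{}.{}.{}{}".format(*(g.decode() for g in m.groups()))
        for m in BANNER.finditer(data)
    }


def inventory(root):
    """Map each file under root that carries a banner to (versions, is_3x)."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and not p.is_symlink():
            found = openssl_versions(p)
            if found:
                is_3x = any(v.split(".")[0] == "3" for v in found)
                report[str(p)] = (sorted(found), is_3x)
    return report


def demo():
    """Build a constructed tree of fake binaries and scan it."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files, not real libraries.
        Path(d, "libcrypto.so.1.1").write_bytes(b"\x7fELF\0OpenSSL 1.1.1q  5 Jul 2022\0")
        Path(d, "agent.bin").write_bytes(b"MZ\0\0OpenSSL 3.0.5 5 Jul 2022\0pad")
        Path(d, "readme.txt").write_bytes(b"uses OpenSSL for TLS")
        return {Path(k).name: v for k, v in inventory(d).items()}


if __name__ == "__main__":
    for name, (versions, is_3x) in demo().items():
        print(name, versions, "CHECK: 3.x" if is_3x else "not 3.x")
```

A missing banner does not prove OpenSSL is absent, since packed or compressed binaries hide it, so treat the output as a starting list for the inventory rather than a final answer.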
As both products are not using OpenSSL in version 3.x, they are not affected.
This will give me some sleep on the weekend. Thanks!
Are there any notes about Sophos Connect (and the legacy SSL VPN) Client?
I have added this (and your Security Advisory Post) to the OpenSSL Software List on GitHub. Hope that helps
Regarding the legacy Client: I know that it is EoL. But I also know that there are plenty of them in the wild. If the software contained OpenSSL 3, a note would help to force upgrades to the Connect client even more. Also, Sophos Support told me to use the legacy client as a workaround.
As I said: If it's affected, a note would really help.