OpenSSL Security update announced

First of all, this vulnerability is not public as of now. It is just a headsup, you should patch as soon as possible. 

https://twitter.com/SophosXOps/status/1585008351309869057 

So you should start to do an inventory of your products, you are using, which could potentially be affected by this. 

As both products are not using Openssl in version 3.x, they are not affect. You still should continue to check all products in your network. 

Here is the same post for SFOS: https://community.sophos.com/sophos-xg-firewall/f/discussions/137120/openssl-security-update-announced

LuCar Toni said:

As both products are not using Openssl in version 3.x, they are not affect.

This will give me some sleep on the weekend. Thanks!

Are there any notes about Sophos Connect (and the legacy SSL VPN) Client?

Sophos Connect uses OpenSSL 1.1.1n so is not affected. The legacy SSL VPN Client is EoL since Jan 31 2022.

I have added this (and your Security Advisory Post) to the OpenSSL Software List on GitHub. Hope that helps

Regarding the legacy Client: I know that is EoL. But I also know, that there are plenty of them in the wild. If the software would contain openssl 3, a note would help to force upgrades to connect client even more. Also Sophos Support told me to use the legacy client as a workaround.
As I said: If it's affected, a note would really help.

It uses an ssleay32.dll from 2013, work on OpenSSL v3 started in 2019. So not affected by this.

It uses an ssleay32.dll from 2013, work on OpenSSL v3 started in 2019. So not affected by this.