Hello Sophos,
are Sophos firewalls (SG and XG) affected by the OpenSSL vulnerability? https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
Ben
First of all, this vulnerability is not public as of now. It is just a heads-up that you should patch as soon as possible.
https://twitter.com/SophosXOps/status/1585008351309869057
So you should start to do an inventory of the products you are using which could potentially be affected by this.
As both products are not using OpenSSL in version 3.x, they are not affected. You should still continue to check all products in your network.
Here is the same post for SFOS: https://community.sophos.com/sophos-xg-firewall/f/discussions/137120/openssl-security-update-announced
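The inventory step suggested above, as an added example that is not part of this thread or of any Sophos tooling: a Python script that scans a directory tree for files embedding an OpenSSL version banner and flags the 3.x builds. The sample blob and the triage label strings are constructed for illustration.

```python
import os
import re
from typing import Dict, List

# OpenSSL libraries embed a version banner such as "OpenSSL 1.1.1n  15 Mar 2022"
# or "OpenSSL 3.0.5  5 Jul 2022"; it survives in DLLs (e.g. ssleay32.dll),
# shared objects and statically linked executables.
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed stand-in for a scanned binary: one 1.1.1 banner, one 3.x banner, junk around them.
SAMPLE_BLOB = (b"\x00MZ\x90\x00junk OpenSSL 1.1.1n  15 Mar 2022\x00"
               b"more junk OpenSSL 3.0.5 5 Jul 2022\x00OpenSSL 1.1.1n\x00")

def find_banners(data: bytes) -> List[str]:
    """Distinct OpenSSL version strings found in a blob, in order of first appearance."""
    seen: List[str] = []
    for m in BANNER.finditer(data):
        banner = m.group(0).decode("ascii")
        if banner not in seen:
            seen.append(banner)
    return seen

def classify(banner: str) -> str:
    """Triage label: the advisory discussed in the thread concerns 3.x builds only."""
    major = int(BANNER.match(banner.encode("ascii")).group(1))
    return "3.x - check vendor patch status" if major == 3 else "not 3.x - out of scope"

def triage_blob(data: bytes) -> Dict[str, str]:
    """Map every banner found in a blob to its triage label."""
    return {b: classify(b) for b in find_banners(data)}

def scan_tree(root: str, max_bytes: int = 64 * 1024 * 1024) -> Dict[str, Dict[str, str]]:
    """Walk a directory tree and report path -> {banner: label} for files embedding OpenSSL."""
    report: Dict[str, Dict[str, str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip huge files (ISOs, disk images) to keep the scan cheap
                with open(path, "rb") as fh:
                    found = triage_blob(fh.read())
            except OSError:
                continue  # unreadable or vanished file; the inventory is best-effort
            if found:
                report[path] = found
    return report
```

Run `scan_tree("C:/Program Files")` (or a Linux `/usr/lib`) and review every path labelled 3.x against the vendor's advisory; a banner only tells you which OpenSSL a file embeds, not whether the vendor has already shipped a fixed build.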
__________________________________________________________________________________________________________________
LuCar Toni said: As both products are not using OpenSSL in version 3.x, they are not affected.
This will give me some sleep on the weekend. Thanks!
Are there any notes about Sophos Connect (and the legacy SSL VPN) Client?
Sophos Connect uses OpenSSL 1.1.1n so is not affected. The legacy SSL VPN Client is EoL since Jan 31 2022.
“First things first, but not necessarily in that order” – Doctor Who
I have added this (and your Security Advisory post) to the OpenSSL Software List on GitHub. Hope that helps.
Regarding the legacy client: I know that it is EoL, but I also know that there are plenty of them in the wild. If the software contained OpenSSL 3, a note would help to force upgrades to the Connect client even more. Also, Sophos Support told me to use the legacy client as a workaround. As I said: if it's affected, a note would really help.
It uses an ssleay32.dll from 2013; work on OpenSSL v3 started in 2019. So it is not affected by this.