Advisory: OpenSSL high severity vulnerability

Sophos Security Advisory

MoritzGrimm

Summary

Overview

On Tuesday, February 7, 2023, the OpenSSL Project Team announced new OpenSSL releases that fix several vulnerabilities, including one rated high severity, CVE-2023-0286.

OpenSSL is a ubiquitous cryptography library used in many operating systems and applications.

CVE-2023-0286 is a type confusion in OpenSSL's handling of X.400 addresses inside X.509 GeneralName values. The vulnerable comparison is only reached during CRL checking, so it matters mainly for applications that enable the X509_V_FLAG_CRL_CHECK verification flag and process a certificate chain and a CRL that an attacker can supply; an application that does not enable CRL checking, or that only ever uses trusted CRLs loaded from local disk, does not expose the flaw to untrusted input. This is the basis of the exploitability column in the product table below.

Patches for OpenSSL

The fixes are included in the following releases:
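As an added example that is not part of the Sophos advisory, the following Python helper classifies the output of `openssl version` (or the value of `ssl.OPENSSL_VERSION` in a running interpreter) against the releases that first shipped the CVE-2023-0286 fix. Those fixed releases (3.0.8, 1.1.1t and 1.0.2zg) are taken from the upstream OpenSSL Security Advisory of February 7, 2023, not from this page. The helper handles both OpenSSL version schemes: numeric ordering for 3.x, and the letter suffix of 1.x, where 1.0.2z is followed by 1.0.2za through 1.0.2zg. Function names and the sample version strings are this example's own.

```python
import re
import ssl

# First releases containing the CVE-2023-0286 fix, per the OpenSSL Security
# Advisory of 7 February 2023 (upstream fact, not taken from the Sophos page).
# Branches not listed (1.1.0, 1.0.1 and older) were already end-of-life and
# never received a fix.
FIXED_1X_LETTER = {(1, 1, 1): "t", (1, 0, 2): "zg"}
FIXED_3X = (3, 0, 8)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, patch, letters) from a string such as
    'OpenSSL 1.1.1k-fips  25 Mar 2021'. Returns None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch), letters


def letter_key(letters):
    """Sort key for 1.x patch letters: '' < 'a' < ... < 'z' < 'za' < ... < 'zg'.
    OpenSSL appends a second letter once 'z' is exhausted, so length wins first."""
    return (len(letters), letters)


def cve_2023_0286_status(text):
    """Classify a version string as 'fixed', 'vulnerable', 'unsupported'
    (end-of-life branch with no fix) or 'not-openssl' (e.g. LibreSSL)."""
    if not text.lstrip().startswith("OpenSSL"):
        return "not-openssl"
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch, letters = parsed
    if major >= 3:
        # 3.x orders numerically; 3.1 and later were cut after the fix landed.
        return "fixed" if (major, minor, patch) >= FIXED_3X else "vulnerable"
    branch = (major, minor, patch)
    if branch in FIXED_1X_LETTER:
        fixed = FIXED_1X_LETTER[branch]
        return "fixed" if letter_key(letters) >= letter_key(fixed) else "vulnerable"
    return "unsupported"


def running_interpreter_status():
    """Status of the OpenSSL build this Python process is linked against."""
    return cve_2023_0286_status(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample inputs in the shape `openssl version` prints them.
    samples = (
        "OpenSSL 3.0.7 1 Nov 2022", "OpenSSL 3.0.8 7 Feb 2023",
        "OpenSSL 1.1.1s  1 Nov 2022", "OpenSSL 1.1.1t  7 Feb 2023",
        "OpenSSL 1.0.2zf", "OpenSSL 1.0.2zg", "OpenSSL 1.1.0l  10 Sep 2019",
    )
    for sample in samples:
        print(f"{sample:32} -> {cve_2023_0286_status(sample)}")
    print(f"{ssl.OPENSSL_VERSION:32} -> {running_interpreter_status()}")
```

Two caveats apply when using a check like this in practice. Distribution packages (Debian, Ubuntu, RHEL and others) routinely backport the fix without changing the upstream version string, so a "vulnerable" result must be confirmed against the package changelog or the vendor's own advisory. And a "vulnerable" library version says nothing about exploitability: as the product table below shows, that depends on whether the application enables X509_V_FLAG_CRL_CHECK and whether it ever processes CRLs from untrusted sources.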

What Sophos products are affected?

Sophos is reviewing and patching all affected applications and services as part of its incident response process.

Note: as this is an ongoing investigation product status will change as more information becomes available.

| Product or Service | Uses a vulnerable OpenSSL version | Exploitability assessment for HIGH rated vulnerability (CVE-2023-0286) | Fix/mitigation |
|---|---|---|---|
| Cloud Optix | No | N/A | |
| PureMessage | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | None |
| SG UTM (all versions) | Yes | Highly unlikely – trusted CRLs are exclusively read from disk | Patch development underway |
| Sophos Endpoint protection (Windows/Mac/Linux) | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | Patch development underway (Windows: TBD; Mac: TBD; Linux: 2023.2) |
| Sophos Endpoint Protection – Legacy (Linux/SVE) | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | None |
| Sophos Enterprise Console (SEC) | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | None |
| Sophos Firewall (all versions) | Yes | Highly unlikely – trusted CRLs are exclusively read from disk | Patch development underway |
| Sophos Central | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | Patch roll-out complete before March 31, 2023 |
| Sophos Connect client | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | Under review |
| Sophos Email | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | Patch roll-out complete before March 31, 2023 |
| Sophos Email Appliance | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | None |
| Sophos Home | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |
| Sophos RED | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |
| Sophos Wireless | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |
| Sophos Web Appliance | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | None |
| Sophos SASI (AntiSpam) | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |
| Sophos Mobile | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |
| Sophos Mobile EAS Proxy | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |
| SophosLabs Intelix | Yes | Highly unlikely – X509_V_FLAG_CRL_CHECK feature not used | Patch development underway |

Other products and services

Any other products or services not listed above are still under investigation. Sophos will publish updated information as it becomes available.

Sophos product protections

Sophos is actively monitoring for threat activity and detection opportunities relating to this vulnerability.

Change Log

  • February 14, 2023: Initial version
  • February 20, 2023:
    • Added: Sophos Endpoint Protection – Legacy (Linux/SVE), Sophos Central, Sophos Email, Sophos Email Appliance
    • Updated: Sophos Endpoint protection (Windows/Mac/Linux)

Severity: Informational
First Published: February 14, 2023
Updated: February 20, 2023
Publication ID: sophos-sa-20230214-openssl-vuln
Workaround: No
Products:
  • Cloud Optix
  • Intercept X Endpoint
  • Intercept X for Server
  • Sophos Central
  • Sophos Connect Client 2.0
  • Sophos Email
  • Sophos Email Appliance (SEA)
  • Sophos Enterprise Console (SEC)
  • Sophos Firewall
  • Sophos Home
  • Sophos Mobile
  • Sophos Mobile EAS Proxy
  • Sophos RED
  • Sophos UTM
  • Sophos Web Appliance (SWA)
  • Sophos Wireless
  • SophosLabs Intelix
CVE: CVE-2023-0286
Article Version: 2