Sophos Firewall v18.5 MR3 Resolves Security Vulnerabilities (CVE-2022-0331)

← Back to Security Advisories Overview
Medium
CVE(s)
CVE-2022-0331
Updated:
Product(s)
Sophos Firewall
Publication ID: sophos-sa-20220328-sfos-18-5-3
Article Version: 1
First Published:
Workaround: No

Overview

The Sophos Firewall v18.5 MR3 (18.5.3) release contains the following security fix(es):

CVE ID

Description

Severity

CVE-2022-0331

An information disclosure vulnerability allowing the device serial number to be read by an unauthenticated user in Webadmin of Sophos Firewall was discovered and responsibly disclosed to Sophos by an external security researcher. It was reported via the Sophos bug bounty program.

Sophos would like to thank Mohammed Adel of Safe Decision Cybersecurity Labs for responsibly disclosing the issue to Sophos.

MEDIUM

Applies to the following Sophos product(s) and version(s)

  • Sophos Firewall v18.5 MR2 (18.5.2) and older

Remediation

  • Fixes included in v18.5 MR3 (18.5.3)

  • Users of older versions of Sophos Firewall are required to upgrade to receive this fix

  • Sophos always recommends that Sophos Firewall customers upgrade to the latest available release at their earliest opportunity