Advisory: OpenSSL high severity vulnerability

Retour à la liste des avis de sécurité
Informational
CVE
CVE-2023-0286
Updated:
Produit(s)
Cloud Optix
Intercept X Endpoint
Intercept X for Server
Sophos Central
Sophos Connect Client 2.0
Sophos Email
Sophos Email Appliance (SEA)
Sophos Enterprise Console (SEC)
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos RED
Sophos UTM
Sophos Web Appliance (SWA)
Sophos Wireless
SophosLabs Intelix
ID de la publication sophos-sa-20230214-openssl-vuln
Version de l’article 2
Première publication
Solution No

Overview

On Tuesday February 7, 2023, the OpenSSL Project Team announced that several versions of OpenSSL contain fixes for vulnerabilities, including one high severity one.

OpenSSL is a ubiquitous cryptography library used in many operating systems and applications.

Patches for OpenSSL

The fixes are included in the following releases:

What Sophos products are affected?

Sophos is reviewing and patching all affected applications and services as part of its incident response process.

Note: as this is an ongoing investigation product status will change as more information becomes available.

Product or ServiceCVE-2023-0286 StatusDescription
Cloud OptixNot affectedComponent not present
PureMessageNot affectedVulnerable code not in execute path
SG UTM (all versions)Not affectedVulnerable code cannot be controlled by adversary
Sophos Endpoint protection (Windows/Mac/Linux)Not affectedVulnerable code not in execute path
Sophos Endpoint Protection - Legacy (Linux/SVE)Not affectedVulnerable code not in execute path
Sophos Enterprise Console (SEC)Not affectedVulnerable code not in execute path
Sophos Firewall (all versions)Not affectedVulnerable code cannot be controlled by adversary
Sophos CentralNot affectedVulnerable code not in execute path
Sophos Connect clientNot affectedVulnerable code not in execute path
Sophos EmailNot affectedVulnerable code not in execute path
Sophos Email ApplianceNot affectedVulnerable code not in execute path
Sophos HomeNot affectedVulnerable code not in execute path
Sophos REDNot affectedVulnerable code not in execute path
Sophos WirelessNot affectedVulnerable code not in execute path
Sophos Web ApplianceNot affectedVulnerable code not in execute path
Sophos SASI (AntiSpam)Not affectedVulnerable code not in execute path
Sophos MobileNot affectedVulnerable code not in execute path
Sophos Mobile EAS ProxyNot affectedVulnerable code not in execute path
SophosLabs IntelixNot affectedVulnerable code not in execute path

Sophos product protections

Sophos is actively monitoring for threat activity and detection opportunities relating to this vulnerability.

Change Log

  • February 14, 2023: Initial version
  • February 20, 2023:
    • Added: Sophos Endpoint Protection - Legacy (Linux/SVE), Sophos Central, Sophos Email, Sophos Email Appliance
    • Updated: Sophos Endpoint protection (Windows/Mac/Linux)