Overview
On Tuesday, March 15, 2022, the OpenSSL project published an advisory for a denial-of-service vulnerability, CVE-2022-0778, affecting the OpenSSL 1.0.2, 1.1.1 and 3.0 release lines (fixed in 1.1.1n and 3.0.2, and in 1.0.2zd for premium-support customers). OpenSSL is a ubiquitous cryptography library used in many operating systems and applications, so the vulnerability affects a broad range of services and applications, with impacts ranging from low to very disruptive, which makes updating some applications urgent.
The vulnerability allows an attacker to cause the vulnerable component to enter an infinite loop by presenting it with a maliciously crafted certificate. The loop is in BN_mod_sqrt() and is reached when OpenSSL parses a certificate (or private key) whose elliptic-curve key carries explicit curve parameters with invalid values. Because those parameters are parsed before any signature is checked, the certificate does not need to chain to a trusted CA: a TLS server presenting the certificate to a vulnerable client, a client presenting it to a server that requests client certificates, or anyone who can get a vulnerable tool to read the certificate file can hang the process.
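As an added example (not code from Sophos or the OpenSSL project): the certificates the OpenSSL advisory describes use the explicit-parameter form of ECParameters rather than a named-curve OID, which is the only ASN.1 shape that reaches the vulnerable BN_mod_sqrt() path. The script below walks the DER of a SubjectPublicKeyInfo with a minimal TLV parser and classifies the key as named-curve, explicit-parameter, or non-EC, so a practitioner can flag explicit-parameter certificates arriving at an unpatched endpoint. The fixtures at the bottom are constructed for this example and are not real keys; the PEM helper accepts the output of `openssl x509 -in cert.pem -pubkey -noout`.

```python
"""Classify an EC SubjectPublicKeyInfo as named-curve or explicit-parameter.

Added example, not Sophos or OpenSSL code. The certificates that trigger
CVE-2022-0778 carry explicit EC parameters (ECParameters encoded as a
SEQUENCE with crafted field values) instead of a named-curve OID; a key
that names its curve never reaches the vulnerable BN_mod_sqrt() loop.
The fixtures at the bottom are constructed for this example only.
"""
import base64

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")      # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")          # OID 1.2.840.10045.3.1.7
PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")           # OID 1.2.840.10045.1.1
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")    # OID 1.2.840.113549.1.1.1


def read_tlv(buf, pos):
    """Decode the DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def classify_spki(spki_der):
    """Return 'named', 'explicit', 'implicit' or 'not-ec' for a DER SPKI.

    Only 'explicit' keys can carry the malformed curve parameters that
    CVE-2022-0778 trips over; treat them as suspect on unpatched OpenSSL.
    """
    tag, spki, _ = read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, alg_id, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, pos = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("algorithm field is not an OID")
    if oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg_id):                     # parameters absent
        return "implicit"
    tag, _, _ = read_tlv(alg_id, pos)
    if tag == 0x06:                            # namedCurve OID
        return "named"
    if tag == 0x30:                            # ECParameters SEQUENCE
        return "explicit"
    if tag == 0x05:                            # implicitlyCA NULL
        return "implicit"
    raise ValueError("unexpected ECParameters tag 0x%02x" % tag)


def load_pem(text):
    """Decode one PEM block, e.g. `openssl x509 -in cert.pem -pubkey -noout`."""
    body = "".join(ln.strip() for ln in text.splitlines()
                   if ln.strip() and not ln.startswith("-----"))
    return base64.b64decode(body)


def to_pem(der_bytes, label="PUBLIC KEY"):
    """Wrap DER as PEM (used here to exercise load_pem on the fixtures)."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed fixtures."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


# Constructed fixtures: a zeroed uncompressed point stands in for a real key.
_FAKE_POINT = der(0x03, b"\x00" + b"\x04" + b"\x00" * 64)

NAMED_SPKI = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + der(0x06, PRIME256V1)) + _FAKE_POINT)

# Explicit ECParameters cut down to version + fieldID (p = 23); a real one
# also carries curve, base, order and cofactor. The classifier keys on the
# structure, not on the values.
_EXPLICIT_PARAMS = der(0x30, der(0x02, b"\x01") + der(0x30, der(0x06, PRIME_FIELD) + der(0x02, b"\x17")))
EXPLICIT_SPKI = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + _EXPLICIT_PARAMS) + _FAKE_POINT)

RSA_SPKI = der(0x30, der(0x30, der(0x06, RSA_ENCRYPTION) + der(0x05, b"")) + der(0x03, b"\x00\x30\x00"))

if __name__ == "__main__":
    for name, spki in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI), ("rsa", RSA_SPKI)):
        print(name, "->", classify_spki(load_pem(to_pem(spki))))
```

Explicit parameters are legal ASN.1 but rare in practice, so a certificate using them is worth quarantining on an unpatched host even before checking whether its field values are valid; the patched OpenSSL releases reject a non-prime modulus in BN_mod_sqrt() rather than looping on it.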
What Sophos products are affected?
Sophos will review and patch all affected applications and services as part of its incident response process.
Product or Service | Impact | Description |
---|---|---|
Sophos Firewall (all versions) | HIGH | Sophos Firewall is potentially impacted by CVE-2022-0778 in the VPN and TLS inspection components. The fix is included in version 18.5 MR3 (late March 2022) and 19.0 GA (April 2022). |
Sophos UTM | HIGH | Sophos UTM is potentially impacted by CVE-2022-0778 in the VPN and TLS inspection components. The fix is included in version 9.711 MR11 (April 2022). |
Sophos Web Appliance | HIGH | Sophos Web Appliance (SWA) is potentially impacted by CVE-2022-0778. The fix is included in version 4.3.10.3 (April 2022). |
Related Information
- https://www.openssl.org/news/secadv/20220315.txt
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
- https://nakedsecurity.sophos.com/2022/03/18/openssl-patches-infinite-loop-dos-bug-in-certificate-verification/