Resolved XEE vulnerability in Sophos Mobile managed on-premises (CVE-2022-3980)

セキュリティ勧告の概要に戻る
Critical
CVE
CVE-2022-3980
Updated:
製品
Sophos Mobile
文章 ID sophos-sa-20221116-smc-xee
文章のバージョン 1
公開日
対処策 Yes

Overview

Sophos has fixed an XML External Entity (XEE/XXE) vulnerability allowing for Server-Side Request Forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises. This was discovered and responsibly disclosed to Sophos by an external security researcher.

Sophos would like to thank Florian Hauser of Code White GmbH for responsibly disclosing the issue to Sophos.

No action is required for customers using Sophos Mobile, managed by Sophos Central.

Applies to the following Sophos product(s) and version(s)

Sophos Mobile managed on-premises between version 5.0.0 and 9.7.4

Workaround

Customers can protect themselves by blocking all requests to /servlets/OmaDsServlet on a WAF.

Remediation

  • Patch installation

  • For customers unable to upgrade to version 9.7.5, apply the hotfix (tested on 7.0.0 and newer):

    1. Download the Sophos Mobile November 2022 hotfix

    2. Right-click SophosMobileHotfixNov2022.ps1 and select “Run as administrator” on the server

  • Users of older versions of Sophos Mobile on-premises are required to upgrade to receive this fix