Important Update: Sophos product updates related to the FREAK vulnerability
A vulnerability has been discovered in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols used by well-known web browsers and operating systems. The weakness resides in OpenSSL versions 1.0.1k and earlier, so any software that uses a later version is safe. The reported vulnerability (CVE-2015-0204) lets an attacker force a secure connection to use a weaker form of encryption. The flaw has been dubbed “FREAK”, for Factoring RSA Export Keys.
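As an added defender-side example (not part of the Sophos advisory), the Python below parses a TLS ServerHello record and flags a negotiated RSA export-grade cipher suite, which is the weaker encryption a FREAK downgrade forces; the ServerHello records it inspects are constructed inside the script rather than captured from real traffic.

```python
# Added example (not from the Sophos advisory): detect a TLS ServerHello that
# negotiated an RSA export-grade cipher suite, the downgrade FREAK relies on.
import struct

# RSA export suites from the TLS cipher suite registry (RFC 2246 / RFC 4346).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_server_hello(record: bytes) -> dict:
    """Return the version and cipher suite chosen in a TLS ServerHello record.

    Layout: 5-byte record header, 4-byte handshake header, 2-byte version,
    32-byte random, 1-byte session-id length plus session id, 2-byte suite.
    """
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x02:
        raise ValueError("not a ServerHello")
    body = record[9:]
    version = struct.unpack("!H", body[0:2])[0]
    sid_len = body[34]
    suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    return {"version": version, "cipher_suite": suite}


def negotiated_export_rsa(record: bytes):
    """Return the export suite name if the server picked one, else None."""
    return RSA_EXPORT_SUITES.get(parse_server_hello(record)["cipher_suite"])


def build_server_hello(suite: int) -> bytes:
    """Construct a minimal ServerHello record (sample input, not real traffic)."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # 0x0008 is an RSA export suite; 0x002F (AES128-SHA) is not.
    for s in (0x0008, 0x002F):
        print(hex(s), negotiated_export_rsa(build_server_hello(s)))
```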
Action Required/What To Do
Sophos has investigated its full product line and determined what action is necessary for your customers to prevent the vulnerability from being exploited.
For your customers that have UTM 9.2, Sophos Antivirus (SAV) for Linux, or SAV for vShield, we recommend upgrading them to the latest release:
• UTM 9.2 customers should upgrade to UTM 9.3
• SAV for Linux customers should upgrade to 9.8.3
• SAV for vShield 1.x customers should upgrade to any 2.x release
For your customers that have UTM 8.3, Sophos Email Appliance, Sophos Web Appliance, or SAV for Unix, we recommend applying the latest patch.
For your customers that have Sophos Mobile Security (SMSec) or Sophos Mobile Encryption: these applications are not themselves affected, but they run on the iOS or Android operating system, so customers should upgrade iOS or Android to the latest version as soon as it is available.
Please monitor the following knowledgebase article for further updates on affected products: https://www.sophos.com/en-us/support/knowledgebase/122007.aspx