-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin

                          ASB-2014.0073
   A vulnerability in OpenSSL has been identified in multiple Sophos products
                             19 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Sophos Cloud
                   Sophos UTM
                   SUM
                   Sophos Web Appliance
                   Sophos Email Appliance
                   PureMessage
Operating System:  Network Appliance
                   VMware ESX Server
                   Solaris
                   Linux variants
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0224
Member content until: Saturday, July 19 2014
Reference:         ASB-2014.0071
                   ASB-2014.0069.2
                   ASB-2014.0068
                   ESB-2014.0887

OVERVIEW

        A vulnerability in OpenSSL has been identified in multiple Sophos
        products.

IMPACT

        The vendor has provided the following details on the vulnerability:

        "The CVE-2014-0224 vulnerability

        This newly discovered vulnerability is linked to a flaw in the origin
        of the code in 1998. Almost all versions of OpenSSL are vulnerable,
        and if they are exploited it can result in communications being
        disclosed to a man-in-the-middle attack. However, the flaw relies on
        both the client and the server running vulnerable versions of OpenSSL
        and the server version being 1.0.1 or higher to be exploited.

        For more information on this threat, read our Naked Security
        article." [1]

MITIGATION

        The vendor has released patches to correct this issue, which are
        available from Sophos' website. [1]

REFERENCES

        [1] OpenSSL Man-in-the-Middle vulnerability: Sophos Product Status
            http://blogs.sophos.com/2014/06/10/openssl-man-in-the-middle-vulnerability-sophos-product-status-2/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU6J2MhLndAQH1ShLAQKrIA//bc2CFueC9JfBa6kEho98+eTQaMsf8ceX
5MJ2rAa3UOIh2ENp65F7uWyHXTofdJT9nHKWcBaxlhKkwQrTtKUOKmunfC/gGa7o
rWbb4GH14/f/BSityE0RJxYHljtYu3wCd31VpctZLa59GPb2rtWEVAo5ZtoBOGc1
pht8Fdrbq4Pd89mk46F4PSJMzoccCZ6sayzZPTJc+8L21+bjHh5glw9X0BNO6UQ0
eEkVPqKzfOPKM2SFCTf7/QtjnxcR/x4kl8juGLMXflcqgafJ8SUhAkVN1KVRynV+
mkSslbnHFQsxs6H2E8602wUYdklfJSZNJtSr/KvVX9xJpHrWzi0PSsNcpc1glCIU
YKrb1tnMNA0Dq7p4z4/pc3ZziFopwmpR3PASV8SZE1BBVggd0MjUvWbP8tfSV8wu
wLucRhZ0r9Q0p/l8GqQXpbG4vUDSo15hXDv6hU222W3P9VdKCf3iC+3k57qB8kUt
IXPsS8UrGLAi5yjKkS4ihlrKZMSDCVB5fo2eVb9+rs+aqB0rXyQWAJIKAgkSYg0y
EORL8fIAQDhYGo32t0qegfywjYfuqUjoVS5DUcsc6oAkfsubSijqBKKD8LUiHso6
eeTuPDCrZxinpWWa3veur3Ea4seuibpc+1iB3eGiMgujwHtuoazISbfk7VzGOBeX
S0HR1LrZR0o=
=VF0G
-----END PGP SIGNATURE-----
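The IMPACT section states the two conditions under which CVE-2014-0224 leads to man-in-the-middle exposure: both endpoints must run a vulnerable OpenSSL, and the server must be 1.0.1 or newer. The following Python is an added triage helper, written for this page and not part of the AusCERT bulletin or of any Sophos tooling. It parses OpenSSL's letter-suffixed version strings (including the "za" form) and applies the bulletin's condition across a constructed inventory of client/server pairs. The first-fixed versions per branch (1.0.1h, 1.0.0m, 0.9.8za) are an assumption taken from the OpenSSL project's June 2014 advisory, not from this bulletin; the host names are hypothetical.

```python
# Added triage helper for CVE-2014-0224 exposure; not from the bulletin or Sophos.
import re
from typing import Iterable, NamedTuple


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str  # OpenSSL patch-letter suffix: "" < "a" < ... < "z" < "za"


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text: str) -> OpenSSLVersion:
    """Parse strings such as '1.0.1g' or '0.9.8za' (the form printed by `openssl version`)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def _key(v: OpenSSLVersion):
    # Letters sort by length first so that "za" (as in 0.9.8za) lands after "z".
    return (v.major, v.minor, v.patch, len(v.letter), v.letter)


# Assumption: first fixed release on each branch, taken from the OpenSSL
# project's June 2014 advisory rather than from this bulletin (which only says
# "almost all versions are vulnerable"). Adjust if your baseline differs.
FIRST_FIXED = {
    (1, 0, 1): parse_version("1.0.1h"),
    (1, 0, 0): parse_version("1.0.0m"),
    (0, 9, 8): parse_version("0.9.8za"),
}

# The bulletin's server-side threshold: exploitation needs a server on 1.0.1 or higher.
SERVER_THRESHOLD = parse_version("1.0.1")


def is_vulnerable(version: str) -> bool:
    """True if the build predates the fix on its branch; unknown branches are treated as vulnerable."""
    v = parse_version(version)
    fixed = FIRST_FIXED.get((v.major, v.minor, v.patch))
    if fixed is None:
        return True  # conservative: the bulletin says almost all versions are affected
    return _key(v) < _key(fixed)


def mitm_exposed(client_version: str, server_version: str) -> bool:
    """Apply the bulletin's condition: both ends vulnerable AND server is 1.0.1 or newer."""
    return (
        is_vulnerable(client_version)
        and is_vulnerable(server_version)
        and _key(parse_version(server_version)) >= _key(SERVER_THRESHOLD)
    )


def triage(connections: Iterable[tuple]) -> list:
    """Given (label, client_version, server_version) rows, report which links need patching first."""
    report = []
    for label, client, server in connections:
        report.append({
            "link": label,
            "client_vulnerable": is_vulnerable(client),
            "server_vulnerable": is_vulnerable(server),
            "mitm_exposed": mitm_exposed(client, server),
        })
    return report


# Constructed sample inventory (hypothetical hosts and versions; not from the bulletin).
SAMPLE_INVENTORY = [
    ("mail-relay -> smtp-gw", "1.0.1g", "1.0.1g"),      # both old, server >= 1.0.1: exposed
    ("web-proxy -> legacy-app", "1.0.1g", "0.9.8y"),    # server below 1.0.1: MITM condition not met
    ("patched-client -> old-srv", "1.0.1h", "1.0.1g"),  # client fixed: not exposed
    ("old-client -> patched-srv", "0.9.8y", "1.0.0m"),  # server fixed: not exposed
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

Note that "not exposed" in the report means the specific MITM condition from the bulletin does not hold for that link; a vulnerable endpoint still needs the vendor patch, because the same build may sit on the exposed side of a different connection.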