===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0073
A vulnerability in OpenSSL has been identified in multiple Sophos products
                               19 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Sophos Cloud
                      Sophos UTM
                      SUM
                      Sophos Web Appliance
                      Sophos Email Appliance
                      PureMessage
Operating System:     Network Appliance
                      VMware ESX Server
                      Solaris
                      Linux variants
Impact/Access:        Access Privileged Data         -- Remote/Unauthenticated
                      Provide Misleading Information -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-0224  
Member content until: Saturday, July 19 2014
Reference:            ASB-2014.0071
                      ASB-2014.0069.2
                      ASB-2014.0068
                      ESB-2014.0887

OVERVIEW

        A vulnerability in OpenSSL has been identified in multiple Sophos 
        products.


IMPACT

        The vendor has provided the following details on the vulnerability:
        
        "The CVE-2014-0224 vulnerability: This newly discovered vulnerability
        is linked to a flaw in the origin of the code in 1998. Almost all 
        versions of OpenSSL are vulnerable, and if they are exploited it can
        result in communications being disclosed to a man-in-the-middle 
        attack. However, the flaw relies on both the client and the server 
        running vulnerable versions of OpenSSL and the server version being
        1.0.1 or higher to be exploited. For more information on this 
        threat, read our Naked Security article." [1]


MITIGATION

        The vendor has released patches to correct this issue, which are 
        available from Sophos' website. [1]


REFERENCES

        [1] OpenSSL Man-in-the-Middle vulnerability: Sophos Product Status
            http://blogs.sophos.com/2014/06/10/openssl-man-in-the-middle-vulnerability-sophos-product-status-2/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================