You may have seen the OpenSSL team's announcement on Monday 2015-07-06 that a “high severity” update would be released in three days’ time. The update was published on Thursday 2015-07-09.
The good news is that no Sophos products are at risk from this bug. Only the current pre-release Beta version of Sophos Management Communication System (MCS 3.0.0 Beta), a component used by Sophos Cloud and UTM Endpoint products, includes an affected version of OpenSSL. However, MCS does not use the relevant part of the OpenSSL code for certificate verification, so it cannot fall foul of the bug. Nevertheless, we expect to update MCS 3 Beta with the latest OpenSSL version by mid-August 2015.
All other Sophos product families either don’t use OpenSSL at all, or use one of the unaffected versions.
For more information, see the links below. If you have any questions, please contact your account manager in the first instance.
Learn more about OpenSSL CVE-2015-1793 (Naked Security)