The good news is that no Sophos products are at risk from this bug. Only the current pre-release Beta version of Sophos Management Communication System (MCS 3.0.0 Beta), a component used by Sophos Cloud and UTM Endpoint products, includes an affected version of OpenSSL. However, MCS does not use the relevant part of the OpenSSL code for certificate verification, so it cannot fall foul of the bug. Nevertheless, we expect to update MCS 3 Beta with the latest OpenSSL version by mid-August 2015.
All other Sophos product families either don’t use OpenSSL at all, or use one of the unaffected versions.
For more information, see the links below. If you have any questions, please contact your account manager in the first instance.
Learn more about OpenSSL CVE-2015-1793 (Naked Security)
See the latest Sophos support information (KBA)