This article provides information on Exim vulnerability CVE-2019-15846 and how it impacts Sophos products

Applies to the following Sophos product(s) and version(s)
PureMessage for Unix
Sophos Central Email
Sophos Email Appliance
Cyberoam
Sophos UTM Software Appliance
PureMessage for Microsoft Exchange
Reflexion

Overview

CVE-2019-15846 outlines a vulnerability in Exim whereby a specially crafted SNI ending can be utilized to run arbitrary code on the vulnerable server

This vulnerability is not exploitable on any Sophos products, see the table below for more information.

Sophos Email Products and CVE-2019-15846

* Despite this vulnerability not being exploitable due to the current architecture of the Sophos XG and Sophos UTM products, we do still plan on releasing a patch for Exim on these platforms in an upcoming Maintenance Release. 

Related information

• http://exim.org/static/doc/security/CVE-2019-15846.txt

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Feedback and contact

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.
This is invaluable to us to ensure that we continually strive to give our customers the best information possible.Article appears in the following topics

• Advisories
• Email Appliance
• Sophos UTM 9
• XG Firewall
• CyberoamOS
• PureMessage > For Exchange
• PureMessage > For UNIX
• Sophos Central > Email