SOPHOS Security Update for Users of Web Application Firewall (WAF) in SFOS
A security researcher discovered a Cross-site Scripting (XSS) vulnerability within the WAF component of the Sophos Firewall Operating System (SFOS).
The vulnerability, which was responsibly disclosed to Sophos, could be used for unauthenticated remote code execution. Our investigations have found no evidence of the vulnerability being exploited in any Firewall or UTM appliance.
An official security update is available, fully tested, and automatically distributed as follows:
For customers running SFOS version 16 and above that use the default setting of automatic updates, the security update will be automatically installed, and there is no action required. Customers who have changed their default settings will need to apply the update manually.
Customers who do not have the WAF turned on are not vulnerable, but will proactively receive the security update.
Remediation
SFOS Version | Security Update Distributed |
Version 16.01 and above Version 17 (all releases) | December 29, 2017 |
Version 15 (all releases) | Upgrade to current SFOS version |
For more information please read the following KBA on our support website: https://community.sophos.com/kb/en-us/128024
