NC-106424 |
API Framework, UI Framework |
A code injection vulnerability allowing remote code execution was discovered in the user portal and web admin console. We released the hotfixes for this issue. See Resolved RCE in Sophos Firewall (CVE-2022-3236). |
NC-101326 |
SSL VPN |
OS command injection through SSL VPN configuration upload (CVE-2022-3226). |
NC-108213 |
UI Framework |
Post-auth code injection (CVE-2022-3696). |
NC-99962 |
Wireless |
Adjacent code injection in Wi-Fi controller (CVE-2022-3713). |
NC-93847 |
Authentication |
Stored XSS in import group wizard (CVE-2022-3709). |
NC-94664 |
Hotspot |
Post-auth read-only SQLi in user portal (CVE-2022-3711). |
NC-102257 |
Firewall |
Post-auth read-only SQLi through API controller (CVE-2022-3710). |
NC-89091 |
API Framework |
Resolved multiple post-auth SQLi vulnerabilities in the web admin console (CVE-2022-1807). |
NC-97743 |
AppFilter Policy |
Unable to export application filter policy. |
NC-74235 |
AppFilter Policy |
DOM-based XSS in AppFilterPolicyDetailEdit.js. |
NC-107176 |
Authentication |
Web admin console SSO prevents language choice. |
NC-79468 |
Authentication |
Outdated users not removed from the live user list. |
NC-84910 |
Authentication |
STAS authentication stops working when the appliance restarts until the access server is restarted if AD is accessed through a static route. |
NC-84924 |
Authentication |
Memory utilization increases to 90 percent and above in XGS 3100 due to the appcached service. |
NC-85151 |
Authentication |
When the firewall is moved to a group on Sophos Central, it's added to the group but changes to "Error needs attention". |
NC-85961 |
Authentication |
Guest user is created on secondary appliance but not on primary appliance sometimes. |
NC-90151 |
Authentication |
Unable to authenticate with PUSH with Azure MFA. |
NC-101852 |
Authentication |
Unable to add users with the same email address (Azure AD). |
NC-102771 |
Authentication XFOS Migration |
Users unable to authenticate through CAA. |
NC-102979 |
Backup-Restore |
Unable to restore backup from XG 310 to XG 230. |
NC-85547 |
Captive Portal |
Sign-in message and sign-out option not appearing with custom captive portal. |
NC-95926 |
CDB-CFR, Reporting |
Unable to generate reports. |
NC-101703 |
CDB-CFR, CM |
Unable to open the firewall's web admin console from Sophos Central after turning on "Send reports and logs to Sophos Central" and "Send configuration backups to Sophos Central" on the firewall from Sophos Central. |
NC-80305 |
Certificates |
Though CA isn't available on the pfx file, CA upload opcode gets called. |
NC-103406 |
Certificates |
Migration from SFOS 18.5 MR4 build 418 to 19.0 MR1 build 365 fails. |
NC-81219 |
CM |
Expected downtime for a firewall upgrade with HA on Sophos Central. |
NC-81430 |
CM, UI Framework |
User portal host injection reported. |
NC-89079 |
CM |
fwcm-eventd agent isn't listening to the IP address up event for SD-WAN connection group. |
NC-83405 |
Core Utils |
Inconsistency with Security Audit Reports (SAR). |
NC-84231 |
Core Utils |
Receiving a duplicate copy of the same executive schedule reports. |
NC-98712 |
Core Utils |
Containment plan to handle production issue causing ten-second factory reset feature to not work on XGS Series appliances. |
NC-89218 |
Core Utils |
Resolved post-auth shell injection in web admin console through OpenSSL (CVE-2022-1292). |
NC-82972 |
CSC |
HA appliance stops responding. |
NC-101021 |
Date/Time Zone |
Time zone change allowed in Sophos Central on HA appliances. |
NC-80660 |
DHCP |
DHCP IP lease issue. |
NC-92745 |
DNS |
kdump: stack guard page was hit, and appliance restarts repeatedly. |
NC-101271 |
Dynamic Routing (BGP) |
BGP networks on the web admin console show ASCII characters instead of expected networks for config-type Cisco. |
NC-106811 |
Email |
Unable to start anti-spam service. |
NC-74248 |
Email |
Stored potential XSS in MailScanRuleManage.js. |
NC-83419 |
Email |
Inbound emails aren't delivered when SMTP scanning is turned on in the firewall rule. |
NC-85346 |
Email |
Smarthost authentication didn't work. Related to password decryption failure. |
NC-87240 |
Email |
Avira engine error with axpx files. |
NC-90702 |
Email |
SASI detection problems when too many hits are returned. |
NC-92840 |
Email |
RCA for email not received with an error "smtp_check_forward_reply: response arrived without any command". |
NC-93380 |
Email |
Anti-spam not working after upgrade to SFOS 18.5.3. |
NC-94362 |
Email |
SPX stops working after an unspecified period. |
NC-95543 |
Email |
Mail logs page stuck in loading status. |
NC-98296 |
Email |
Attachments getting corrupted while using SPX. |
NC-98300 |
Email |
High CPU utilization due to Exim. |
NC-99421 |
Email |
Email loop with AV scan failure. |
NC-101300 |
Email |
Unable to send emails after upgrading to 18.5.4 due to malware scan failure. |
NC-73975 |
Firewall |
FP fw_fp_track_conn and fw_fp_reclaim_conn errors seen during httperf conn rate test - (flow 2). |
NC-77804 |
Firewall |
netlink: 153776 bytes leftover after parsing attributes in the following process: ipsetelite. |
NC-81939 |
Firewall |
Not reflecting daylight savings time correctly. |
NC-82215 |
Firewall |
Device freeze issue (0010:queued_spin_lock_slowpath+0x14b/0x170). |
NC-82332 |
Firewall |
Kernel panic. Unable to handle kernel NULL pointer "ip_route_me_harder". |
NC-82566 |
Firewall |
Kernel crash after update to 18.5 MR2. RIP:0010:_raw_read_lock_bh+0x14/0x30. |
NC-83470 |
Firewall, VFP-Firewall |
Unable to handle kernel NULL pointer dereference at 0000000000000003 in XG 750 during Connection rate test. |
NC-83734 |
Firewall |
Inbound emails dropped at times with SMTP scanning turned on in HA load balancing. |
NC-86093 |
Firewall |
Duplicate firewall rule group. |
NC-89076 |
Firewall, VFP-Firewall |
Unable to access `www.radix.ad.jp` on the environment tagged VLAN with DPI configured. |
NC-89162 |
Firewall |
Appliance restarts automatically. 0010:queued_spin_lock_slowpath+0x148/0x170. |
NC-90024 |
Firewall |
Backup restore and migration fails when multiple local ACL rules are configured. |
NC-91295 |
Firewall |
Zones tab showing blank after deleting zone created on second page. |
NC-95861 |
Firewall |
Country blocking through firewall rule isn't working. |
NC-97883 |
Firewall |
Unable to upgrade firmware or restore backup from 17.5.15 to 19.0 GA. Duplicate key value violates unique constraint "tblfirewallrule_unique_name". |
NC-98089 |
Firewall |
Unable to restore backup from SG 230 18.5 MR3 to XGS 2300 19.0 GA. |
NC-100084 |
Firewall |
DNAT issue when multiple hosts are added. |
NC-102308 |
Firewall |
Disabled load balancing NAT rules still sending out alerts for the rules. |
NC-102436 |
Firewall |
Appliance access was lost, and local ACL rules stopped working after restoring backup. |
NC-102614 |
Firewall |
Traffic not working with FastPath for bridge with logical members after migrating to 19.0 GA. Traffic shouldn't get offloaded. |
NC-86819 |
Firmware Management, Licensing |
AWS instance stuck when starting it. |
NC-88207 |
Firmware Management |
Firmware update fails when space is used in file name. |
NC-94291 |
Firmware Management |
Small var partition created for VM image using aux disk. |
NC-100716 |
FQDN |
ipset sporadically not created for wildcard FQDN host. |
NC-100250 |
Gateway Management |
RCA: Unable to change DGD settings for a specific WAN port. |
NC-82225 |
HA |
Unable to establish HA correctly on fiber ports. |
NC-92282 |
HA |
System services page doesn't load. |
NC-95351 |
HA |
HA failover isn't working due to automatic restart of the auxiliary device. |
NC-100623 |
Hotspot |
Hotspot voucher creation fails. |
NC-99801 |
Interface Management |
Unable to delete a LAG interface. |
NC-101046 |
IPS-DAQ |
Website doesn't work due to OCSP must-staple in Firefox browser. |
NC-86451 |
IPS-DAQ-NSE |
Unable to access web server through XG Firewall with SSL/TLS inspection error "Dropped due to TLS internal error". |
NC-92131 |
IPS-DAQ-NSE |
Unable to upload a large file with SSL/TLS inspection turned on in do-not-decrypt mode. |
NC-106834 |
IPS-DAQ-NSE |
Connection untrusted when browsing some sites. |
NC-100699 |
IPsec |
SMB file transfer stops and doesn't recover with IPsec acceleration and policy-based VPN. |
NC-106608 |
IPsec |
Duplicate SAs created. |
NC-79128 |
IPsec |
Memory usage increased to 90 percent over 20-25 days. |
NC-81207 |
IPsec |
Web admin console shows error when updating any VPN tunnel configuration. |
NC-81944 |
IPsec |
WWAN doesn't connect after random disconnect event if xfrm interface is created on WWAN. |
NC-83065 |
IPsec |
System generated traffic getting impacted when route precedence is set to VPN and remote subnet to Any. |
NC-83445 |
IPsec |
Constant IPsec VPN flapping. Pushed through Central SD-WAN Orchestration. |
NC-84750 |
IPsec |
Auxiliary device sporadically receives IPsec packets. |
NC-85383 |
IPsec |
Unable to connect IPsec remote access due to invalid .scx file. |
NC-88404 |
IPsec |
IPsec tunnel didn't come up automatically after the restart of a HA appliance. |
NC-90247 |
IPsec |
IPsec VPN failback isn't working. |
NC-94734 |
IPsec |
PPPoE isn't connecting after random disconnect event if xfrm interface is created on PPPoE. |
NC-95239 |
IPsec |
Different gateway entry in IPsec configurations when using DDNS. |
NC-95633 |
IPsec |
Unable to connect IPsec remote access due to invalid .scx file. |
NC-100707 |
IPsec |
Wrong source IP address in IPsec routes. |
NC-101355 |
IPsec |
Migration from 19.0 GA to 19.0 MR1 fails. |
NC-103733 |
IPsec |
Amazon VPC connection issue since BGP service keeps restarting. |
NC-97753 |
IPS Engine, IPS Policy |
Unable to upgrade to 19.0 GA from 18.0.4. Duplicate config disable_decode_alerts in tblconfiguration table. |
NC-100681 |
IPS Engine |
Increase in snort memory usage with ATP pattern updates. |
NC-107999 |
IPS Ruleset Management |
HA cluster configuration fails when there's no Network Protection license. |
NC-83177 |
IPS Ruleset Management |
Unable to toggle IPS switch in 18.5 MR2. |
NC-98576 |
IPS Ruleset Management |
IPS pattern not updating. |
NC-99152 |
Logging Framework |
Central reporting: Couldn't initiate the mmap case when queue limit reached with no central connectivity. |
NC-101713 |
Logging Framework |
PG trigger entry not present for sign-in events if on-appliance reporting is turned off. |
NC-94418 |
Logging Framework (Central Reporting) |
Central reporting feature is stuck at write_data2_file. |
NC-101716 |
NFP-Firewall |
Packet drop and slow file transfer with IPsec (IPsec acceleration) and NAT-T. |
NC-97058 |
NFP-Firewall |
VPN traffic for specific tunnel periodically stops when IPsec acceleration is enabled. |
NC-94128 |
NFP-Firewall |
Firewall stopped responding on specific port. |
NC-90566 |
NFP-Firewall |
Traffic not traversing XGS Firewall for a specific configuration. |
NC-98094 |
nSXLd |
Unable to categorize URLs and IP addresses using external URL database. |
NC-85412 |
PPPoE |
PPPoE password issue. |
NC-95197 |
RED |
Appliance auto-restarts frequently in a day or two. |
NC-90839 |
RED |
RED interface disappears when changing the DHCP server configuration. |
NC-88628 |
RED |
RED UDP packets are forwarded to the auxiliary device after HA switchover. |
NC-76071 |
RED |
XGS-2100 - Interface doesn't have any IP address when same firmware is restored on the same hardware. |
NC-94337 |
Reporting |
Migration failure to 19.0 GA - MaxNoTables24hr_tls exists. |
NC-81131 |
Reporting |
Last access time isn't generated when there are users with username having XSS payload. |
NC-86690 |
SDWAN Routing |
SD-WAN FTP proxy traffic not working with transparent proxy. |
NC-86652 |
SDWAN Routing |
TFTP traffic doesn't follow SD-WAN routing. |
NC-83366 |
SDWAN Routing |
Turning off captcha on VPN zone isn't working for route-based VPN with SD-WAN routing. |
NC-93720 |
SecurityHeartbeat |
delay-missing-heartbeat-detection not synchronized on the auxiliary device. |
NC-85423 |
SNMP |
Kernel fails on XG 125 with SNMP high memory consumption. |
NC-74120 |
Spoofing |
Traffic through bridge will be blocked as IP_Spoof if spoof protection is turned on for the involved zone. |
NC-102737 |
SSLVPN |
SSL VPN service stuck in busy status. Site-to-site and remote access SSL VPN affected. |
NC-99247 |
SSLVPN |
Unable to download SSL VPN site-to-site server configuration. |
NC-98574 |
SSLVPN |
Traffic isn't passing through site-to-site SSL VPN tunnel though tunnel is up. |
NC-94661 |
SSLVPN |
Android and iOS users aren't able to import SSL VPN ovpn file. |
NC-93919 |
SSLVPN |
SecurityHeartbeat_over_VPN object removed from SSL VPN policy after an SSL VPN global configuration change. |
NC-88483 |
SSLVPN |
OpenVPN deferred auth vulnerability (CVE-2022-0547). |
NC-87596 |
SSLVPN |
Site-to-site and remote access SSL VPN not working. |
NC-83469 |
SSLVPN |
Dashboard doesn't reflect the remote user's details. |
NC-101075 |
Static routing |
Static route to RED disappears when XGS in HA 19.5 is restarted. |
NC-93689 |
Up2Date Client |
Cosmetic issue with SASI pattern after firmware downgrade. |
NC-100334 |
WAF |
Virtual host not removed if firewall rule is turned off. |
NC-84146 |
WAF |
Warning about subject alternate not being part of domain. |
NC-102093 |
Web |
Upgrading from 19.0 GA to 19.5 EAP0 can leave nasm directory in a bad status. |
NC-100265 |
Web |
Expired certificates in certcache are being used rather than generating new ones. |
NC-83584 |
WebInSnort |
IPS segfault in libnsg_tcphold_preproc. |
NC-81956 |
WebInSnort |
HTTPS traffic to internal server on 8080 is dropped by ips tcphold. |
NC-94019 |
Wireless |
Wrong MAC-aging time for bridge interface Guest AP. |
NC-90684 |
Wireless |
Multiple APX 320s not registering with XG Firewall. Not showing up in pending list. |
NC-87659 |
Wireless |
Legacy AP roaming key decryption is failing when fast transition is turned on. |
NC-85549 |
Wireless |
SFOS goes in bad status after a restart if time-based SSID is configured. |
NC-84604 |
Wireless |
Unable to restore backup from SG 230 to XGS 2300 due to access point database issue. |
NC-107453 |
WAF |
WAF rules not working on auxiliary appliance. |