News
- Maintenance Release
- Security Release
These release notes are for Sophos UTM.
View the product documentation at Sophos UTM help.
Sophos UTM no longer uses CFFS servers for web categorization. With this release, all online web categorizations will use Sophos XL Categorisation (SXL). This has been the default method since version 9.3, so this change will impact very few devices.
We recommend you upgrade to this release to benefit from this change.
For more information, see Decommissioning of obsolete URL categorization services (CFFS) on 1 September 2023.
You can now see the RED unlock code if you're changing a RED device to manage and connect it through a different UTM device.
When you delete a RED device from the UTM WebAdmin console, the WebAdmin console shows the unlock code in a pop-up message confirming the delete action. It also sends an email notification containing the unlock code to the email addresses listed as "Notification Recipients" under Management > Notifications > Global.
You can now turn on IMDSv2 in your Amazon EC2 instances running Sophos UTM with PAYG licenses.
Earlier, support for IMDSv2 was available only with BYOL UTM licenses.
We've now integrated the 64-bit Avira scan engine with Sophos UTM. So, starting with this release, the following services run in the 64-bit mode by default:
If you've installed the 32-bit Sophos UTM OS, these services will continue to run in the 32-bit mode.
See Sophos NSG: End of Support for Avira 32-bit Scan Engine for more information.
You can now turn on IMDSv2 in your Amazon EC2 instances running Sophos UTM. Sophos UTM supports IMDSv2 only with BYOL UTM licenses. It isn't supported with PAYG UTM licenses.
Support for PAYG UTM licenses has been added in Sophos UTM 9.715.
This release includes a new version of the Wireless AP firmware, version 11.0.019. It includes changes required for the very latest revision of supported APX access point models, as well as addressing the recently-announced certificate parsing vulnerability in OpenSSL.
We've removed the end-of-life SSL VPN client. It's no longer available for download from the User Portal. For more information see this end-of-life notice and this vulnerability disclosure.
Sophos Connect is the recommended alternative to the old SSL VPN and IPsec clients. We've updated the remote access section of the user portal to reflect that.
This release includes a fix for a post-authentication SQL injection vulnerability in the user portal (CVE-2021-36807). For more information on this vulnerability see this advisory. As always, we recommend that you update to this version as soon as possible.
Also included in this release is an update for OpenSSL which removes support for ciphersuites that include the non-EC Diffie-Hellman(DH) algorithm for key exchange. These ciphersuites have been considered weak for some time now. For uses where the UTM is a server (e.g. WAF, SMTP), these cipher suites were already excluded by default prior to this update so there should be no significant impact. Where the UTM acts as a client making connections to external SSL/TLS services running old software with limited support for more modern protocols, this could cause connection issues. For example, users connecting through the web proxy with HTTPS decryption enabled will no longer be able to connect to old servers that have poor support for modern ciphers.
With this release, SG UTM now supports the latest versions of firmware for Sophos wireless access points and RED/SD-RED devices. Updating your UTM will make the new firmware updates available. For more information on these important firmware updates, see these posts from the Sophos Firewall community log:
New installations of UTM 9.706 have strict TCP session handling
enabled by default.
When updating to 9.706 and strict TCP session handling is not
enabled, admins can enable it under Network Protection > Firewall > Advanced.
Up2Date updates will be downloaded via HTTPS connections. In cases where UTM 9 is being used with an upstream proxy or behind a different firewall, it may be necessary to change the configuration on these devices to allow UTM 9 to retrieve Up2Date information via HTTPS.
Starting with this release, E-Mail Protection will use the Sophos
Anti-Spam Interface (SASI) for anti-spam scanning. SASI is already being used as part of
Sophos Email and will replace the currently used anti-spam engine in UTM 9.
In
case of false positive or false negative detections, please follow the instructions in
this support article on how to submit a sample.
| Issue ID | Component | Description |
|---|---|---|
| NUTM-14447 | AWS, Network | VPC route propagation not working for added and deleted networks while connected |
| NUTM-14452 | Basesystem | OpenVPN config files are not compatible with OpenVPN 3 clients |
| NUTM-14381 | Basesystem | Ulogd coredump |
| NUTM-13857 | Basesystem | Tinyproxy vulnerability (ha_proxy) - CVE-2022-40468 |
| NUTM-12916 | Basesystem | Curl vulnerabilities - CVE-2021-22924, CVE-2023-28321, CVE-2023-28322, and others |
| NUTM-14464 | Basesystem | Add the Sophos wildcard URL to default HTTPS scanning exceptions |
| NUTM-14465 | Cluster/HA | Firewall misconfiguration could lead to ha_proxy acting as open proxy |
| NUTM-14319 | Configuration Management, Security | Strengthen backup encryption |
| NUTM-14364 | Reply emails show the warning: "S/MIME: WARNING - Encrypted, but cannot verify signature" | |
| NUTM-14102 | Upgrade Exim to 4.97.1 | |
| NUTM-14487 | UI Framework | POST to WebAdmin with no Content-Type header causes worker crash |
| NUTM-14442 | UI Framework | Arbitrary host header manipulation in the user portal |
| NUTM-14456 | UI Framework | Add a banner reminding that EOL access point devices are in use |
| NUTM-14486 | WAF | WAF Segmentation fault with coredump |
| NUTM-12897 | Web | Open redirection vulnerability on the login page |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-14288 | Basesystem | Samba vulnerability - CVE-2022-2127 |
| NUTM-14285 | Basesystem | Turned off session tickets on WebAdmin and user portal. |
| NUTM-14237 | Basesystem | Removed deprecated XSS protection header from WebAdmin and user portal. |
| NUTM-14219 | Basesystem | Removed support for weak TLS signature algorithms in WebAdmin and user portal. |
| NUTM-14068 | Basesystem | Tar vulnerability - CVE-2022-48303 |
| NUTM-14289 | Endpoint | Removed Endpoint Protection from WebAdmin and system backend. |
| NUTM-14197 | Email stuck in queue with scanner timeout. | |
| NUTM-14305 | Logging | Failed logins for SSL VPN Remote Access aren't displayed in reports. |
| NUTM-14218 | RED | Turned off DHE ciphers for RED. |
| NUTM-14339 | WAF | Daily WAF Coredumps: Segmentation fault (11) |
| NUTM-13988 | Web | Improved performance and error handling for Active Directory SSO. |
| NUTM-13182 | Web | Reflected XSS in Web Proxy (CVE-2021-4429) |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-14362 | Basesystem | Increased granularity of ethernet offload options |
| NUTM-14368 | Exim: libspf2 vulnerability - CVE-2023-42118 |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-14139 | Basesystem | Mexico time zone still switches to DST |
| NUTM-14089 | Basesystem | High CPU usage by rrdtool due to DST |
| NUTM-14051 | Basesystem | Upgrade Postgres to 9.2.24 to address numerous vulnerabilities |
| NUTM-14038 | Basesystem | Address OpenSSL vulnerabilities: CVE-2023-0286, CVE-2023-0215 |
| NUTM-13689 | Basesystem | Upgrade Apache to 2.4.56 to address numerous vulnerabilities |
| NUTM-13537 | Basesystem | VLAN interfaces on a RED interface are deactivated if you turn off and then turn on the RED interface |
| NUTM-14172 | Potential denial of service vulnerability in SPX portal and Webadmin: CVE-2002-20001, CVE-2022-40735 | |
| NUTM-14107 | SPX announcement email without message ID header | |
| NUTM-14039 | Potential denial of service vulnerability in email service: CVE-2002-20001, CVE-2022-40735 | |
| NUTM-13882 | Downloading emails from Mail Manager fails | |
| NUTM-14217 | UI framework | WebAdmin post-auth command injection: CVE-2023-3367 |
| NUTM-14134 | WAF | Potential denial of service vulnerability in webserver protection: CVE-2002-20001, CVE-2022-40735 |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-14054, NUTM-14049 | AWS | PAYG license expires if you turn on IMDSv2 |
| NUTM-14015 | AWS, Basesystem | Unable to start the AWS HVM instance after you restart UTM |
| NUTM-13908 | Basesystem | IPsec doesn't reconnect on DHCP interface after firmware upgrade |
| NUTM-13906 | Basesystem | Address DHCP vulnerabilities: CVE-2022-2928, CVE-2022-2929 |
| NUTM-13770 | Basesystem | Turn off the autocomplete attribute in the password field for RESTful API authentication |
| NUTM-13490 | Basesystem | Address vulnerabilities in Zlib: CVE-2018-25032, CVE-2022-37434 |
| NUTM-13489 | Basesystem | Address bind vulnerabilities |
| NUTM-13488 | Basesystem | Address vulnerability in GNU tar: CVE-2021-20193 |
| NUTM-12593 | Basesystem | Add backend configuration for IPS SMTP Memcap |
| NUTM-14133 | Cluster, HA | After upgrading from 9.714-4 to 9.715-3 HA breaks |
| NUTM-14016 | RED | All RED connections drop and reconnect after RED server core dump |
| NUTM-13656 | Sandstorm | Excessive Sandbox database error messages in system.log |
| NUTM-13898 | Wireless | Address local WiFi driver vulnerabilities: CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722 |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-13947 | Web | Resolved an issue where web protection wasn't working if you made configuration changes on the Web Protection > Filtering Options > Misc > Misc Settings page. |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-13682 | Post-auth SQLi in Quarantine Manager (CVE-2022-3345) | |
| NUTM-13475 | Basesystem | High CPU usage by rrdtool due to daylight saving time changes |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-13758 | AWS | UTM update from 9.711 to 9.712-12 renders C5/M5 instances unusable |
| NUTM-13504 | WAF | Enforce usage of valid Let's Encrypt root CA |
| NUTM-13496 | Basesystem | Openssl vulnerability - CVE-2022-1292 |
| NUTM-13376 | Basesystem | DHCP Relay not working after upgrade to 9.704 |
| NUTM-13227 | Basesystem | uriparser vulnerabilities |
| NUTM-13215 | AWS | AWS Pay-As-You-Go license expires on C5/M5 instances |
| NUTM-12872 | Basesystem | LibXML vulnerability - CVE-2021-3541 |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-13433 | Wireless | AP/APX : Openssl Vulnerability - CVE-2022-0778 |
| NUTM-13421 | Basesystem | Upgrade Apache to 2.4.53 |
| NUTM-13419 | WAF | Upgrade Apache to 2.4.53 (WAF) - CVE-2022-22720 |
| NUTM-13326 | UI Framework | Identify 32-bit or 64-bit build in WebAdmin footer |
| NUTM-13394 | Basesystem | Openssl Vulnerability - CVE-2022-0778 |
| NUTM-13363 | Wireless | Integrate updated APX firmware version 11.0.019 |
| NUTM-13334 | Basesystem | PowerShell / Putty - Default SSH client options result in failed connection |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-12592 | Basesystem | Use Only Secure Ciphers for UTM SSH Server |
| NUTM-12784 | Basesystem | Patch BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, CVE-2021-25219) |
| NUTM-13101 | Basesystem | Patch Strongswan Vulnerability (CVE-2021-41991) |
| NUTM-13119 | Basesystem | Patch Binutils Vulnerability (CVE-2021-3487) |
| NUTM-13144 | Basesystem | Remove SSLVPN client downloader from UTM |
| NUTM-13192 | Basesystem | Use Secure Key Exchange Algorithms for SSH |
| NUTM-13203 | Basesystem | snmpd high memory for snmpwalk v3 |
| NUTM-12615 | Configuration Management | Root password hash exposed via confd*.log (CVE-2022-0652) |
| NUTM-13013 | Upgrade Exim to v4.95 | |
| NUTM-13200 | OAEP RSA padding mode still uses SHA-1 in S/MIME | |
| NUTM-13267 | SQLi in the Mail Manager (CVE-2022-0386) | |
| NUTM-13071 | Logging | IPFIX reporting transferred data on wrong direction |
| NUTM-12885 | Network | IPS exceptions issue |
| NUTM-12987 | RED | Issue with RED tunnel on BO after disconnecting PPPoE |
| NUTM-12936 | Web | Add configuration for overriding warn page proceed link protocol (Standard Mode SSO) |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-12868 | It is not possible to permanently block an IP from the SMTP-Proxy if authentication is enabled | |
| NUTM-13008 | Public DNS causing blocked connection with RBL | |
| NUTM-13193 | SPX portal 404 NO SUCH USER after upgrading to 9.708 | |
| NUTM-12791 | Wireless | Address the Frag Attack vulnerabilities for Local Wifi and connected AP devices (see https://community.sophos.com/b/security-blog/posts/multiple-vulnerabilities-aka-fragattacks-in-wifi-specification for more details) |
| NUTM-13263 | Wireless | Integrate updated AP firmware (v. 11.0.017) to address FragAttack issues |
| NUTM-12971 | WAF | Update Apache Runtime Library (APR) to address CVE-2021-35940 |
| NUTM-12861 | WAF | Upgrade Apache to address CVE-2020-13950, CVE-2021-26690, CVE-2021-26691, CVE-2021-34798, CVE-2021-39275, CVE-2021-40438 |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-12646 | Access & Identity | User E-Mail addresses won't be synced properly |
| NUTM-12873 | Access & Identity | GUI issue with selecting Inbound/Outbound ipsec debug option |
| NUTM-12904 | Access & Identity | DUO authentication fails back to AD with success |
| NUTM-12225 | Basesystem | Upgrade Apache to address numerous vulnerabilities including CVE-2020-13950, CVE-2021-26690, CVE-2021-26691, CVE-2021-34798, CVE-2021-39275, CVE-2021-40438 |
| NUTM-12434 | Basesystem | Yukon, Canada region timezone set to stop using DST |
| NUTM-12507 | Basesystem | Getting error message for command 'last' |
| NUTM-12717 | Basesystem | Resolve OpenSSL issues - Remove DH cipher support - (CVE-2020-1968) & (CVE-2021-3712) |
| NUTM-12748 | Basesystem | Address underscore.js vulnerability (CVE-2021-23358) |
| NUTM-12739 | E-Mails stuck in SMTP spool due to Sandstorm Scan | |
| NUTM-12798 | SPX doesn't work with "&" in the email local part | |
| NUTM-12875 | PCI compliance scan failure due to exim ciphers | |
| NUTM-12932 | Exim coredumps | |
| NUTM-12934 | Kernel | Fully implement RFC5961 compliance for SYN packets (CVE-2004-0230) |
| NUTM-12385 | Logging | Automatic log deletion by age of log file not working correctly. |
| NUTM-11404 | Network | Sierra Wireless MC7430 Qualcomm® SnapdragonTmX7 LTE-A 4G dongle goes down after few hours |
| NUTM-12126 | Network | If "Skip rule on interface error" is not used multipath rule doesn't work as expected |
| NUTM-12184 | Network | WAN interface switched to DHCP |
| NUTM-12519 | UI Framework | Post-auth SQLi in User Portal (CVE-2021-36807) |
| NUTM-12524 | UI Framework | Add Cache-Control header for Web Admin and User Portal |
| NUTM-13002 | UI Framework | AutoComplete Attribute Not Disabled for Password in Form-Based Authentication |
| NUTM-12680 | WAF | Unable to renew Let's Encrypt Certificate |
| NUTM-12285 | Web | Avira scan fails for certain files during upload through Webproxy |
| NUTM-11712 | Wireless | Built-in Wireless with two bridge to AP LAN errors and instability |
| NUTM-12199 | Wireless | Issue with the certificate chain for Let's Encrypt when used for hotspot |
| NUTM-12372 | Wireless | LocalWiFi: Intermittently unable to connect to the Wireless SSID |
| NUTM-12859 | Wireless | IPtables rules are not created for AP being part of 'Access Point Group' |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-12550 | Access & Identity | Replace deprecated option in SSLVPN client config |
| NUTM-12310 | SPF checks incorrectly occurring when multiple upstream hosts are configured in an availability group | |
| NUTM-12672 | Logging | IPFIX does not switch source and destination ports between inbound and outbound side of flow |
| NUTM-12749 | Basesystem | Update bzip2 to address CVE-2019-12900 |
| NUTM-12590 | Basesystem | Patch OpenSSL against CVE-2021-23840 & CVE-2021-23841 |
| Issue ID | Component | Description |
|---|---|---|
| NUTM-12471 | Basesystem | OpenSSL: CVE-2020-1971 - DoS |
| NUTM-12362 | Wireless | AP55/55C/100X/320X : Communication issue for Clients which are connected to the same SSID but at different APs |
| NUTM-12286 | ECC Ciphers ECDH-ECDSA not supported by Exim SMTP | |
| NUTM-12280 | RED | RED site-to-site tunnels reconnecting at random intervals (utm to tum) |
| NUTM-12254 | Wireless | Website not loading for wireless user due to large packets whose size is larger than the MTU of the link |
| NUTM-12228 | Documentation | WAF compression not working with CTF |
| NUTM-12204 | Web | High CPU with http proxy coredumps . |
| NUTM-12198 | Basesystem, UI Framework | Webadmin host injection reported |
| NUTM-12188 | Access & Identity | openl2tp service is dead and unable to start |
| NUTM-12148 | WAF | WAF not always sending SNI to backend |
| NUTM-12062 | Access & Identity | AD Group object not updated when user with an Umlaut in the username logs in |
| NUTM-12050 | Access & Identity | IPv6 auto-firewall rules missing with IPsec S2S respond only |
| NUTM-12045 | Network | INFO-122 Dhcpd not running |
| NUTM-12032 | Wireless | "&" sign in PSK cause issues after config change |
| NUTM-12029 | Web | AWS https scanning connect timeout on some sites with chrome |
| NUTM-11989 | Basesystem | BGP issue causes long delay in UTM startup |
| NUTM-11988 | Basesystem | Interface goes down after re-assigning the hardware of an interface |
| NUTM-11950 | WAF | AH00051 child pid XXXX exit signal Segmentation fault (11), possible coredump in /tmp |
| NUTM-11941 | unnecessary SMTP restarts due to a SSL VPN login | |
| NUTM-11915 | Network | Ipsec routes will be removed if a wifi network will be added and the ipsec local networks overlap with an existing wifi network |
| NUTM-11753 | Basesystem | SG450 RAID status not alerting |
See UTM for a full list of known issues with Sophos UTM.
You can find technical support for Sophos products in the following ways:
Copyright © 2022 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respectiveowners.