Headline
CVE-2021-36806: Sophos Email Appliance version 4.5.3.4 released
A reflected XSS vulnerability allows an open redirect when the victim clicks a malicious link to an error page on Sophos Email Appliance older than version 4.5.3.4.
Hi everyone,
Sophos Email Appliance version 4.5.3.4 was released on February 2, 2023.
Limited release
Version 4.5.3.4 was released to an initial group of customers on February 2, 2023. This release will be made available to all customers over the next few weeks. If you would like to get early access to new features, please contact Sophos Support.
Release Information
This release resolves several issues. The appliance will restart after this update.
You should also familiarize yourself with the known issues, since improper configuration of certain options may cause unexpected behavior.
Before you begin installing and configuring the Email Appliance, you should review the configuration directions.
Internet Explorer 7 and later, and Mozilla Firefox version 4.x and later, are the only supported browsers for this product release. However, the Email Appliance has been optimized for current-generation browsers. If you are using an older browser such as Internet Explorer 6 and experience performance issues, consider upgrading to a newer version of Internet Explorer, or to a recent version of Firefox.
Issues resolved in the Sophos Email Appliance 4.5.3.4 release:
- Fixed potential vulnerability to CVE-2021-36806 (SEA-1779).
- Fixed a potential vulnerability to cipher block chaining (CBC) ciphers with TLS (SEA-1656). TLS 1.1 is now disabled on port 25.
- Removed expired certificates (SEA-1846).
- Added the Amazon root certificate authority (CA) (SEA-1683).
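To check item SEA-1656 from the outside after the update, here is an added probe (not from the release notes or from Sophos) that opens an SMTP session to port 25 and issues STARTTLS with three client profiles: TLS 1.2+ with AEAD suites only, TLS 1.1 only, and TLS 1.2 with CBC suites only; a hardened appliance accepts the first and refuses the other two. The hostname is a placeholder, and the CBC classification is a heuristic on OpenSSL cipher-suite names.

```python
import smtplib
import ssl

# Heuristic on OpenSSL suite names: a suite with no AEAD marker is a CBC-mode suite.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")

def is_cbc_cipher(name: str) -> bool:
    """True for a TLS cipher-suite name that uses a CBC-mode block cipher."""
    return not any(marker in name.upper() for marker in AEAD_MARKERS)

def _probe_context() -> ssl.SSLContext:
    # Certificate checks are off: we probe protocol/cipher support, not server identity.
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return ctx

def _tls12_names(ctx: ssl.SSLContext, want_cbc: bool) -> list:
    # TLS 1.3 suites are AEAD-only and configured separately, so only TLS 1.2 names count.
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and is_cbc_cipher(c["name"]) == want_cbc]

def modern_context() -> ssl.SSLContext:
    """What a hardened appliance must accept: TLS 1.2+ with AEAD suites only."""
    ctx = _probe_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(_tls12_names(ctx, want_cbc=False)))
    return ctx

def legacy_context(kind: str) -> ssl.SSLContext:
    """What a hardened appliance must refuse: kind is 'tls11' or 'cbc'."""
    ctx = _probe_context()
    if kind == "tls11":
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    else:  # 'cbc': pin TLS 1.2 (TLS 1.3 has no CBC suites) and offer only CBC suites
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(":".join(_tls12_names(ctx, want_cbc=True)))  # raises if none
    return ctx

def smtp_starttls_accepted(host: str, port: int, ctx: ssl.SSLContext) -> bool:
    """Open an SMTP session and issue STARTTLS with ctx; True if the handshake completed."""
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return True
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return False  # refused, not advertised, or unreachable: not accepted

def verify_port25_hardening(host: str) -> dict:
    """Expected after SEA-1656: modern_accepted True, tls11_accepted and cbc_accepted False."""
    return {"modern_accepted": smtp_starttls_accepted(host, 25, modern_context()),
            "tls11_accepted": smtp_starttls_accepted(host, 25, legacy_context("tls11")),
            "cbc_accepted": smtp_starttls_accepted(host, 25, legacy_context("cbc"))}
```

Run `verify_port25_hardening("sea.example.internal")` against the appliance (placeholder hostname); a client OpenSSL that itself no longer supports TLS 1.1 or CBC suites also reports them as not accepted, so confirm the legacy probes succeed against a known-unpatched host before trusting a negative result.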
Reference: https://esa.sophos.com/rn/sea/concepts/ReleaseNotes_4.5.3.4.html