Sophos Security Advisory for Sophos Central Server: Message Relay

Sophos uses Apache in its Message Relay feature, which leads to requests about exposure when vulnerabilities are reported in certain Apache modules. This article details which modules the Message Relay feature uses.

Applies to the following Sophos product(s) and version(s)

Central Server Message Relay 1.0.13

Apache Modules used by Message Relay:

  • mod_access_compat
  • mod_authz_core
  • mod_env
  • mod_log_config
  • mod_logio
  • mod_proxy
  • mod_proxy_connect
  • mod_unique_id

Our custom modules:

  • mod_proxy_connect_v2
  • mod_message_relay

Known Issues

The Message Relay feature (Message Relay v1.2.5.0) is currently using Apache 2.4.37; this version of Apache has the following issues:

  • CVE-2018-17189 : mod_http2
  • CVE-2018-17199 : mod_session_cookie
  • CVE-2019-0190 : mod_ssl
  • CVE-2019-0196 : mod_http2
  • CVE-2019-0197 : mod_http2
  • CVE-2019-0211 : Unix only
  • CVE-2019-0215 : mod_ssl
  • CVE-2019-0217 : mod_auth_digest
  • CVE-2019-0220 : core

Sophos Message Relay does use modules affected by the CVE-2019-0220 vulnerability; however, because changes are only possible via Sophos Central and the Message Relay config files are tamper protected, we mitigate the risk. We are planning to upgrade the version of Apache to v2.4.39, which addresses all of the above vulnerabilities. We will update this article with dates for the release once we have them.
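The module-by-module reasoning above can be checked on a relay host by comparing the output of `httpd -M` against the two lists in this article. The following is an added example, not Sophos code: the sample output is constructed, the `*_module` identifiers for the two custom modules are assumed, and the function names are hypothetical.

```python
import re

# CVE -> affected component, copied from the Known Issues list above.
ADVISORY_CVES = {
    "CVE-2018-17189": "mod_http2", "CVE-2018-17199": "mod_session_cookie",
    "CVE-2019-0190": "mod_ssl", "CVE-2019-0196": "mod_http2",
    "CVE-2019-0197": "mod_http2", "CVE-2019-0211": "Unix only",
    "CVE-2019-0215": "mod_ssl", "CVE-2019-0217": "mod_auth_digest",
    "CVE-2019-0220": "core",
}
# Modules this article lists for Message Relay, including the two custom ones.
ADVISORY_MODULES = {
    "mod_access_compat", "mod_authz_core", "mod_env", "mod_log_config",
    "mod_logio", "mod_proxy", "mod_proxy_connect", "mod_unique_id",
    "mod_proxy_connect_v2", "mod_message_relay",
}
# Constructed sample of `httpd -M` output (not captured from a real relay).
SAMPLE = ("Loaded Modules:\n core_module (static)\n so_module (static)\n"
          " http_module (static)\n" + "".join(
              f" {m[4:]}_module (shared)\n" for m in sorted(ADVISORY_MODULES)))

MODULE_LINE = re.compile(r"^\s*(\w+)_module \((static|shared)\)\s*$")

def parse_modules(text):
    """Return {name: 'static'|'shared'} from `httpd -M` output.

    foo_module is reported as mod_foo (the usual naming convention);
    core_module is reported as 'core' to match the advisory's wording.
    """
    found = {}
    for line in text.splitlines():
        m = MODULE_LINE.match(line)
        if m:
            name = m.group(1)
            found["core" if name == "core" else "mod_" + name] = m.group(2)
    return found

def applicable_cves(text, is_unix):
    """CVEs from the advisory whose affected component is actually loaded."""
    mods = parse_modules(text)
    return sorted(cve for cve, comp in ADVISORY_CVES.items()
                  if (comp == "Unix only" and is_unix) or comp in mods)

def unlisted_shared(text):
    """Dynamically loaded modules that this article does not list (drift)."""
    return {name for name, kind in parse_modules(text).items()
            if kind == "shared" and name not in ADVISORY_MODULES}

if __name__ == "__main__":
    print(applicable_cves(SAMPLE, is_unix=False), unlisted_shared(SAMPLE))
```

A non-empty result from `unlisted_shared` means the running configuration no longer matches the module list in this article, so the exposure statement above should be re-evaluated for that host.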
