Available Languages

Updated:August 6, 2016

Document ID:1470490084126286

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Cisco Applied Mitigation Bulletin

Identifying and Mitigating Exploitation of the GNU Bash Environment Variable Command Injection Vulnerability

Doc ID:

35836

First Published:

2014 September 26 01:07 GMT

Version:

CVE-2014-6271

CVE-2014-6277

CVE-2014-6278

More...

IntelliShield

CVE-2014-6271

CVE-2014-6277

CVE-2014-6278

More...

IntelliShield

Cisco Response

Contents

Cisco Response
Device-Specific Mitigation and Identification
Additional Information
Cisco Security Procedures
Related Information

This Applied Mitigation Bulletin is a companion document to the PSIRT Security Advisory GNU Bash Environment Variable Command Injection Vulnerability and provides identification and mitigation techniques that administrators can deploy on Cisco network devices.

Vulnerability Characteristics

A vulnerability in GNU Bash could allow an unauthenticated, remote attacker to inject arbitrary commands.
This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2014-6271. Additionally, due to an incomplete fix, CVE-2014-6179 has also been assigned.

This document is specifically written for mitigating this vulnerability when attempts by attackers are made against vulnerable HTTP servers.

Vulnerability Overview

Information about vulnerable, unaffected, and fixed software is available in the Cisco Security Advisory, which is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash.

Mitigation Technique Overview

Cisco devices provide several countermeasures for this vulnerability. Administrators are advised to consider these protection methods to be general security best practices for infrastructure devices and the traffic that transits the network. This section of the document provides an overview of these techniques.

Cisco IOS Software can provide effective means of exploit prevention using IOS Zone-Based and User-Based Firewall. This protection mechanism filters and drops packets that are attempting to exploit this vulnerability.

Effective means of exploit prevention can also be provided by the Cisco ASA 5500 and 5500-X Series Adaptive Security Appliance, Cisco Catalyst 6500 Series ASA Services Module (ASASM), and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers using Application Layer Protocol Inspection. This protection mechanism filters and drops packets that are attempting to exploit this vulnerability.

Effective use of Cisco Intrusion Prevention System (IPS) event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability.

Effective use of Cisco Sourcefire Next-Generation Intrusion Prevention System event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability.

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of this vulnerability. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-Specific Mitigation and Identification

Caution: The effectiveness of any mitigation technique depends on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Specific information about mitigation and identification is available for these devices:

Cisco IOS Routers and Switches
Cisco ASA, Cisco ASASM, and Cisco FWSM Firewalls
Cisco Intrusion Prevention System
Sourcefire Intrusion Prevention System

Cisco IOS Routers and Switches

Mitigation: IOS Zone Based Firewall

Starting in Cisco IOS Software Release 12.4(6)T, Zone-Based Policy Firewall (ZFW) replaced Cisco IOS Context-Based Access Control (CBAC). It offers granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic.

In Cisco IOS ZFW, zones establish the security borders of the network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of your network. The ZFW default policy between zones is to deny all traffic. If no policy is explicitly configured, all traffic attempting to move between zones is blocked. ZFW uses a configuration policy language known as Cisco Policy Language (CPL). Users familiar with the Cisco IOS Software Modular quality-of-service (QoS) CLI (MQC) might recognize that the format is similar to the way class maps are used in a QoS configuration to specify which traffic will be affected by the action applied in a policy map. Cisco IOS ZFW supports stateful Layer 4 IPv4 and IPv6 inspections and can also provide application-specific inspection, stateful firewall failover, authentication proxy, denial of service (DoS) mitigation, URL filtering, and more.

ZFW http Layer 7 inspection can also be used to block HTTP traffic with a regex of \x28\x29\x20\x7b in the HTTP header. CPU levels may go up considerably when inspecting HTTP headers. This should be tested in a lab environment prior to deployment in a production network.

For configuration examples refer to the IOS ZBF Set-by-Step Configuration and IPv6 Zone Based Firewall (ZFW) Configuration documents in the Cisco Support Community and Cisco Configuration Professional: Zone-Based Firewall Blocking Peer to Peer Traffic Configuration Example. For more information on Cisco IOS ZBF, refer to the Zone-Based Policy Firewall Design and Application Guide.

Cisco ASA, Cisco ASASM, and Cisco FWSM Firewalls

Mitigation: Application Layer Protocol Inspection

Application layer protocol inspection is available beginning in software release 7.2(1) for the Cisco ASA 5500 and 5500-X Series Adaptive Security Appliance, software release 8.5 for the Cisco Catalyst 6500 Series ASA Services Module, and in software release 4.0(1) for the Cisco Firewall Services Module. This advanced security feature performs deep packet inspection of traffic that transits the firewall. Administrators may construct an inspection policy for applications that require special handling through the configuration of inspection class maps and inspection policy maps, which are applied via a global or interface service policy. Application inspection will inspect both IPv4 and IPv6 packets matched in the class-map of the policy.

Additional information about application layer protocol inspection and the Modular Policy Framework (MPF) is in the Getting Started with Application Layer Protocol Inspection section of Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.2.

Caution: Application layer protocol inspection will decrease firewall performance. Administrators are advised to test performance impact in a lab environment before this feature is deployed in production environments.

HTTP Application Inspection
By using the HTTP inspection engine on the Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances, Cisco 6500 Series ASA Services Modules, and the Cisco Firewall Services Module, administrators can configure regular expressions (regexes) for pattern matching and construct inspection class maps and inspection policy maps. These methods can help protect against specific vulnerabilities, such as the one described in this document, and other threats that may be associated with HTTP traffic. The following HTTP application inspection configuration uses the Cisco Modular Policy Framework (MPF) to create a policy for inspection of traffic on TCP ports 80, 3128, 8000, 8010, 8080, 8888, and 24326, which are the default ports for the Cisco IPS #WEBPORTS variable. If a server is running on a non-standard webport that should be added to the list.

Caution: The configured regexes can match text strings at any location in the body of an HTML response. Care should be taken to ensure that legitimate business applications that use matching text strings are not affected. Additional information about regex syntax is in Creating a Regular Expression.

!
!-- Configure an HTTP application class that looks for the regex \x28\x29\x20\x7b 
!-- that is typically used to exploit this vulnerability
! 

regex CVE-2014-6271 “\x28\x29\x20\x7b”
                   
! 
!-- Configure a regex class to match on the regular  
!-- expressions that are configured above
! 
class-map type regex match-any CVE-2014-6271_class
 match regex CVE-2014-6271

!
!-- Configure an object group for the default ports that 
!-- are used by the Cisco IPS #WEBPORTS variable, which 
!-- are TCP ports 80 (www), 3128, 8000, 8010, 8080, 8888, 
!-- and 24326
!
object-group service WEBPORTS tcp
 port-object eq www 
 port-object eq 3128 
 port-object eq 8000 
 port-object eq 8010 
 port-object eq 8080 
 port-object eq 8888 
 port-object eq 24326 
!
!-- Configure an access list that uses the WEBPORTS object 
!-- group, which will be used to match TCP packets that 
!-- are destined to the #WEBPORTS variable that is used 
!-- by a Cisco IPS device
!
access-list Webports_ACL extended permit tcp any any object-group WEBPORTS 
!
!-- Configure a class that uses the above-configured
!-- access list to match TCP packets that are destined
!-- to the ports that are used by the Cisco IPS #WEBPORTS
!-- variable
!
class-map Webports_Class
 match access-list Webports_ACL
!
!-- Configure an HTTP application inspection policy that  
!-- identifies, drops, and logs connections that contain   
!-- the regexes that are configured above
! 
regex all_headers *
policy-map type inspect http CVE-2014-6271_policy
 parameters
!
!-- "body-match-maximum" indicates the maximum number of 
!-- characters in the body of an HTTP message that
!-- should be searched in a body match. The default value is
!-- 200 bytes. A large number such as that shown here may have
!-- an impact on system performance.  Administrators are advised
!-- to test performance impact in a lab environment before 
!-- this command is deployed in production environments
!
  body-match-maximum 1380
 match request header regex all_headers CVE-2014-6271_class
  drop-connection log
 
!
!-- Add the above-configured "Webports_Class" that matches 
!-- TCP packets that are destined to the default ports  
!-- that are used by the Cisco IPS #WEBPORTS variable to  
!-- the default policy "global_policy" and use it to 
!-- inspect HTTP traffic that transits the firewall
! 
policy-map global_policy
 class Webports_Class
  inspect http CVE-2014-6271_policy
!
!-- By default, the policy "global_policy" is applied 
!-- globally, which results in the inspection of 
!-- traffic that enters the firewall from all interfaces 
!
service-policy global_policy global

For additional information about the configuration and use of object groups, reference the Objects and ACLs section of Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.2.

Additional information about HTTP application inspection and the MPF is in the HTTP Inspection section of Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.2.

For information on using the Cisco Firewall CLI to gauge the effectiveness of application inspection, please refer to the Cisco Security Intelligence Operations white paper Identification of Security Exploits with Cisco ASA, Cisco ASASM, and Cisco FWSM Firewalls.

Cisco Intrusion Prevention System

Mitigation: Cisco IPS Signature Table

Administrators can use the Cisco IPS appliances and services modules to provide threat detection and help prevent attempts to exploit the vulnerability described in this document. The following table provides an overview of CVE identifier and the respective Cisco IPS signature that will trigger events on potential attempts to exploit this vulnerability.

CVE ID	Signature Release	Signature ID	Signature Name	Enabled	Severity	Fidelity*
CVE-2014-6271	S824	4689-0	Bash Environment Variable Command Injection	Yes	High	85
CVE-2014-6271	S824	4689-1	Bash Environment Variable Command Injection	Yes	High	85
CVE-2014-6271	S824	4689-2	Bash Environment Variable Command Injection	Yes	High	85
CVE-2014-6271	S824	4689-3	Bash Environment Variable Command Injection	Yes	High	85

* Fidelity is also referred to as Signature Fidelity Rating (SFR) and is the relative measure of the accuracy of the signature (predefined). The value ranges from 0 through 100 and is set by Cisco Systems, Inc.

Administrators can configure Cisco IPS sensors to perform an event action when an attack is detected. The configured event action performs preventive or deterrent controls to help protect against an attack that is attempting to exploit the vulnerability listed in the preceding table.

Exploits that use spoofed IP addresses may cause a configured event action to inadvertently deny traffic from trusted sources.

Cisco IPS sensors are most effective when deployed in inline protection mode combined with the use of an event action. Automatic Threat Prevention for Cisco IPS 7.x and 6.x sensors that are deployed in inline protection mode provides threat prevention against an attack that is attempting to exploit the vulnerability that is described in this document. Threat prevention is achieved through a default override that performs an event action for triggered signatures with a riskRatingValue greater than 90.

For additional information about the risk rating and threat rating calculation, reference Risk Rating and Threat Rating: Simplify IPS Policy Management.

For information on using Cisco Security Manager to view the activity from a Cisco IPS sensor, see Identification of Malicious Traffic Using Cisco Security Manager white paper.

Sourcefire Signature Information

Mitigation: Sourcefire Signature Table

The following Sourcefire Snort signatures are available for the vulnerabilities discussed in this document.

CVE ID	GID:SID
CVE-2014-6271	1:31975
CVE-2014-6271	1:31976
CVE-2014-6271	1:31977
CVE-2014-6271	1:31988

For information about using Sourcefire Snort and Sourcefire Next Generation IPS, reference Sourcefire Next-Generation Security.

Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Related to This Bulletin

Cisco Event Response: GNU Bash Environmental Variable Command Injection Vulnerability

GNU Bash Environment Variable Command Injection Vulnerability

Another Major Vulnerability Bashes Systems

GNU Bash Environment Variable Command Injection Vulnerability

GNU Bash Environment Variable String Value Handling Vulnerability

Revision History

Version Description Section Date

1 Initial Release 2014-September-26 01:07 GMT

Show Less

Version	Description	Section	Date
1	Initial Release		2014-September-26 01:07 GMT

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Related Information

Affected Products

The security vulnerability applies to the following combinations of products.

Primary Products
Cisco	Cisco NAC Appliance Software	4.0.0 (Base)
	Cisco Unified Communications Manager	9.1 (Base)
	Cisco ASA CX Context-Aware Security Software	9.0 (Base, .1, .1-40, .2, .2-68) \| 9.3 (Base, (1.1.112))
	Cisco Prime Security Manager (PRSM)	9.0 (.0, .1-40, .2-68) \| 9.1 (.0, .2-29, .2-42, .3-8, .3-10, .3-13) \| 9.2 (.0, .1-1, .1-2)
GNU Public License	BASH	3.0 (Base, .16) \| 3.1 (Base) \| 3.2 (Base) \| 4.0 (Base) \| 4.1 (Base) \| 4.2 (Base, patch 1, patch 2, patch 3, patch 4, patch 5, patch 6, patch 7, patch 8, patch 9, patch 10, patch 11, patch 12, patch 13, patch 14, patch 15, patch 16, patch 17, patch 18, patch 19, patch 20, patch 21, patch 22, patch 23, patch 24, patch 25, patch 26, patch 27, patch 28, patch 29, patch 30, patch 31, patch 32) \| 4.3 (Base)

Associated Products
Apple	Mac OS X	10.7.5 (Base) \| 10.8.5 (Base) \| 10.9.5 (Base)
Apple	Mac OS X Server	10.7.5 (Base)
Blue Coat Systems, Inc.	Content Analysis System	1.1 (Base, .1.1, .2.1, .3.1, .4.1, .5.1)
	Director (SGME)	5.2.1.0 (Base) \| 5.2.2.1 (Base) \| 5.2.2.5 (Base) \| 5.3.1.1 (Base) \| 5.3.1.2 (Base) \| 5.3.1.3 (Base) \| 5.3.1.4 (Base) \| 5.4.0.1 (Base) \| 5.4.1.1 (Base) \| 5.4.2.4 (Base) \| 5.5 (Base) \| 5.4.2.5 (Base) \| 6.1 (Base) \| 5.5.1.1 (Base)
	Malware Analysis Appliance	1.1 (Base, .1)
	Management Center	1 (Base, .1, .2)
	Reporter	9.4 (Base)
	Security Analytics Platform	6.0 (Base) \| 7.0 (Base)
	X-Series XOS	Original Release (Base)
CentOS Project	CentOS	5 (.0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64, .3 i386, .3 x86_64, .4 i386, .4 x86_64, .5 i386, .5 x86_64) \| 6 (.0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64) \| 7 (x86_64)
Cisco	Cisco Application and Content Networking System (ACNS) Software	Original Release (Base)
	Cisco Application Policy Infrastructure Controller (APIC)	1.1 ((1j))
	Cisco Prime Access Registrar	1.7 (Base) \| 3.0 (Base) \| 3.5 (Base) \| 4.0 (Base) \| 4.1 (Base, .2)
	Cisco ACE 4700 Series Application Control Engine Appliances	A5 (Base, (3.0))
	Cisco Digital Media Manager Software	3.5 (Base, .1) \| 4.0 (Base) \| 4.1 (Base) \| 5.0 (Base, .2, .3) \| 5.1 (Base) \| 5.2 (Base, 5.2.1, 5.2.1.1, 5.2.2, 5.2.2.1, 5.2.3) \| 5.3 (Base)
	Cisco Digital Media Player Software	5.0 (Base, .2, .3) \| 4.1 (Base) \| 4.2 (Base)
	Cisco Edge 300 Series	1.0 (.0, (5), (5.1)) \| 1.1 (.0) \| 1.2 (Base) \| 1.3 (Base) \| 1.5 (Base, (1)) \| 1.6 (Base)
	Cisco Emergency Responder	1.1 (Base, (3), (4)) \| 1.2 (Base, (1), (1)SR1, (2), (2)sr1, (3)a, (3)SR1, (3a)SR2) \| 1.3 (Base, (1a), (2)) \| 2.0 (Base, (2), (3)) \| 7.0 (Base, .3b) \| 7.1 (Base, .1, .1.3) \| 8.5 (Base) \| 8.6 (Base)
	Cisco Finesse	9.0(1) (Base) \| 9.1(1) (Base)
	Cisco GSS Global Site Selector	1.0 (Base, .1) \| 1.1 (Base, .1) \| 1.2 (Base, .1, .2) \| 1.3 (.0, .1, .2, .3) \| 2.0 (.0, .1, .2, .2.1, .3, .3.0.31, .4) \| 3.0 (.0, .1, .2) \| 3.1 (Base) \| 3.2 (.0)
	Cisco IP Interoperability and Collaboration System (IPICS)	1.0 ((1.1))
	Cisco IronPort Encryption Appliance	Original Release (Base)
	Cisco Network Analysis Module (NAM) Software	4.0 (.0) \| 4.1 (.0)
	Cisco NX-OS Software	Cisco Nexus 1000V Switch for VMware vSphere (Base, 4.0(4)SV1(1), 4.0(4)SV1(2), 4.0(4)SV1(3), 4.0(4)SV1(3a), 4.0(4)SV1(3b), 4.0(4)SV1(3c), 4.0(4)SV1(3d), 4.2(1)SV1(4), 4.2(1)SV1(4a), 4.2(1)SV1(4b), 4.2(1)SV1(5.1), 4.2(1)SV1(5.1a), 4.2(1)SV1(5.2), 4.2(1)SV1(5.2b), 4.2(1)SV2(1.1), 4.2(1)SV2(1.1a), 4.2(1)SV2(2.1), 4.2(1)SV2(2.1a)) \| Cisco Nexus 1000V Switch for Microsoft Hyper-V (5.2(1)SM1(5.1)) \| for Nexus 3000 Series (Base, 5.0(3)U1(1), 5.0(3)U1(1a), 5.0(3)U1(1b), 5.0(3)U1(1d), 5.0(3)U1(2), 5.0(3)U1(2a), 5.0(3)U2(1), 5.0(3)U2(2), 5.0(3)U2(2a), 5.0(3)U2(2b), 5.0(3)U2(2c), 5.0(3)U2(2d), 5.0(3)U3(1), 5.0(3)U3(2), 5.0(3)U3(2a), 5.0(3)U3(2b), 5.0(3)U4(1), 5.0(3)U5(1), 5.0(3)U5(1a), 5.0(3)U5(1b), 5.0(3)U5(1c), 5.0(3)U5(1d), 5.0(3)U5(1e), 5.0(3)U5(1f), 5.0(3)U5(1g), 5.0(3)U5(1h), 6.0(2)U1(1), 6.0(2)U1(1a), 6.0(2)U1(2), 6.0(2)U1(3), 6.0(2)U4(1)) \| for Nexus 4000 Series (Base, 4.1(2)E1(1), 4.1(2)E1(1b), 4.1(2)E1(1d), 4.1(2)E1(1e), 4.1(2)E1(1f), 4.1(2)E1(1g), 4.1(2)E1(1h), 4.1(2)E1(1i), 4.1(2)E1(1j)) \| for Nexus 5000 Series (Base, 4.0(0)N1(1a), 4.0(0)N1(2), 4.0(0)N1(2a), 4.0(1a)N1(1), 4.0(1a)N1(1a), 4.0(1a)N2(1), 4.0(1a)N2(1a), 4.1(3)N1(1), 4.1(3)N1(1a), 4.1(3)N2(1), 4.1(3)N2(1a), 4.2(1)N1(1), 4.2(1)N2(1), 4.2(1)N2(1a), 5.0(2)N1(1), 5.0(3)N1(1c), 5.0(2)N2(1), 5.0(2)N2(1a), 5.0(3)N2(1), 5.0(3)N2(2), 5.0(3)N2(2a), 5.0(3)N2(2b), 5.1(3)N1(1), 5.1(3)N1(1a), 5.1(3)N2(1), 5.1(3)N2(1a), 5.1(3)N2(1b), 5.1(3)N2(1c), 5.2(1)N1(1), 5.2(1)N1(1a), 5.2(1)N1(1b), 5.2(1)N1(2), 5.2(1)N1(2a), 5.2(1)N1(3), 5.2(1)N1(4), 5.2(1)N1(5), 5.2(1)N1(6), 5.2(1)N1(7), 5.2(1)N1(8), 5.2(1)N1(8a), 6.0(2)N1(1), 6.0(2)N1(2), 6.0(2)N1(2a), 6.0(2)N2(1), 6.0(2)N2(1b), 6.0(2)N2(2), 6.0(2)N2(3), 6.0(2)N2(4), 6.0(2)N2(5), 7.0(0)N1(1), 7.0(1)N1(1), 7.0(2)N1(1), 7.0(3)N1(1)) \| for Nexus 6000 Series (Base, 6.0(2)N1(2), 6.0(2)N1(2a), 6.0(2)N2(1), 6.0(2)N2(1b), 6.0(2)N2(2), 6.0(2)N2(3), 6.0(2)N2(4), 6.0(2)N2(5), 7.0(0)N1(1), 7.0(1)N1(1), 7.0(2)N1(1), 7.0(3)N1(1)) \| for Nexus 7000 Series (Base, 4.1.(2), 4.1.(3), 4.1.(4), 4.1.(5), 4.2.(2a), 4.2(3), 4.2(4), 4.2(6), 4.2(8), 5.0(2a), 5.0(3), 5.0(5), 5.1(1), 5.1(1a), 5.1(3), 5.1(4), 5.1(5), 5.1(6), 5.2(1), 5.2(3a), 5.2(4), 5.2(5), 5.2(7), 5.2(9), 6.0(1), 6.0(2), 6.0(3), 6.0(4), 6.1(1), 6.1(2), 6.1(3), 6.1(4), 6.1(4a), 6.2(2), 6.2(2a), 6.2(6)) \| for Nexus 9000 Series (Base, 6.1(2)I2(1), 6.1(2)I2(2), 6.1(2)I2(2a), 6.1(2)I2(2b), 6.1(2)I2(3), 11.0(1b), 11.0(1c))
	Cisco Physical Access Gateway	1.0 (.0.0.1.118)
	Cisco Prime Collaboration	9.0 (.0, .5) \| 10.0 (.0, .5, .5.1)
	Cisco Prime Service Catalog	9.4 (Base) \| 9.4.1(GD) (Base) \| 10.0 (Base) \| 10.0(GD) (Base)
	Cisco Secure Access Control System (ACS)	Original Release (Base) \| 2.4 (Base) \| 2.6.3.2 (Base) \| 2.6.4.4 (Base) \| 3.0 (Base) \| 3.0.1.40 (Base) \| 3.0.3.6 (Base) \| 3.1 (Base, .2) \| 3.1.1 (Base) \| 3.2 (Base) \| 3.2 (1.20) (Base) \| 3.2 (1) (Base) \| 3.2 (2) (Base) \| 3.2 (3) (Base) \| 3.2.1 (Base) \| 3.2.2 (Base) \| 3.2.3 (Base) \| 3.3 (Base) \| 3.3 (1) (Base) \| 3.3.1 (Base, .16) \| 3.3.2 (Base, .2) \| 3.3.3 (.11) \| 4.0 (Base, .1.27, .1.42, .1.44, .1.49) \| 4.1 (.1.1, .1.23, .1.23.3, .3.12, .4.13, .4.13.1, .4.13.10) \| 4.2 (.0.124) \| 5.0 (Base, .0.21) \| 5.1 (Base, .0.44) \| 5.2 (Base, .0.26, .0.26.1, .0.26.2, .0.26.3, .0.26.4, .0.26.5, .0.26.6, .0.26.7, .0.26.8, .0.26.9, .0.26.10, .0.26.11) \| 5.3 (Base, .0.6, .0.40, .0.40.1, .0.40.2, .0.40.3, .0.40.4, .0.40.5, .0.40.6, .0.40.7) \| 5.4 (.0.46.0a, .0.46.1, .0.46.2, .0.46.3)
	Cisco Secure Access Control Server Solution Engine (ACSE)	5.5 ((0.46.10))
	Cisco TelePresence	1.1 (.1) \| 1.2 (.0, .1, .2) \| 1.3 (Base, .2) \| 1.6 (.0, .2, .3, .4, .5, .6, .7, .8) \| 1.7 (.0, .1, .2, .3) \| TE 4.0.0 (Base) \| TE 4.1.0 (Base) \| TE 4.1.1 (Base)
	Cisco Unified Communications Manager	5.1 ((1b), (1c), (2), (2a), (2b), (3), (3a), (3b), (3c), (3d), (3e)) \| Original Release (Base) \| 1.0 (Base) \| 6.1 ((1), (1a), (1b), (2), (2)SU1, (2)SU1a, (3), (4), (5)) \| 2.0 (Base) \| 7.0 (Base, (1), (2)) \| 3.0 (Base) \| 7.1 (Base, (3), (5), (5b)) \| 3.0.3(a) (Base) \| 8.0 (Base, (2c), (3)) \| 3.1 (Base, .1, .2, .3a) \| 8.5 (Base, .1) \| 3.1(1) (Base) \| 8.6 (Base, .1, .2) \| 3.1(2) (Base) \| 3.1(2)SR3 (Base) \| 3.1(3) (Base) \| 3.1(3)SR2 (Base) \| 3.1(3)SR4 (Base) \| 3.2 (Base) \| 3.2(3)SR3 (Base) \| 3.3 (Base) \| 3.3(2)SPc (Base) \| 3.3(3) (Base) \| 3.3(3)ES61 (Base) \| 3.3(3)SR3 (Base) \| 3.3(3)SR4a (Base) \| 3.3(3a) (Base) \| 3.3(4) (Base) \| 3.3(4)ES25 (Base) \| 3.3(4)SR2 (Base) \| 3.3(4c) (Base) \| 3.3(5) (Base) \| 3.3(5)ES24 (Base) \| 3.3(5)SR1 (Base) \| 3.3(5)SR1a (Base) \| 3.3(5)SR2 (Base) \| 3.3(5)SR2a (Base) \| 3.3(5)SR3 (Base) \| 3.3(59) (Base) \| 3.3(61) (Base) \| 3.3(63) (Base) \| 3.3(64) (Base) \| 3.3(65) (Base) \| 3.3(66) (Base) \| 3.3(67.5) (Base) \| 3.3(68.1) (Base) \| 3.3(71.0) (Base) \| 3.3(74.0) (Base) \| 3.3(78) (Base) \| 3.3(76) (Base) \| 4.0 (.1, .2) \| 4.0(2) (Base) \| 4.0(2a)ES40 (Base) \| 4.0(2a)ES56 (Base) \| 4.0(2a)SR2b (Base) \| 4.0(2a)SR2c (Base) \| 4.1 (Base) \| 4.1(2) (Base) \| 4.1(2)ES33 (Base) \| 4.1(2)ES50 (Base) \| 4.1(2)SR1 (Base) \| 4.1(3) (Base) \| 4.1(3)ES (Base) \| 4.1(3)ES07 (Base) \| 4.1(3)ES24 (Base) \| 4.1(3)SR (Base) \| 4.1(3)SR1 (Base) \| 4.1(3)SR2 (Base) \| 4.1(3)SR3 (Base) \| 4.1(3)SR3b (Base) \| 4.1(3)SR3c (Base) \| 4.1(3)SR4 (Base) \| 4.1(3)SR4b (Base) \| 4.1(3)SR4d (Base) \| 4.1(3)SR5 (Base) \| 4.1(4) (Base) \| 4.1(9) (Base) \| 4.1(17) (Base) \| 4.1(19) (Base) \| 4.1(22) (Base) \| 4.1(23) (Base) \| 4.1(25) (Base) \| 4.1(26) (Base) \| 4.1(27.7) (Base) \| 4.1(28.2) (Base) \| 4.1(30.4) (Base) \| 4.1(36) (Base) \| 4.1(39) (Base) \| 4.2(1) (Base) \| 4.2(1)SR1b (Base) \| 4.2(1.02) (Base) \| 4.2(1.05.3) (Base) \| 4.2(1.06) (Base) \| 4.2(1.07) (Base) \| 4.2(3) (Base) \| 4.2(3)SR1 (Base) \| 4.2(3)SR2 (Base) \| 4.2(3)SR3 (Base) \| 4.2(3)SR4 (Base) \| 4.2(3.08) (Base) \| 4.2(3.2.3) (Base) \| 4.2(3.3) (Base) \| 4.2(3.13) (Base) \| 4.2(3.20) (Base) \| 4.2(3.31) (Base) \| 4.2(3.36) (Base) \| 4.2(3.39) (Base) \| 4.2(3.46) (Base) \| 4.3 (Base) \| 4.3(1) (Base) \| 4.1(3)2 (Base) \| 4.3(1)SR (Base) \| 4.3(1)SR1 (Base) \| 4.3(1)SR1a (Base) \| 4.3(1)SR1b (Base) \| 4.3(1.57) (Base) \| 4.3(2) (Base) \| 4.3(2)SR1 (Base) \| 5.0(1) (Base) \| 5.0(2) (Base) \| 5.0(2a) (Base) \| 5.0(3) (Base) \| 5.0(3a) (Base) \| 5.0(3.1101) (Base) \| 5.0(4) (Base) \| 5.0(4a) (Base) \| 5.0(4a)SU1 (Base) \| 5.0(4c) (Base) \| 5.0(4.2136.001) (Base) \| 5.0(4.2137.001) (Base) \| 5.0(4.2137.002) (Base) \| 5.1 (Base) \| 5.1(1) (Base) \| 5.1(1a) (Base) \| 5.1(1b) (Base) \| 5.1(1c) (Base) \| 5.1(1.9131.045) (Base) \| 5.1(2) (Base) \| 5.1(2a) (Base) \| 5.1(2b) (Base) \| 5.1(3) (Base) \| 5.1(3a) (Base) \| 5.1(3b) (Base) \| 5.1(3c) (Base) \| 6.0(0.9901.169) (Base) \| 6.0(0.9901.190) (Base) \| 6.0(1) (Base) \| 6.0(1a) (Base) \| 6.0(1b) (Base) \| 6.1 (Base) \| 6.1(1) (Base) \| 6.1(1a) (Base) \| 6.1(2) (Base) \| 9.0 (Base) \| 9.0(1) (Base) \| 9.1 (.2) \| 9.1(1) (Base) \| 9.1(2.10000.28) (Base) \| 9.1(2.13058.1) (Base) \| 10.0 (Base) \| 10.0(1) (Base)
	Cisco Unified Contact Center Enterprise	4.6 (.2) \| 5.0 ((0)) \| 6.0 ((0)_SR1) \| 7.0 ((0)_SR1) \| 7.1 (.0, (2), (3), (4)) \| 7.2 ((1)) \| 7.5 ((2))
	Cisco Unity Connection	7.0 (Base) \| 7.1 (Base, .5ES33.32900-33, (1), (2), (2a), (2a)SU1, (2b), (2b)SU1, (3), (3a), (3a)SU1, (3a)SU1a, (3b), (3b)SU1, (3b)SU2, (5), (5)SU1a, (5a), (5b), (5b)SU2, (5b)SU3, (5b)SU4, (5b)SU5, (5b)SU6, (5b)SU6a) \| 8.0 (Base) \| 8.5 (Base, (1), (1)SU1, (1)SU2, (1)SU3, (1)SU4, (1)SU5, (1)SU6) \| 8.6 (Base, (1), (1a), (2), (2a), (2a)SU1, (2a)SU2, (2a)SU3) \| 9.0 ((1)) \| 9.1 ((1), (2)) \| 10.0 (.0, .5)
	Cisco Video Surveillance Media Server Software	5.0 (.0) \| 5.1 (.0, .1) \| 6.0 (Base) \| 6.1 (.0, .1) \| 6.2 (.0) \| 7.0 (.0, .1)
	Cisco Wide Area Application Services (WAAS)	4.0 (Base, .7, .7.46, .9, .9.10, .11.34, .13.23, .17.14, .19.14, .23, .25, .27) \| 4.1 (.1, .1a, .1b, .1c, .1d, .1e, .3, .3a, .3b, .5a, .5b, .5c, .5d, .5e, .5g, .5f, .7, .7a, .7b, .7c) \| 4.2 (Base, (1), (3a), (3c)) \| 4.3 (.1, .3, .5, .5a) \| 4.4 (.1, .3, .3a, .3b, .3c, .5, .5a, .5b, .5c, .5d, .7, .7a) \| 5.0 (Base, .1, .3, .3a, .3c, .3d, .3e, .3g) \| 5.1 (Base, .1, .1a, .1b, .1c, .1d, .1e, .1f, .1g) \| 5.2 (Base, .1) \| 5.3 (.1, .3, .5, .5a, .5b) \| 5.4 (.1, .1a)
	Cisco Wireless LAN Controller (WLC)	7.4 (.121.0) \| 7.6 (.130.0) \| 8.0 (.100)
	Cisco Intrusion Detection System (IDS)	Original Release (Base) \| 4210 (Base, 2.0, 3.0, 4.0) \| 4220 (Base, 2.0, 3.0, 4.0) \| 4230 (Base, 2.0, 3.0, 4.0) \| 2.2 (.1) \| 2.5 (.1) \| 3.0 (.1, .2, .3, .4, .5) \| 3.1 (.1, .2, .3, .4, .5) \| 4.0 (Base) \| 4.1 (.1, .2, .3, .4, .5) \| 5.0 (.1, .6) \| 5.1 (Base, .1, .2, .3) \| 6.0 (.0.185)
	Intrusion Prevention System (IPS)	7.0 ((7)E4)
	IOS	15.4S (15.4(1)S)
	Cisco IOS XE Software	2.1 (2.1.0, 2.1.1, 2.1.2) \| 2.2 (2.2.1, 2.2.2, 2.2.3) \| 2.3 (2.3.0, 2.3.0t, 2.3.1t, 2.3.2) \| 2.4 (2.4.0, 2.4.1) \| 2.5 (2.5.0) \| 2.6 (2.6.0, 2.6.1, 2.6.2) \| 3.1S (3.1.0S, 3.1.1S, 3.1.2S, 3.1.3S) \| 3.1SG (3.1.1SG) \| 3.2S (3.2.0S, 3.2.1S, 3.2.2S) \| 3.2SE (3.2.0SE, 3.2.1SE, 3.2.2SE, 3.2.3SE) \| 3.2SG (3.2.0SG, 3.2.1SG, 3.2.2SG, 3.2.3SG, 3.2.4SG, 3.2.5SG) \| 3.2XO (3.2.0XO, 3.2.1XO) \| 3.3S (3.3.0S, 3.3.1S, 3.3.2S) \| 3.3SE (3.3.0SE, 3.3.1SE) \| 3.3SG (3.3.0SG, 3.3.1SG, 3.3.2SG) \| 3.3XO (3.3.0XO) \| 3.4S (3.4.0S, 3.4.1S, 3.4.2S, 3.4.3S, 3.4.4S, 3.4.5S, 3.4.6S) \| 3.4SG (3.4.0SG, 3.4.1SG, 3.4.2SG) \| 3.5E (3.5.0E) \| 3.5S (Base, 3.5.0S, 3.5.1S, 3.5.2S) \| 3.6S (Base, 3.6.0S, 3.6.1S, 3.6.2S) \| 3.7S (Base, 3.7.0S, 3.7.1S, 3.7.2S, 3.7.3S, 3.7.4S, 3.7.5S, 3.7.6S) \| 3.8S (Base, 3.8.0S, 3.8.1S, 3.8.2S) \| 3.9S (3.9.0S, 3.9.1S, 3.9.2S) \| 3.10S (3.10.0S, 3.10.0aS, 3.10.1S, 3.10.2S, 3.10.3S, 3.10.4S) \| 3.11S (3.11.0S, 3.11.1S, 3.11.2S) \| 3.12S (3.12.0S) \| 3.13S (3.13.0S)
	Cisco MDS 9000 NX-OS Software	5.2 ((8d)) \| 6.2 ((7))
	Cisco MDS SAN-OS Software	1.0 (Base, .2, .2a, .3a, .4, .5) \| 1.1 (Base, .1, .1a, .2, .3) \| 1.2 (.1a, .1b, .2a) \| 1.3 (.1, .2a, .3, .3c, .4a, .4b, .5, .6) \| 2.0 (.1b, .2b, .3, .4, .4a) \| 2.1 (Base, .1, .1a, .1b, .2, .2d, .2e, .3) \| 3.0 (.1, .2, .2a, .3) \| 3.2 (Base) \| 3.3 (Base)
	Cisco NetFlow Collection Engine	4.0 (.0) \| 5.0 (.2, .3) \| 6.0 (.0)
	Cisco PGW 2200 Softswitch	Original Release (Base) \| 9.3 (Base) \| 9.4 (Base) \| 9.5 (Base) \| 9.6 (Base) \| 9.7 (Base) \| 9.8 (Base)
	Cisco Service Control Engine (SCE)	3.0 (Base, .1, .3, .4, .5, .6) \| 3.1 (Base, .1, .5, .6)
	Cisco Network Admission Control Guest Server	1.0 (.0) \| 1.1 (.0, .1, .2, .3) \| 2.0 (.0, .1, .2, .3)
	Cisco MXE 5600 Media Experience Engine	1.0.0 (Base) \| 1.0.1 (Base) \| 1.1.0 (Base) \| 1.1.1 (Base) \| 1.1.3 (Base) \| 1.2.0 (Base)
	Cisco Show and Share	5.0 (Base) \| 5.0.2 (Base) \| 5.0.3 (Base) \| 5.1 (Base) \| 5.2 (Base) \| 5.2.1 (Base) \| 5.2.2 (Base) \| 5.2.3 (Base)
	Cisco Identity Services Engine Software	1.0 (Base) \| 1.0 MR (Base) \| 1.1 (Base) \| 1.2 (Base, (0.747))
	Cisco TelePresence Video Communication Server (VCS)	X5.2 (Base) \| X6.0 (Base) \| X6.1 (Base) \| X7.0 (.0, .1, .2, .3) \| X7.1 (Base) \| X7.2 (Base, .1, .2) \| X8.1 (Base, .1) \| X8.2 (Base, .1)
	Cisco Unified Computing System (Managed)	1.0 (Base, (2k)) \| 1.1 (Base, (1m)) \| 1.2 (Base, (1d)) \| 1.3 (Base, (1c), (1m), (1n), (1o), (1p), (1q), (1t), (1w), (1y)) \| 1.4 (Base, (1i), (1j), (1m), (3i), (3l), (3m), (3q), (3s), (3u), (3y), (4f), (4g), (4i), (4j), (4k)) \| 2.0 (Base, (1m), (1q), (1s), (1t), (1w), (1x), (2m), (2q), (2r), (3a), (3b), (3c), (4a), (4b), (4d), (5a), (5b), (5c)) \| 2.1 (Base, (1a), (1b), (1d), (1e), (1f), (2a)) \| 2.2 (Base, (2c)A)
	Cisco Business Edition 3000 Software	8.6 (Base, (1), (1a), .2, .2a, .3, .4)
	Cisco TelePresence Manager	1.5 (Base) \| 1.6 (Base) \| 1.7 (Base) \| 1.8 (.0, .1)
	Cisco TelePresence Multipoint Switch	1.0 (Base, .4.0) \| 1.1 (.0, .1, .2) \| 1.5 (.0, .1, .2, .3, .4, .5, .6) \| 1.6 (.0, .1, .2, .3, .4) \| 1.7 (.0, .1, .2, .3) \| 1.8 (.0, .1, .2, .3) \| 1.9 (.0)
	Cisco TelePresence Recording Server	1.5 (Base) \| 1.6 (Base, .1, .2, .3) \| 1.7 (.0, .1, .2.1, .3) \| 1.8 (.0, .1)
	Cisco ASA CX Context-Aware Security Software	9.3
	Cisco Prime LAN Management Solution (LMS)	4.1 (Base) \| 4.2 (Base, .1, .2, .3)
	Cisco Prime Network Control System	1.0 (Base) \| 1.1 (Base, .1.24) \| 2.0 (Base)
	Cisco Unified Communications Domain Manager	8.1 (.1, .2, .3, .4) \| 10.1 (Base, .2)
	Cisco Prime Infrastructure	1.2 (.0, .1) \| 1.3 (.0) \| 1.4 (.0, .1, .2) \| 2.0 (.0) \| 2.1 (.0)
	Cisco WebEx Node for ASR 1000 Series	15.3 (Base, (01)S)
	Cisco WebEx Node for MCS	8.5 ((5))
	Cisco Unified Computing System (Standalone)	1.1 (Base, (1d)) \| 1.2 (Base, (1b), (2d), (2j), (2l)) \| 1.3 (Base, (1c), (1d), (2d), (2i), (2j)) \| 1.4 (Base, (1c), (2), (3c)2, (3c)1, (3j), (3k), (3p), (3p)5, (3s), (4a), (4a)1, (5b)1, (5e), (5g), (5g)2, (5h), (5j), (6c), (6d), (7b)1, (7c)1, (7h)) \| 1.5 (Base, (1b), (1f)) \| 2.2 (Base, (2c)A)
	Cisco Unified Computing System Central Software	1.0 (Base) \| 1.1 (Base)
	Cisco TelePresence System Software	1.5 (Base, .10(3648), .11(3659), .12(3701), .13(3717)) \| 1.6 (Base, .0(3954), .2(4023), .3(4042), .4(4072), .5(4097), .6(4109), .7(4212), .8(4222)) \| 1.7 (Base, .0.1(4764), .0.2(4719), .1(4864), .2(4937), .2.1(2), .4(270), .5(42), .6(4)) \| 1.8 (Base, .0(55), .1(34), .2(11), .3(4), .4(13), .5(4)) \| 1.9 (Base, .0(46), .1(68), .2(19), .3(44), .4(19), .5(7), .6(2)) \| 1.10 (Base, .0(259), .1(43)) \| 6.0 (.0.1(4), .1(50), .2(28), .3(33), .4(11), .5(5)) \| 6.1 (.0(90)) \| 7.2 (Base)
	Cisco Enterprise Content Delivery System (ECDS)	2.5 (Base, .3, .3 (S1), .3 (S2), .3 (S3), .3 (S4), .3 (S5), .5, .5 (S1), .6)
	Cisco TelePresence TE Software	4.0 (Base, .0) \| 4.1 (Base, .1, .1-CUCM, .2, .2-CUCM) \| 6.0 (Base, .0, .1, .2)
	Cisco Virtualization Experience Client 6000 Series Firmware	8.6 (Base) \| 8.7 (Base) \| 9.0 (Base) \| 9.2 (Base, .1)
	Cisco ASR 5000 Series Software	11.0 (Base) \| 12.0 (.0) \| 12.1 (Base) \| 12.2 (Base) \| 14.0 (.0) \| 15.0 (Base) \| 16.0 (.0) \| 16.1 (.0, .1, .2) \| 17.2 (.0)
	Cisco Videoscape Distribution Suite Service Broker	1.0 (Base, .1) \| 1.1 (Base)
	Cisco SocialMiner	8.5 ((4), (5)) \| 9.0 ((1))
	Cisco MediaSense	8.5 ((3), (4)) \| 9.0 ((1a)) \| 9.1 ((1)) \| 10.0 ((1))
	Cisco TelePresence TX9000	6.0.4 (Base)
	Cisco MXE 3500 (Media Experience Engine)	3.0 (Base) \| 3.1 (Base) \| 3.2 (Base) \| 3.3 (Base, .2)
Cisco Nexus 1000V Switch	5.2(2e) (Base) \| 6.3(2) (Base) \| 7.0(2) (Base)
Cisco Unified Computing System Director	3.4 (Base) \| 4.0 (Base) \| 4.1 (Base)
Cisco Unified Intelligence Center	7.5 (Base, (2), (3), (4), (5)) \| 8.0 (Base, (2), (3), .4) \| 8.5 (Base, .2, .3, .4) \| 9.0 ((1), (2)) \| 9.1 ((1)) \| 10.0 ((1), (5))
Cisco Universal Small Cell Series Firmware	R2.12 (Base) \| R2.13 (Base) \| R2.14 (Base) \| R2.15 (Base) \| R2.16 (Base) \| R2.17 (Base) \| R3.2 (Base) \| R3.3 (Base) \| R3.4 (Base, 1.1, 2.1, 2.17) \| R3.5 (Base)
FreeBSD Project	FreeBSD	7.3 (Base) \| 7.4 (Base) \| 8.0 (Base) \| 8.1 (Base) \| 8.2 (Base) \| 8.3 (Base) \| 8.4 (Base) \| 9.0 (Base) \| 9.1 (Base) \| 9.2 (Base) \| 9.3 (Base) \| 10.0 (Base)
HP	HP CloudSystem Enterprise	8.0 (Base, .1, .2) \| 8.1 (Base, .1)
	HP CloudSystem Foundation	8.0 (Base, .1, .2) \| 8.1 (Base, .0, .1)
	HP Enterprise Maps	1.0 (Base)
	HP TippingPoint Next Generation Firewall (NGFW)	1.0.1.3974 (Base) \| 1.0.2.3988 (Base) \| 1.0.3.4024 (Base) \| 1.1.0.4127 (Base) \| 1.1.0.4150 (Base)
	HP NonStop	H06 (.25.00, .25.01, .26, .26.01, .27, .27.01, .28, .28.01) \| J06 (.14.00, .14.01, .14.02, .14.03, .15, .15.01, .15.02, .16, .16.01, .16.02, .17, .17.01, .18.00)
	HP OneView	1.0 (Base) \| 1.01 (Base) \| 1.05 (Base) \| 1.10 (Base, .05, .07)
	HP StoreEver ESL E-series Tape Library	Original Release (Base)
	HP StoreOnce Backup	3.0 (Base) \| 3.1 (Base) \| 3.2 (Base) \| 3.3 (Base) \| 3.4 (Base) \| 3.5 (Base) \| 3.6 (Base) \| 3.7 (Base) \| 3.8 (Base) \| 3.9 (Base) \| 3.10 (Base) \| 3.11 (.0, .3)
	HP StoreOnce Gen 2 Backup	2.3 (.00)
	HP StoreEver MSL6480 Tape Library firmware	4 (.10, .20, .30, .40, .50)
	HP Virtual Library System (VLS)	Original Release (Base)
	Operations Analytics	2.0 (Base) \| 2.1 (Base)
IBM	AIX	5.3 (Base, .7.0, .7.1, .8, .9, .10, .11, .12) \| 6.1 (.0, .1, .2, .3, .4, .5, .6, .7, .8, TL9) \| 7.1 (.0, .1, .2, .3)
IBM	Power Hardware Management Console (HMC)	V7 R7.3.0 (Base, SP2) \| V7 R7.6.0 (Base) \| V7 R7.7.0 (Base) \| V7 R7.8.0 (Base) \| V7 R7.9.0 (Base) \| V8 R8.1.0 (Base)
Juniper Networks, Inc.	NetScreen-Security Manager (NSM)	2004 (Base, FP 1, FP 2, FP 3, FP 3-IDP) \| 2005 (.1, .2, .3) \| 2009 (Base) \| 2010 (Base) \| 2012 (Base, .1, .2) \| 3000 (Base)
	Security Threat Response Manager (STRM)	2010 (Base) \| 2012 (.0, .1) \| 2013 (Base, .1, .2)
	Junos Space Software	11.1 (Base) \| 11.2 (Base) \| 11.3 (Base) \| 12.1 (Base) \| 12.2 (Base) \| 12.3 (Base)
	Juniper Secure Analytics Platforms	2013.2 (Base) \| 2014.1 (Base) \| 2014.2 (Base)
MontaVista	CGE	6.0 (Base)
MontaVista	MVL 6	ARM (Base) \| Power (Base) \| x86 (Base)
Oracle Corporation	Solaris	11 (11/11, 11/11 SRU 2, 11/11 SRU 3, 11/11 SRU 4, 11/11 SRU 6.6, 11/11 SRU 7.5, 11/11 SRU 8.5, 11/11 SRU 9.5, 11/11 SRU 10.5, 11/11 SRU 11.4, 11/11 SRU 12.4) \| 11.2 (Base)
Red Hat, Inc.	Red Hat Enterprise Linux	5 (IA-32, IA-64, PPC, ppc64, s390, s390x, x86_64)
	Red Hat Enterprise Linux Server AUS	6.2 (x86_64) \| 6.4 (x86_64) \| 6.5 (x86_64)
	Red Hat Enterprise Linux Desktop	5 (IA-32, x86_64) \| 6 (IA-32, x86_64) \| 7 (x86_64)
	Red Hat Enterprise Linux ELS (Extended Life Cycle Support)	4 (IA-32, IA-64, x86_64)
	Red Hat Enterprise Linux EUS (Extended Update Support)	5.9.z (Base, IA-32, IA-64, PPC, PPC-64, s390x, x86_64)
	Red Hat Enterprise Linux HPC Node	6 (x86_64) \| 7 (x86_64)
	Red Hat Enterprise Linux Long Life	5.6 (IA-32, i386, IA-64, x86_64) \| 5.9 (Base, IA-32, IA-64, x86_64)
	Red Hat Enterprise Linux Server	6 (IA-32, PPC, PPC 64, s390, s390x, x86_64) \| 7 (x86_64, ppc, ppc64, s390, s390x)
	Red Hat Enterprise Linux Server EUS	6.4.z (Base, IA-32, x86_64, PPC, PPC64, s390, s390X) \| 6.5.z (IA-32, PPC, PPC64, s390, s390x, x86_64)
	Red Hat Enterprise Linux Workstation	6 (IA-32, x86_64) \| 7 (x86_64)
	Red Hat Enterprise S-JIS Service	IA-32 (Base) \| IA-64 (Base) \| x86_64 (Base)
	Red Hat Enterprise Virtualization	3.4 (x86_64)
Sun Microsystems, Inc.	Solaris	8 (sparc, X86) \| 9 (sparc, X86) \| 10 (sparc, x64/x86, 05/08 (Update 5))
VMware, Inc.	Horizon DaaS Platform	5.4 (Base, .1, .2) \| 6.0 (Base, .1) \| 6.1 (Base)
	IT Business Management Suite	1.0 (Base)
	NSX-MH	4.0 (Base, .1, .2, .3, .4) \| 4.1 (Base, .1, .2, .3) \| 4.2 (Base)
	NSX-V	6.0 (Base, .1, .2, .3, .4, .5, .6) \| 6.1 (Base)
	NVP	3.0 (Base) \| 3.2 (Base, .1, .2, .3)
	vCenter Converter Standalone	5.1 (Base, 0.1087880) \| 5.5 (Base, .1, .2)
	vCenter Hyperic Server	5.0 (Base, .1, .2) \| 5.7 (Base, .1) \| 5.8 (Base, .1, .2)
	vCenter Infrastructure Navigator	2.0 (Base) \| 5.7 (Base) \| 5.8 (Base, .1, .2)
	vCenter Log Insight	1 (Base, .0, .5) \| 2 (Base, .0, .2)
	vCenter Operations Management Suite (vCOps)	5.7 (Base) \| 5.8 (Base)
	vCenter Orchestrator (vCO)	4.0 (Base, Update 1, Update 2, Update 3) \| 4.1 (Base, Update 1) \| 4.2 (Base) \| 5.1 (Base) \| 5.5 (Base, .1, .2)
	vCloud Automation Center (vCAC)	5.1 (Base) \| 5.2 (Base) \| 6.1 (Base)
	vCloud Application Director	5.2 (Base) \| 6.0 (Base)
	vCloud Connector	2.6 (Base)
	vCloud Director	5.1 (Base) \| 5.5 (Base, .1, .1.1, .1.2)
	vCloud Networking and Security (vCNS)	5.1 (Base, .3) \| 5.5 (Base, .1)
	vCloud Usage Meter	3.3 (Base, .1)
	vFabric Postgres	9.1.5 (Base) \| 9.1.6 (Base) \| 9.1.7 (Base) \| 9.1.8 (Base) \| 9.2.1 (Base) \| 9.2.2 (Base) \| 9.2.3 (Base) \| 9.3 (.5.0)
	VMware Application Dependency Planner	2.0 (Base)
	VMware Data Recovery	2.0 (Base, .1, .2, .3)
	VMware HealthAnalyzer	5.0 (Base, .3)
	VMware Horizon Workspace	1.0 (Base) \| 1.5 (Base, .1, .2) \| 1.8 (Base, .1, .2) \| 2.0 (.0) \| 2.1 (.0)
	VMware Mirage	5.0 (Base) \| 5.1 (Base)
	VMware Studio	2.0 (Base)
	VMWare View	3.0 (Base, .1)
	VMware Workbench	3.0 (Base, .1)
	VMware vCenter Site Recovery Manager	5.1 (Base, .0.1, .1.1, .2, .2.1) \| 5.5 (Base, .1.2)
	vSphere App HA	1.1 (Base)
	vSphere Big Data Extensions	2.0 (Base)
	vSphere Data Protection	5 (Base)
	vSphere Management Assistant	5.0 (Base) \| 5.1 (Base) \| 5.5 (Base)
	vSphere Replication	5.1 (.0.1, .2, .2.1) \| 5.5 (Base, .1, .1.2) \| 5.8 (Base)
	vSphere Storage Appliance	5.5 (Base, .1)
	vCenter Server Appliance (vCSA)	5.0 (Base, Patch 1) \| 5.1 (Base, Patch 1) \| 5.5 (Base)

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products

Identifying and Mitigating Exploitation of the GNU Bash Environment Variable Command Injection Vulnerability

Available Languages

Bias-Free Language

Cisco Applied Mitigation Bulletin

Identifying and Mitigating Exploitation of the GNU Bash Environment Variable Command Injection Vulnerability

Cisco Response

Contents

Vulnerability Characteristics

Vulnerability Overview

Mitigation Technique Overview

Risk Management

Device-Specific Mitigation and Identification

Cisco IOS Routers and Switches

Mitigation: IOS Zone Based Firewall

Cisco ASA, Cisco ASASM, and Cisco FWSM Firewalls

Mitigation: Application Layer Protocol Inspection

Cisco Intrusion Prevention System

Mitigation: Cisco IPS Signature Table

Sourcefire Signature Information

Mitigation: Sourcefire Signature Table

Additional Information

Related to This Bulletin

Revision History

Cisco Security Procedures

Related Information

Affected Products

Legal Disclaimer

Related to This Bulletin