Cisco Security AdvisoryMedium
Advisory ID:
cisco-sa-20150310-ssl
First Published:
2015 March 10 16:00 GMT
Last Updated:
2015 November 13 15:34 GMT
Version 1.17:
Workarounds:
Cisco Bug IDs:
CVSS Score:
Base 5.0,
Temporal 4.1
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C
-
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service condition or perform a man-in-the-middle attack. On January 8, 2015, the OpenSSL Project released a security advisory detailing eight distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:
- CVE-2014-3571: OpenSSL DTLS Message Processing Denial of Service Vulnerability
- CVE-2015-0206: OpenSSL dtls1_buffer_record Function DTLS Message Processing Denial of Service Vulnerability
- CVE-2014-3569: OpenSSL no-ssl3 Option NULL Pointer Dereference Vulnerability
- CVE-2014-3572: OpenSSL Elliptic Curve Cryptographic Downgrade Vulnerability
- CVE-2015-0204: OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability
- CVE-2015-0205: OpenSSL Diffie-Hellman Certificate Validation Authentication Bypass Vulnerability
- CVE-2014-8275: OpenSSL Certificate Fingerprint Validation Vulnerability
- CVE-2014-3570: OpenSSL BN_sql Function Incorrect Mathematical Results Issue
Workarounds that mitigate these vulnerabilities may be available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl
-
Vulnerable Products
The following Cisco products have been confirmed to be impacted by one or more of the vulnerabilities contained in the January 8, 2015, OpenSSL Project security advisory:
Product Defect Fixed releases availability Collaboration and Social Media Cisco WebEx Meetings Server versions 1.x CSCus42712 2.5MR2 Cisco WebEx Meetings Server versions 2.x CSCus42712 2.5MR2 Cisco Webex Social CSCus42817 No further releases are planned. Endpoint Clients and Client Software Cisco Agent for OpenFlow CSCus42902 Cisco AnyConnect Secure Mobility Client for Android CSCus42726 4.0.01233 (Android)
Cisco AnyConnect Secure Mobility Client for Apple iOS CSCus42726 3.0.12240 (Apple iOS) Cisco AnyConnect Secure Mobility Client for desktop platforms CSCus42726 3.1.07021
Cisco Jabber Software Development Kit CSCus42945 11.0(0) (26-Aug-2015) Cisco Jabber Video for TelePresence (Movi) CSCus42871 4.9 (March 2015) Cisco Jabber Voice for Android CSCus42947 10.6(1) Cisco Jabber for Android CSCus42952 10.6.1 Cisco Jabber for Mac CSCus42939 10.6(1) (Available)
11.0 (July 2014)Cisco Jabber for Windows CSCut82321 11.0(0)
10.6(1)Cisco Jabber for iOS CSCus42953 10.6.2 Cisco WebEx Connect Client for Windows CSCus42966 No further releases scheduled. Advise migration to Cisco Jabber. Cisco WebEx Meetings for Android CSCus42742 7.0 (Android) Cisco WebEx Meetings for WP8 CSCus42941 1.0.1k (Available) Network Application, Service, and Acceleration Cisco ACE30 Application Control Engine Module CSCus42709 Cisco Wide Area Application Services (WAAS) CSCus42766 5.1.1i (27-May-2015)
6.0.0 (10-Jun-2015)Network and Content Security Devices Cisco ASA CX Context-Aware Security CSCus42804 9.3.3.1-13 (July 2015) Cisco Adaptive Security Appliance (ASA) Software CSCus42901 9.2(3.1)
9.1(5.106)
9.0(4.29)
8.4(7.26)Cisco Content Security Management Appliance (SMA) CSCus44454 9.1.2 (15-Jun-2015) Cisco Email Security Appliance (ESA) CSCus42818 10.0 (Oct 2015) Cisco FireSIGHT System Software CSCus77211 5.4.0.2
5.4.1.1Cisco IPS CSCus42768 Cisco IPS 7.1.10 (29-May-2015)
Cisco IPS 7.3.4 (TBD)Cisco Identity Services Engine (ISE) CSCus42710 1.4 (April 2015)
1.5 (October 2015)Cisco IronPort Encryption Appliance (IEA) CSCus44478 Cisco NAC Appliance (Clean Access Server) CSCus42836 Patch file is available for vulnerable versions. Cisco NAC Guest Server CSCus42834 No further releases are planned. Cisco NAC Manager (Clean Access Manager) CSCus42840 Patch file is available for vulnerable versions. Cisco Physical Access Gateway CSCus43000 1.5.3 (21-May-2015)
Cisco Secure Access Control Server (ACS) CSCus42781 5.6 (31-Jul-2015)
5.7 (14-Aug-2015)
Cisco Virtual Security Gateway for Microsoft Hyper-V CSCus43003 5.2(1)SV3(1.4) (May 2015) Cisco Virtual Security Gateway for VMware CSCus43003 5.2(1)SV3(1.4) (May 2015) Cisco Web Security Appliance (WSA) CSCus42705 9.0.0 (30-Apr-2015) Network Management and Provisioning Cisco Application Networking Manager CSCus42821 5.2.6 Cisco Intelligent Automation for Cloud CSCus42852 4.3 (July 2015) Cisco MATE Design CSCus42772 WAE 6.1.1 (31-Mar-2015)
MATE 6.0.5 (10-Mar-2015)
Cisco MATE Live CSCus42772 WAE 6.1.1 (31-Mar-2015)
MATE 6.0.5 (10-Mar-2015)
Cisco MATE collector CSCus42772 WAE 6.1.1 (31-Mar-2015)
MATE 6.0.5 (10-Mar-2015)
Cisco Netflow Collection Agent CSCus42819 1.0.3 (May 2015) Cisco Packet Tracer CSCus47080 6.2 Cisco Policy Suite (QPS) CSCus42789 Cisco Prime Access Registrar CSCus42968 7.0.0 (Available)
6.1.3 (Release TBD)Cisco Prime Collaboration Assurance CSCus42924 No release planned. Cisco Prime Collaboration Deployment CSCus42954 11.0 Cisco Prime Collaboration Provisioning 10.5 CSCus42816 11.0 (29-May-2015) Cisco Prime Data Center Network Manager (DCNM) CSCus42763 DCNM 7.1(2) (Late April 2015) Cisco Prime IP Express CSCus42967 8.3 (Available) Cisco Prime Infrastructure CSCus42748 3.0 Cisco Prime LAN Management Solution CSCus42883 4.2.5(3) (30-Jun-2015) Cisco Prime License Manager CSCus42699 11.0 (mid-April 2015) Cisco Prime Network Analysis Module (NAM) CSCus42792 006.002 (1-Jun-2015) Cisco Prime Network Registrar (CPNR) CSCus42701 8.3 (Available)
8.2.3 (31-May-2015)
8.1.3.3 (30-Apr-2015)
Virtual Appliance 7.3.2.5 (22-Apr-2015)Cisco Prime Network Services Controller CSCus42739 3.5.1x (April 2015) Note: PNSC will be no longer be released individually
and instead will be part Intercloud Fabric (ICF) 2.2.1x.Cisco Prime Network CSCus42882 Cisco Prime Optical for SPs CSCus42879 10.3.0.0.193 (Available)
10.0.0.1.2 (AvailableCisco Prime Performance Manager for SPs CSCus42880 1.6 SP1 Cisco Prime Security Manager CSCus42841 Cisco Security Manager CSCus42723 4.9 (Aug 2015)
4.7 SP1CP1 (Available)
Cisco Show and Share (SnS) CSCus42800 5.3.x (20-May-2015)
5.5 (20-May-2015)
5.6 (20-May-2015)
5.6.1 (20-Aug-2015)
Local Collector Appliance (LCA) CSCus42873 2.2.8 Routing and Switching - Enterprise and Service Provider Cisco 910 Industrial Router CSCus45971 1.2.1RB1 (15-May-2015) Cisco ASR 5000 Series CSCus42812 20.0.0 (Available) Cisco Application Policy Infrastructure Controller CSCus42749 1.0(3f)
1.1(1j)
Cisco Connected Grid Routers (CGR) CSCus43029 No further releases scheduled (End of Life). Customers are encouraged to upgrade to a supported Cisco IOS Software release. Cisco IOS Software and Cisco IOS-XE Software CSCus61884 15.5(03)S Cisco IOS XR Software CSCus42773 Cisco IOS-XE (WebUI feature only) CSCut32908 Cisco MDS 9000 Series Multilayer Switches CSCus42713 7.2 (29-May-2015)
7.3 (3-Jul-2015)Cisco Mobile Wireless Transport Manager CSCus42993 6.1.7 Cisco Nexus 1000V Intercloud CSCus42717 2.2.1 (Available) Cisco Nexus 1000V Series Switches CSCut14256 5.2(1)SV3(1.4) (May 2015) Cisco Nexus 3X00 Series Switches CSCus43046 Cisco Nexus 4000 Series Switches CSCus42972 4.1(2)E1(1o) (15-May-2015) Cisco Nexus 5000 Series Switches CSCus42713 7.2 (29-May-2015)
7.3 (3-Jul-2015)Cisco Nexus 6000 Series Switches CSCus42713 7.2 (29-May-2015)
7.3 (3-Jul-2015)Cisco Nexus 7000 Series Switches CSCus42713 7.2 (29-May-2015)
7.3 (3-Jul-2015)Cisco Nexus 9000 Series Switches CSCus42784 7.0(3)I2(1) (Available) Cisco ONS 15400 Series CSCus42787 10.51 (20-Nov-2015) Cisco OnePK All-in-One VM CSCus42732 Admin to update package via CLI Routing and Switching - Small Business Cisco WAG310G Residential Gateway CSCus43007 Unified Computing Cisco UCS C-Series (Standalone Rack) Servers CSCus42715 2.0.4 (Apr 2015) Cisco UCS Central CSCus42724 1.3 (March 2015) Cisco UCS Invicta Series Solid State Systems CSCus42989 5.0.1.2b (April 2015) Cisco Unified Computing System B-Series (Blade) Servers CSCus61833 2.2(4a) (Available)
2.2(5a) (22-May-2015)
3.1(1a) (TBD)Voice and Unified Communications Devices Cisco ATA 187 Analog Telephone Adaptor CSCus42814 Fix release due March 2016 Cisco ATA 190 Series Analog Telephone Adapter CSCus42791 1.2.1 (30-Jun-2015) Cisco Agent Desktop CSCus42910 10.0(2) Cisco Computer Telephony Integration Object Server (CTIOS) CSCut45829 11.0 (30-Apr-2015) Cisco DX Series IP Phones CSCut08817 10.2.4 (5-Jun-2015) Cisco Emergency Responder CSCus42904 11.0 Cisco Finesse CSCus42853 Cisco Hosted Collaboration Mediation Fulfillment CSCus42794 10.6.1 Cisco IP Interoperability and Collaboration System (IPICS) CSCus43020 4.9(2) (July 2015) Cisco IP Phone 8800 Series
CSCuw30989
11.0 Cisco MediaSense CSCus42906 11.0(1) (Release Date TBD) Cisco MeetingPlace CSCus42786 8.6 Maintenance Release (15-Jun-2015) Cisco Paging Server (Informacast) CSCus42905 11.0.1 (May 2015) Cisco Paging Server CSCus42905 11.0.1 (May 2015) Cisco SPA112 2-Port Phone Adapter CSCus42824 1.3.7 (31-Dec-2015) Cisco SPA122 ATA with Router CSCus42824 1.3.7 (31-Dec-2015) Cisco SPA232D Multi-Line DECT ATA CSCus42824 1.3.7 (31-Dec-2015) Cisco SocialMiner CSCus42851 11.0(1) (30-Aug-2015) Cisco Unified 6900 series IP Phones CSCus42734 9.4(1)ES12 (11 Nov 2015) Cisco Unified 7800 series IP Phones CSCus42707 10.4.1 (August 2015) Cisco Unified 8945 IP Phone CSCus42735 9.4(2)2SR2 (11-Dec-2015) Cisco Unified 8961 IP Phone CSCus42706 9.4(2)SR2 (Release Date TBD) Cisco Unified 9951 IP Phone CSCus42706 9.4(2)SR2 (Release Date TBD) Cisco Unified 9971 IP Phone CSCus42706 9.4(2)SR2 (Release Date TBD) Cisco Unified Attendant Console (all editions) CSCus42803 11.0.1 (Sep 2015) Cisco Unified Attendant Console Standard CSCus42959 Patch files are available for vulnerable releases. Cisco Unified Communication Manager IM and Presence Service (CUPS) CSCus42751 11.0 (Available) Cisco Unified Communications Domain Manager CSCus42711 10.1(2) Cisco Unified Communications Manager (UCM) CSCus60116 10.5.2 (Available)
10.5.2 SU2 (Available)
9.1.2 SU3 (TBD)
8.6.2 (TBD)Cisco Unified Communications Manager Session Management Edition (SME) CSCus60116 10.5.2 (Available)
10.5.2 SU2 (Available)
9.1.2 SU3 (TBD)
8.6.2 (TBD)Cisco Unified Contact Center Enterprise CSCut45829 11.0 (30-Apr-2015) Cisco Unified Contact Center Express CSCus42785 11.0(1) (June 2015) Cisco Unified IP Conference Phone 8831 CSCus42757 Cisco Unified IP Conference Station 7937G CSCus42758 10.3.2 (Sep 2015) Cisco Unified IP Phone 7900 Series CSCus42733 9.4(2)SR2 (11-Nov-2015) Cisco Unified Intelligence Center CSCus42908 Cisco Unified Intelligent Contact Management Enterprise CSCut45829 11.0 (30-Apr-2015) Cisco Unified Sip Proxy CSCus42917 Cisco Unified Workforce Optimization CSCus42996 10.5 SR6
11.0Cisco Unity Connection (UC) CSCus42900 11.0(0.72) Cisco Virtualization Experience Media Engine CSCus42958 Windows 10.6.0.10706 (Available)
Windows 10.6.0.10730 (Available)
Linux 10.6.0-203 (Available)
Linux 10.6.0-221 (Available)Video, Streaming, TelePresence, and Transcoding Devices Cisco AnyRes Live (CAL) CSCus42909 9.5.0 Cisco D9036 Modular Encoding Platform CSCus42887 V02.03.30 Cisco Edge 300 Digital Media Player CSCus42801 1.6RB2 (Available) Cisco Edge 340 Digital Media Player CSCus43052 Patch file available for vulnerable releases. (4-Apr-2015) Cisco Enterprise Content Delivery System (ECDS) CSCum57065 2.6.4 (mid-May 2015) Cisco Expressway Series CSCus42702 X8.5.1 Cisco Internet Streamer CDS CSCus42921 VDS-IS 3.3.1 (30-Jun-2015)
VDS-IS 4.2.0 (31-Jul-2015)
Cisco Model D9485 DAVIC QPSK CSCus43043 1.2.19 Cisco TelePresence 1310 CSCus42737 1.10.11 (30-Apr-2015)
6.1.8 (30-Apr-2015)Cisco TelePresence Advanced Media Gateway Series CSCus42833 1.1(1.40) (Available) Cisco TelePresence Conductor CSCus42987 XC3.0.1 Cisco TelePresence Content Server (TCS) CSCus42976 6.2 Cisco TelePresence EX Series CSCus42827 7.3.1 Cisco TelePresence ISDN GW 3241 CSCus42753 2.2 Maintenance Release (mid May 2015) Cisco TelePresence ISDN GW MSE 8321 CSCus42753 2.2 Maintenance Release (mid May 2015) Cisco TelePresence ISDN Link CSCus42828 1.1.5 (June 2015) Cisco TelePresence MCU (8510, 8420, 4200, 4500 and 5300) CSCus42831 4.5 Maintenance Release (July 2015) Cisco TelePresence MX Series CSCus42827 7.3.1 Cisco TelePresence Profile Series CSCus42827 7.3.1 Cisco TelePresence SX Series CSCus42827 7.3.1 Cisco TelePresence Serial Gateway Series CSCus42754 1.0(1.42) Cisco TelePresence Server 8710, 7010 CSCus42752 4.1 (Mar 2015) Cisco TelePresence Server on Multiparty Media 310, 320 CSCus42752 4.1 (Mar 2015) Cisco TelePresence Server on Virtual Machine CSCus42752 4.1 (Mar 2015) Cisco TelePresence Supervisor MSE 8050 CSCus42755 2.3(1.38) Cisco TelePresence System 1000 CSCus42737 1.10.11 (30-Apr-2015)
6.1.8 (30-Apr-2015)Cisco TelePresence System 1100 CSCus42737 1.10.11 (30-Apr-2015)
6.1.8 (30-Apr-2015)Cisco TelePresence System 1300 CSCus42737 1.10.11 (30-Apr-2015)
6.1.8 (30-Apr-2015)Cisco TelePresence System 3000 Series CSCus42737 1.10.11 (30-Apr-2015)
6.1.8 (30-Apr-2015)Cisco TelePresence System 500-32 CSCus42737 1.10.11 (30-Apr-2015)
6.1.8 (30-Apr-2015)Cisco TelePresence System 500-37 CSCus42737 1.10.11 (30-Apr-2015)
6.1.8 (30-Apr-2015)Cisco TelePresence TE Software (for E20 - EoL) CSCus42829 4.1.6 Cisco TelePresence TX 9000 Series CSCus42737 1.10.11 (30-Apr-2015)
6.1.8 (30-Apr-2015)Cisco TelePresence Video Communication Server (VCS) CSCus42702 X8.5.1 Cisco Telepresence Integrator C Series CSCus42827 7.3.1 Cisco VDS Service Broker CSCus43022 Cisco Video Surveillance 3000 Series IP Cameras CSCus42721 2.7 (30-Jul-2015) Cisco Video Surveillance 4000 Series High-Definition IP Cameras CSCus42983 2.4.6 (30-Jul-2015) Cisco Video Surveillance 4300E/4500E High-Definition IP Cameras CSCus42982 3.2.7 (30-Jul-2015) Cisco Video Surveillance 6000 Series IP Cameras CSCus42721 2.7 (30-Jul-2015) Cisco Video Surveillance 7000 Series IP Cameras CSCus42721 2.7 (30-Jul-2015) Cisco Video Surveillance Media Server CSCus43015 7.7 Cisco Video Surveillance Operations Manager CSCus43016 7.7.0 (15-Aug-2015)
Cisco Video Surveillance PTZ IP Cameras CSCus42721 2.7 (30-Jul-2015) Cisco Videoscape Control Suite CSCus43009 3.6 (Available) Cloud Object Store (COS) CSCus43014 2.1.2 (Available)
3.0.0 (27-May-2015)Media Services Interface CSCus43013 No further releases planned. Tandberg Codian ISDN GW 3210/3220/3240 CSCus42753 2.2 Maintenance Release (mid May 2015) Tandberg Codian MSE 8320 model CSCus42753 2.2 Maintenance Release (mid May 2015) Wireless Cisco IOS Access Points CSCus42764 15.5(03)S (Available) Cisco Mobility Services Engine (MSE) CSCus42729 8.0.110.002 Cisco Wireless Lan Controller (WLC) CSCus42727 7.0.252.0 (Available)
7.4.140.0 (Available)
8.1.102.0 (Available)
8.0.120.0 (June 2015)
7.6.130.26 (Contact Cisco TAC for this version)Cisco Hosted Services Cisco Common Services Platform Collector CSCus95785 Cisco Network Configuration and Change Management Service CSCus42860 1.5 (Available) Cisco Proactive Network Operations Center CSCus42796 Cisco Universal Small Cell 5000 Series running V3.4.2.x software CSCus42775 3.5.11.11
3.4.5.7Cisco Universal Small Cell 7000 Series running V3.4.2.x software CSCus42775 3.5.11.11
3.4.5.7Network Performance Analytics (NPA) CSCus42893 1.11.3 (30-Aug-2015)
Products Confirmed Not Vulnerable
The following Cisco products have been analyzed and are not affected by any of the listed vulnerabilities:
Collaboration and Social Media
- Cisco WebEx Node for MCS
Endpoint Clients and Client Software
- Cisco IP Communicator
- Cisco NAC Agent for Mac
- Cisco NAC Agent for Web
- Cisco NAC Agent for Windows
- Cisco UC Integration for Microsoft Lync
- Cisco Unified Personal Communicator
- Cisco Unified Video Advantage
- Cisco WebEx Meetings (client)
- Cisco WebEx Meetings for BlackBerry
- Cisco WebEx Productivity Tools
- Cisco Webex App for iOS
Network Application, Service, and Acceleration
- Cisco Application and Content Networking System (ACNS)
- Cisco Extensible Network Controller (XNC)
Network and Content Security Devices
- Cisco Adaptive Security Device Manager
- Cisco Physical Access Manager
Network Management and Provisioning
- Cisco Configuration Professional
- Cisco Connected Grid Device Manager
- Cisco Connected Grid Network Management System
- Cisco Discovery Service
- Cisco Insight Reporter
- Cisco Linear Stream Manager
- Cisco Multicast Manager
- Cisco Prime Analytics
- Cisco Prime Cable Provisioning
- Cisco Prime Central for SPs
- Cisco Prime Home
- Cisco SON Suite
- Cisco Unified Provisioning Manager (CUPM)
- CiscoWorks Network Compliance Manager
- Digital Media Manager 5.4
Routing and Switching - Enterprise and Service Provider
- Cisco Broadband Access Center Telco Wireless
- Cisco Prime Provisioning for SPs
- Cisco Service Control Operating System
Routing and Switching - Small Business
- Cisco VEN401 Wireless Access Point
- Cisco VEN501 Wireless Access Point
Voice and Unified Communications Devices
- Cisco Desktop Collaboration Experience DX650
- Cisco Packaged Contact Center Enterprise
- Cisco Remote Silent Monitoring
- Cisco SPA8000 8-port IP Telephony Gateway
- Cisco SPA8800 IP Telephony Gateway with 4 FXS and 4 FXO Ports
- Cisco Unified Communications Domain Manager
- Cisco Unified 3900 series IP Phones
- Cisco Unified Client Services Framework
- Cisco Unified Communications Sizing Tool
- Cisco Unified Communications Widgets Click To Call
- Cisco Unified E-Mail Interaction Manager
- Cisco Unified Integration for IBM Sametime
- Cisco Unified Web Interaction Manager
- Cisco Virtual PGW 2200 Softswitch
- Cisco Voice Portal (CVP)
- xony VIM/CCDM/CCMP
Video, Streaming, TelePresence, and Transcoding Devices
- Cisco AnyRes VOD (CAV)
- Cisco D9034-S Encoder
- Cisco D9054 HDTV Encoder
- Cisco D9804 Multiple Transport Receiver
- Cisco D9824 Advanced Multi Decryption Receiver
- Cisco D9854/D9854-I Advanced Program Receiver
- Cisco D9858 Advanced Receiver Transcoder
- Cisco D9859 Advanced Receiver Transcoder
- Cisco D9865 Satellite Receiver
- Cisco DCM Series 9900-Digital Content Manager
- Cisco Digital Media Players
- Cisco TelePresence Exchange System (CTX)
- Cisco TelePresence Management Suite (TMS)
- Cisco TelePresence Management Suite Analytics Extension (TMSAE)
- Cisco TelePresence Management Suite Extension (TMSXE)
- Cisco TelePresence Management Suite Extension for IBM
- Cisco TelePresence Management Suite Provisioning Extension
Wireless- Cisco Wireless Location Appliance
Cisco Hosted Services
- Cisco Connected Analytics For Collaboration
- Cisco Install Base Management (IBM)
- Cisco Registered Envelope Service (CRES)
- Cisco Services Platform Collector (CSPC)
- Cisco SmartConnection
- Cisco SmartReports
- Cisco WebEx WebOffice & Workspace
- Cisco Webex Messenger Service
- Connected Analytics for Network Deployment (CAND)
- Services Analytic Platform
- Webex Meeting Center
-
The OpenSSL Project disclosed eight vulnerabilities on January 8, 2015. One or more of these vulnerabilities affect both client and server installations of OpenSSL. The vulnerability names and the associated Common Vulnerabilities and Exposures (CVE) IDs are as follows.
The impact of these vulnerabilities on Cisco products may vary depending on the affected product.
For Cisco products, please refer to the information provided in the Cisco bug IDs listed in the Affected Products section of this document. Additional information and detailed instructions are available in the Cisco installation, configuration, and maintenance guides for each product. If additional clarification or advice is needed, please contact your support organization.
OpenSSL DTLS Message Processing Denial of Service Vulnerability
A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to improper processing of network messages. An attacker could exploit this vulnerability by sending malicious network messages to a targeted system.
This vulnerability has been assigned CVE ID CVE-2014-3571.
OpenSSL dtls1_buffer_record Function DTLS Message Processing Denial of Service Vulnerability
OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to an error condition that occurs when the affected software processes crafted Datagram Transport Layer Security (DTLS) packets. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted DTLS packets to an affected OpenSSL-based server. An exploit could allow the attacker to consume excessive memory resources, resulting in a DoS condition.
This vulnerability has been assigned CVE ID CVE-2015-0206.
OpenSSL no-ssl3 Option NULL Pointer Dereference Vulnerability
A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.
The vulnerability is due to improper implementation of the OpenSSL build configuration. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted SSL 3.0 handshake request to the targeted client. Processing the request could cause the affected software to terminate abnormally, leading to a DoS condition.
This vulnerability has been assigned CVE ID CVE-2014-3569.
OpenSSL Elliptic Curve Cryptographic Downgrade Vulnerability
A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to conduct downgrade attacks.
The vulnerability is due to insecure implementation of ephemeral Elliptic Curve Diffie-Hellman (ECDH) ciphersuites by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by transmitting crafted handshake requests to the targeted client system. When processed, the requests could allow the attacker to downgrade the server to use the weaker encryption protocol, which could allow the attacker to obtain sensitive information from the system.
This vulnerability has been assigned CVE ID CVE-2014-3572.
OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability
A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to bypass security restrictions.
The vulnerability is due to improper handling of an RSA temporary key. An attacker with a privileged network position could exploit the vulnerability by returning a weak temporary RSA key to a system using an application that uses the vulnerable OpenSSL library. When processed, the insecure temporary key could result in reduced cryptographic protections, which could allow the attacker to bypass security protections.
This vulnerability has been assigned CVE ID CVE-2015-0204.
OpenSSL Diffie-Hellman Certificate Validation Authentication Bypass Vulnerability
OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to bypass certain security restrictions and access sensitive information on a targeted system.
The vulnerability is due to improper certificate verification by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by transmitting a crafted Diffie-Hellman certificate without the certificate verify message to the affected server. The processing of such certificates could allow the attacker to bypass certain security restrictions and access sensitive information on the system.
This vulnerability has been assigned CVE ID CVE-2015-0205.
OpenSSL Certificate Fingerprint Validation Vulnerability
A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to bypass fingerprint-based certificate validation mechanisms implemented by the affected software.
The vulnerability exists due to insufficient constraints applied on certificate data by the affected software. An attacker could exploit this vulnerability by including crafted data within a certificate's unsigned portion and submitting it to be processed by the affected software. If successful, an attacker could bypass the fingerprint-based certificate-blacklist protection mechanism implemented by the affected software.
This vulnerability has been assigned CVE ID CVE-2014-8275.
OpenSSL BN_sql Function Incorrect Mathematical Results Issue
An issue in OpenSSL could result in the calculation of incorrect mathematical results.
The issue is in the BN_sql function because the function does not properly calculate the square of a BIGNUM value. An unauthenticated, remote attacker could exploit this issue using an unspecified vector. Successful exploitation could cause the software to calculate incorrect results.
Reports suggest that no exploits are known and straightforward bug attacks fail because the attacker cannot control when the bug triggers and no private key material is involved.
This vulnerability has been assigned CVE ID CVE-2014-3570.
-
For potential workarounds on a specific Cisco product, refer to the Cisco bug ID, available from the Cisco Bug Search Tool.
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
-
In early March 2015, CVE-2015-0204: OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability, received media attention for research done into the factoring attack on RSA-EXPORT Keys (dubbed FREAK).
These vulnerabilities were publicly disclosed by the OpenSSL Project on January 5, 2015. Consistent with our security vulnerability disclosure policy, the Cisco PSIRT began disclosing the effect to Cisco products through public release notes, before increased public discussion of FREAK led to this security advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessVersion Description Section Status Date 1.17 Updated first fixed releases for the APIC from 1.1(0.625), 1.0(2.136a) to 1.1(1j) and 1.0(3f) Affected Products Final 2015-November-13 1.16 Added Cisco IP Phone 8800 Series to affected products section. 2015-September-22 1.15 Updated fixed releases availability. 2015-June-02 1.14 Moved the Cisco Mobility Services Engine (MSE) to an affected product. Updated Fixed releases availability. 2015-May-28 1.13 Updated Vulnerable Products Fixed releases availability column. 2015-May-14 1.12 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. 2015-May-06 1.11 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. 2015-April-30 1.10 Updated the Vulnerable Products fixed column. Added Cisco IOS Access Points to under investigation. 2015-April-27 1.9 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. 2015-April-17 1.8 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. 2015-April-13 1.7 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Removed End of Life product - Cisco Small Business ISA500 Series Integrated Security Appliances. 2015-April-09 1.6 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. 2015-April-02 1.5 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Several End of Life products were removed from the advisory. 2015-March-26 1.4 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Added Cisco TelePresence IP Gateway Series to the advisory. 2015-March-19 1.3 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. 2015-March-16 1.2 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. 2015-March-13 1.1 Moved Cisco Content Security Management Appliance (SMA) from Not Vulnerable to under Investigation. Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. 2015-March-11 1.0 Initial public release. 2015-March-10
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.