Summary
On May 3, 2016, the OpenSSL Software Foundation released a security advisory that included six vulnerabilities. Of the six vulnerabilities disclosed, four of them may cause memory corruption or excessive memory usage, one could allow a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI, and, lastly, one is specific to a product performing an operation with Extended Binary Coded Decimal Interchange Code (EBCDIC) encoding.
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities.
This advisory will be updated as additional information becomes available.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl
Affected Products
Cisco investigated its product line to determine which products may be affected by these vulnerabilities and the impact on each affected product. Refer to the "Vulnerable Products" and "Products Confirmed Not Vulnerable" sections of this advisory for information about whether a product is affected.
The "Vulnerable Products" section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.
Vulnerable Products
The following table lists Cisco products that are affected by one or more vulnerabilities described in this advisory.
Collaboration and Social Media

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco MeetingPlace | CSCuz52556 | CWMS 2.7 (Available) |
| Cisco SocialMiner | CSCuz63938 | 11.5.1 (Available) |
| Cisco WebEx Meetings Server versions 1.x | CSCuz52375 | 2.6.1.2109 (Available); 2.7.1.12 (Available) |
| Cisco WebEx Meetings Server versions 2.x | CSCuz52375 | 2.6.1.2109 (Available); 2.7.1.12 (Available) |
| Cisco WebEx Node for MCS | CSCuz52370 | 3.12.9.8 (Available) |

Endpoint Clients and Client Software

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco Agent for OpenFlow | CSCuz52503 | 2.1.5 (N3K/N9K) (Available); 2.0.7 (N7K) (Available); 2.0.7 (cat3k/cat4k) (Available) |
| Cisco AnyConnect Secure Mobility Client for Android | CSCuz52506 | 4.3 for Windows, Linux, OS X (10-JUN-2016); 4.2 for Windows, Linux, OS X (16-JUN-2016); 4.0 for Android, iOS (30-JUN-2016) |
| Cisco AnyConnect Secure Mobility Client for Android | CSCuz52507 | 4.3 for Windows, Linux, OS X (Available); 4.2 for Windows, Linux, OS X (Available); 4.0 for Android, iOS (Available) |
| Cisco AnyConnect Secure Mobility Client for Linux | CSCuz52506 | 4.3 for Windows, Linux, OS X (10-JUN-2016); 4.2 for Windows, Linux, OS X (16-JUN-2016); 4.0 for Android, iOS (30-JUN-2016) |
| Cisco AnyConnect Secure Mobility Client for OS X | CSCuz52506 | 4.3 for Windows, Linux, OS X (10-JUN-2016); 4.2 for Windows, Linux, OS X (16-JUN-2016); 4.0 for Android, iOS (30-JUN-2016) |
| Cisco AnyConnect Secure Mobility Client for Windows | CSCuz52506 | 4.3 for Windows, Linux, OS X (10-JUN-2016); 4.2 for Windows, Linux, OS X (16-JUN-2016); 4.0 for Android, iOS (30-JUN-2016) |
| Cisco AnyConnect Secure Mobility Client for iOS | CSCuz52506 | 4.3 for Windows, Linux, OS X (10-JUN-2016); 4.2 for Windows, Linux, OS X (16-JUN-2016); 4.0 for Android, iOS (30-JUN-2016) |
| Cisco Jabber Guest 10.0(2) | CSCuz52554 | 11.0 (Available) |
| Cisco Jabber Software Development Kit | CSCuz52552 | 11.7 (Available) |
| Cisco Jabber for Android | CSCuz52568 | 11.6 MR (Available) |
| Cisco Jabber for Mac | CSCuz52551 | 11.7 (Available) |
| Cisco Jabber for Windows | CSCuz60563 | 11.6(1) (Available) |
| Cisco MMP server | CSCuz52380 | 3.10.0 (Available) |
| Cisco WebEx Meetings Client - Hosted | CSCuz52379 | T31R1SP6 (15-DEC-2016) |
| Cisco WebEx Meetings Client - On Premises | CSCuz52374 | 2.7.1.12 (Available); 2.6.1.2109 (Available) |
| Cisco WebEx Meetings for Android | CSCuz52371 | A patch file is available for vulnerable releases |
| Cisco WebEx Meetings for WP8 | CSCuz52373 | No further releases are planned |
| WebEx Meetings Server - SSL Gateway | CSCuz52376 | 2.6.1.2109 (Available); 2.7.1.12 (Available) |
| WebEx Recording Playback Client | CSCuz52378 | T31R1SP6 (DEC-2016) |

Network Application, Service, and Acceleration

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco ACE 30 Application Control Engine Module | CSCuz52383 | No fix available |
| Cisco ACE 4710 Application Control Engine (A5) | CSCuz52383 | No fix available |
| Cisco Application and Content Networking System (ACNS) | CSCuz52468 | 5.5.41 (31-JUL-2016) |
| Cisco InTracer | CSCuz52350 | Product is EOL so no fix is expected. |
| Cisco Network Admission Control (NAC) | CSCuz52469 | No fix available |
| Cisco Visual Quality Experience Server | CSCuz52466 | 3.11(3.1) (Available) |
| Cisco Visual Quality Experience Tools Server | CSCuz52466 | 3.11(3.1) (Available) |
| Cisco Wide Area Application Services (WAAS) | CSCuz52481 | 5.5.7 (30-JUN-2016); 6.2.3 (29-JUL-2016) |

Network and Content Security Devices

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco ASA CX and Cisco Prime Security Manager | CSCuz52482 | 9.5.4.3 (30-MAY-2016) |
| Cisco ASA Next-Generation Firewall Services | CSCuz52479 | R2.1.1 (Available) |
| Cisco Adaptive Security Appliance (ASA) | CSCuz52474 | All affected systems have been updated. |
| Cisco Clean Access Manager | CSCuz52470 | No fix available |
| Cisco Content Security Management Appliance (SMA) | CSCuz52367 | 10.5 (APR-2017) |
| Cisco FireSIGHT System Software | CSCuz52366 | 6.0.1.2 (27-JUN-2016) |
| Cisco IPS | CSCuz52508 | No fix available |
| Cisco Identity Services Engine (ISE) | CSCuz52493 | 2.2.1 (Available) |
| Cisco Email Security Appliance (ESA) | CSCuz52363 | 11.0 (APR-2017) |
| Cisco IronPort Encryption Appliance (IEA) | CSCuz52365 | No fix available |
| Cisco NAC Guest Server | CSCuz52472 | No fix available |
| Cisco NAC Server | CSCuz52471 | No fix available |
| Cisco Physical Access Control Gateway | CSCuz52487 | |
| Cisco Secure Access Control Server (ACS) | CSCuz52504 | 5.8 patch 5 (JUL-2016) |
| Cisco Secure Access Control System (ACS) | CSCuz52505 | 5.8 patch 5 (Available) |
| Cisco Virtual Security Gateway for Microsoft Hyper-V | CSCuz52403 | 5.2(1) (20-AUG-2016); VSG2(1.4) (20-AUG-2016) |
| Cisco Web Security Appliance (WSA) | CSCuz52369 | 10.5 (MAR-2017) |
| Lancope Stealthwatch SMC | | 6.7.3 (End of May 2016); 6.8.0 (End of May 2016); 6.8.1 (June 2016); 6.8.2 (End of Jun 2016) |
| Lancope Stealthwatch FlowCollector NetFlow | | 6.7.3 (End of May 2016); 6.8.0 (End of May 2016); 6.8.1 (June 2016); 6.8.2 (End of Jun 2016) |
| Lancope Stealthwatch FlowCollector sFlow | | 6.7.3 (End of May 2016); 6.8.0 (End of May 2016); 6.8.1 (June 2016); 6.8.2 (End of Jun 2016) |
| Lancope Stealthwatch FlowSensor | | 6.7.3 (End of May 2016); 6.8.0 (End of May 2016); 6.8.1 (June 2016); 6.8.2 (End of Jun 2016) |
| Lancope Stealthwatch UDP Director | | 6.7.3 (End of May 2016); 6.8.0 (End of May 2016); 6.8.1 (June 2016); 6.8.2 (End of Jun 2016) |

Network Management and Provisioning

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco Application Networking Manager | CSCuz52384 | Contact TAC for upgrade options |
| Cisco Application Policy Infrastructure Controller (APIC) | CSCuz52389 | 11.6 MR (Available) |
| Cisco Digital Media Manager | CSCuz52441 | 5.3.0 (Available); 5.3.6 (Available); 5.3.6(RB1) (Available); 5.3.6(RB2) (Available); 5.4.0 (Available); 5.4.1 (Available); 5.4.1(RB1) (Available); 5.4.1(RB2) (Available) |
| Cisco MATE Collector | CSCuz52583 | 6.3.5dev-19-g2329292 (Available); 6.4dev-2206-g9361bc4 (Available); 6.4dev-2250-g50ed411 (Available) |
| Cisco MATE Design | CSCuz52583 | 6.3.5dev-19-g2329292 (Available); 6.4dev-2206-g9361bc4 (Available); 6.4dev-2250-g50ed411 (Available) |
| Cisco MATE Live | CSCuz52583 | 6.3.5dev-19-g2329292 (Available); 6.4dev-2206-g9361bc4 (Available); 6.4dev-2250-g50ed411 (Available) |
| Cisco Management Appliance (MAP) | CSCuz52355 | 0.9.8e (Available); 0.9.8-39.el5_11 (08-JUN-2016) |
| Cisco Mobile Wireless Transport Manager | CSCuz52431 | No fix expected. |
| Cisco NetFlow Generation Appliance | CSCuz52426 | Affected systems will be updated (01-AUG-2016) |
| Cisco Network Analysis Module | CSCuz52423 | 6.3.1 (Available) |
| Cisco Packet Tracer | CSCuz52451 | 7.0 (Available) |
| Cisco Policy Suite (CPS) | CSCuz52587 | 10.0 (Available) |
| Cisco Prime Access Registrar | CSCuz52418 | 7.0.1.7 (JUN-2016); 7.1.x (JUN-2016); 7.2 (SEP-2016) |
| Cisco Prime Collaboration Assurance | CSCuz52430 | 11.5 SP1 (Aug. 2016) |
| Cisco Prime Collaboration Deployment | CSCuz52537 | 11.5 (Available) |
| Cisco Prime Collaboration Provisioning | CSCuz52429 | 11.2 (Available) |
| Cisco Prime Data Center Network Manager (DCNM) | CSCuz52387 | 10.0(1.28)S0 (Available) |
| Cisco Prime IP Express | CSCuz52421 | |
| Cisco Prime Infrastructure Standalone Plug and Play Gateway | CSCuz52424 | |
| Cisco Prime Infrastructure | CSCuz52425 | 3.1.1 (JUN-2016) |
| Cisco Prime LAN Management Solution (LMS - Solaris) | CSCuz52413 | No fix is expected. |
| Cisco Prime License Manager | CSCuz52452 | 11.5 (JUN-2016) |
| Cisco Prime Network Registrar (CPNR) | CSCuz52415 | |
| Cisco Prime Network Services Controller | CSCuz52433 | 3.4.2 (AUG-2016) |
| Cisco Prime Network | CSCuz52408 | Affected systems will be updated (30-Jun-2016) |
| Cisco Prime Optical for SPs | CSCuz52420 | 10.6 (Available) |
| Cisco Prime Performance Manager | CSCuz52409 | 1.7.0.6 (30-JUL-2016) |
| Cisco Prime Security Manager | CSCuz52477 | 9.5.4.3 (Available) |
| Cisco Security Manager | CSCuz52432 | 4.12 (Available) |
| Cisco UCS Central | CSCuz52405 | 1.5(1a) (Available) |
| Cisco Unified Intelligence Center (CUIC) | CSCuz63935 | 11.5.1 (Available) |
| Local Collector Appliance (LCA) | CSCuz52524 | 2.2.12 (20-MAY-2016) |

Routing and Switching - Enterprise and Service Provider

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco ASR 5000 Series | CSCuz52351 | 19.4.0 (30-JUN-2016); 20.2.0 (29-JUL-2016); 21.0.0 (30-SEP-2016) |
| Cisco Connected Grid Router - CGOS | CSCuz52385 | 15.6.2.15T (5-JUN-2016) |
| Cisco Connected Grid Router | CSCuz52529 | 15.6.2.15T (05-JUN-2016) |
| Cisco IOS Software and Cisco IOS-XE Software | CSCuz52528 | 15.4(1)IA1.73 (Available); 15.6(2)T0.1 (Available); 15.6(2.19)T (Available); 16.3(0.232) (Available); 16.4(0.49) (Available) |
| Cisco IOS-XR | CSCuz52437 | Affected systems will be updated (08-Jun-2016) |
| Cisco MDS 9000 Series Multilayer Switches | CSCuz52394 | 6.2.17 (MDS) (JUN-2016); 7.3.1DX (N7k and MDS) (AUG-2016); 7.3.1NX (N5k/N6k) (AUG-2016); 8.3 (N3k/N9k) (NOV-2016) |
| Cisco Nexus 1000V InterCloud | CSCuz52393 | Affected systems will be updated (30-Jun-2016) |
| Cisco Nexus 1000V Series Switches (ESX) | CSCuz52399 | 5.2(1)SV3(2.1) (30-JUN-2016) |
| Cisco Nexus 1000V Series Switches | CSCuz52397 | 5.2(1)SV3(2.1) (Available) |
| Cisco Nexus 3X00 Series Switches | CSCuz52400 | 6.0(2)A8(1) (Available) |
| Cisco Nexus 4000 Series Blade Switches | CSCuz52512 | 0.9.8zf (Available) |
| Cisco Nexus 5000 Series Switches | CSCuz52401 | 7.3.1 (Available) |
| Cisco Nexus 6000 Series Switches | CSCuz52395 | 6.2.17 (MDS) (JUN-2016); 7.3.1DX (N7k and MDS) (AUG-2016); 7.3.1NX (N5k/N6k) (AUG-2016); 8.3 (N3k/N9k) (NOV-2016) |
| Cisco Nexus 7000 Series Switches | CSCuz52395 | 6.2.17 (MDS) (JUN-2016); 7.3.1DX (N7k and MDS) (AUG-2016); 7.3.1NX (N5k/N6k) (AUG-2016); 8.3 (N3k/N9k) (NOV-2016) |
| Cisco Nexus 9000 (ACI/Fabric Switch) | CSCuz52391 | 12.0(0.133) (Available) |
| Cisco Nexus 9000 Series (standalone, running NxOS) | CSCuz52396 | 10.6(3.11002.7) |
| Cisco ONS 15454 Series Multiservice Provisioning Platforms | CSCuz52486 | 10.6.1 (30-JUN-2016) |
| Cisco OnePK All-in-One VM | CSCuz52485 | No fix available |
| Cisco Service Control Operating System | CSCuz52530 | 5.1 (Available); 5.2 (Available) |

Routing and Switching - Small Business

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco Sx220 switches | CSCuz52497 | 1.4.7 (NOV-2016) |
| Cisco Sx300 switches | CSCuz52500 | 1.4.7 (NOV-2016) |
| Cisco Sx500 switches | CSCuz52502 | 1.4.7 (NOV-2016) |

Unified Computing

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco Cloupia Unified Infrastructure Controller | CSCuz52386 | 5.5 (Available) |
| Cisco Common Services Platform Collector | CSCuz52352 | 1.10 (SEPT-2016) |
| Cisco Standalone rack server CIMC | CSCuz52406 | 2.0(13) (Available) |
| Cisco Unified Computing System (Management software) | CSCuz52483 | 3.1.2 (AUG-2016) |
| Cisco Virtual Security Gateway | CSCuz52402 | 5.2(1) (20-AUG-2016); VSG2(1.4) (20-AUG-2016) |

Voice and Unified Communications Devices

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco 190 ATA Series Analog Terminal Adaptor | CSCuz52534 | 1.3.0 (APR-2017) |
| Cisco 8800 Series IP Phones - VPN Feature | CSCuz52565 | 11.5.2 (12-DEC-2016) |
| Cisco ATA 187 Analog Telephone Adaptor | CSCuz52560 | 9.2.5 (05-APR-2017) |
| Cisco Agent Desktop for Cisco Unified Contact Center Express | CSCuz52539 | No fix is expected |
| Cisco Computer Telephony Integration Object Server (CTIOS) | CSCuz52360 | 11.51 (Available) |
| Cisco DX Series IP Phones | CSCuz52563 | No fix is expected |
| Cisco Emergency Responder | CSCuz52543 | 11.5 (Available) |
| Cisco Finesse | CSCuz63940 | 11.5.1 (09-AUG-2016) |
| Cisco Hosted Collaboration Mediation Fulfillment | CSCuz52547 | 10.6(1.99000.17) (Available); 10.6(1.99000.18) (Available); 10.6(3.11002.7) (Available) |
| Cisco IM and Presence Service (CUPS) | CSCuz52545 | 11.5 (Available) |
| Cisco IP Interoperability and Collaboration System (IPICS) | CSCuz52461 | 5.0 (30-AUG-2016) |
| Cisco Jabber for Apple iOS | CSCuz52550 | 11.7.0 (Available) |
| Cisco MediaSense | CSCuz52562 | 11.5.1 (Available) |
| Cisco Paging Server (Informacast) | CSCuz52548 | 11.5.1 (Available) |
| Cisco Paging Server | CSCuz52548 | 11.5.1 (Available) |
| Cisco SPA112 2-Port Phone Adapter | CSCuz52494 | 1.4.5 (05-OCT-2016) |
| Cisco SPA122 ATA with Router | CSCuz52494 | 1.4.5 (05-OCT-2016) |
| Cisco SPA232D Multi-Line DECT ATA | CSCuz52494 | 1.4.5 (05-OCT-2016) |
| Cisco SPA30X Series IP Phones | CSCuz52496 | No further releases are planned |
| Cisco SPA50X Series IP Phones | CSCuz52496 | No further releases are planned |
| Cisco SPA51X Series IP Phones | CSCuz52496 | No further releases are planned |
| Cisco SPA525G | CSCuz52495 | 7.6.5 (05-APR-2017) |
| Cisco Unified 6901 IP Phones | CSCuz52557 | 9.3(1)SR3 (05-APR-2017) |
| Cisco Unified 6945 IP Phones | CSCuz52561 | No fix available |
| Cisco Unified 7800 Series IP Phones | CSCuz52566 | 11.5.2 (Available) |
| Cisco Unified 8831 series IP Conference Phone | CSCuz52559 | 79xx: 9.4.2 SR2 (JUN-2016); 8831: 10.3.2 (JUL-2016); 99xx: 9.4.2SR3 (JUL-2016); 8941/45: 9.4.2SR3 (AUG-2016) |
| Cisco Unified 8945 IP Phone | CSCuz52558 | 9.4.2SR3 (Available) |
| Cisco Unified 8961 IP Phone | CSCuz52546 | 9.4.2SR3 (Available) |
| Cisco Unified 9951 IP Phone | CSCuz52546 | 9.4.2SR3 (Available) |
| Cisco Unified 9971 IP Phone | CSCuz52546 | 9.4.2SR3 (Available) |
| Cisco Unified Attendant Console Advanced | CSCuz52532 | 11.5.1 (Available) |
| Cisco Unified Attendant Console Business Edition | CSCuz52532 | 11.5.1 (Available) |
| Cisco Unified Attendant Console Department Edition | CSCuz52532 | 11.5.1 (Available) |
| Cisco Unified Attendant Console Enterprise Edition | CSCuz52532 | 11.5.1 (Available) |
| Cisco Unified Attendant Console Premium Edition | CSCuz52532 | 11.5.1 (Available) |
| Cisco Unified Attendant Console Standard | CSCuz52533 | 11.5.1 (Available) |
| Cisco Unified Communications Manager (UCM) | CSCuz52535 | 11.5 (Available) |
| Cisco Unified Communications Manager Session Management Edition (SME) | CSCuz52535 | 11.5 (Available) |
| Cisco Unified Communications for Microsoft Lync | CSCuz52541 | 11.6(0.39070) (Available) |
| Cisco Unified Contact Center Enterprise | CSCuz52360 | 11.51 (Available) |
| Cisco Unified Contact Center Express - Live Data Server | CSCuz63936 | |
| Cisco Unified Contact Center Express | CSCuz63939 | 11.5.1 (Available) |
| Cisco Unified IP Conference Phone 8831 for Third-Party Call Control | CSCuz52320 | No further releases are planned. |
| Cisco Unified IP Phone 7900 Series | CSCuz52567 | No fix available |
| Cisco Unified Intelligent Contact Management Enterprise | CSCuz52360 | 11.51 (Available) |
| Cisco Unified Sip Proxy | CSCuz52349 | CUSP 10.0 (Sept. 2016) |
| Cisco Unified Wireless IP Phone | CSCuz52573 | 1.5.1 (05-APR-2017) |
| Cisco Unified Workforce Optimization Quality Management | CSCuz52571 | 11.0 SR3 ES5 (30-JUN-2016) |
| Cisco Unified Workforce Optimization | CSCuz52572 | 11.0 SR3 ES5 (Available) |
| Cisco Unity Connection (UC) | CSCuz52538 | 11.5 (Available) |
| Cisco Unity Express | CSCuz52348 | 10.0 (JAN-2017) |
| Cisco Virtualization Experience Media Engine | CSCuz52570 | 11.7(0) (Available); 11.5.1 (Available) |

Video, Streaming, TelePresence, and Transcoding Devices

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco AnyRes Live (CAL) | CSCuz52522 | 9.4.5 (30-JUN-2016) |
| Cisco DCM Series 9900-Digital Content Manager | CSCuz52407 | 19.0.0 (Available) |
| Cisco Digital Media Players (DMP) 4300 Series | CSCuz52440 | 5.4(1)RB(2P11) (Available); 5.3(6) RB(2P8) (Available) |
| Cisco Digital Media Players (DMP) 4400 Series | CSCuz52440 | 5.4(1)RB(2P11) (Available); 5.3(6) RB(2P8) (Available) |
| Cisco Edge 300 Digital Media Player | CSCuz52514 | 1.6RB4_5 (29-JUN-2016) |
| Cisco Edge 340 Digital Media Player | CSCuz52515 | 1.2.0.20 (23-JUN-2016) |
| Cisco Enterprise Content Delivery System (ECDS) | CSCuz52442 | 2.6.8 (Available) |
| Cisco Expressway Series | CSCuz55590 | 8.8 (Available) |
| Cisco Internet Streamer (CDS) | CSCuz52465 | 4.3.2 (JUN-2016) |
| Cisco Media Experience Engines (MXE) | CSCuz52449 | 3.5.2 (Available) |
| Cisco Media Services Interface | CSCuz52438 | No fix is expected |
| Cisco Show and Share (SnS) | CSCuz52454 | No fixes are expected. |
| Cisco TelePresence 1310 | CSCuz52531 | 6.1.13 (15-JAN-2016); 1.10.16 (15-JAN-2016); 1.9.12 (15-JAN-2016) |
| Cisco TelePresence Conductor | CSCuz52439 | 4.3 (Available) |
| Cisco TelePresence Content Server (TCS) | CSCuz52456 | 7.2 (Available) |
| Cisco TelePresence EX Series | CSCuz52455 | 7.3.7 (SEP-2016); 8.2.0 (JUL-2016) |
| Cisco TelePresence ISDN GW 3241 | CSCuz52444 | 2.2(113) (Available) |
| Cisco TelePresence ISDN GW MSE 8321 | CSCuz52444 | 2.2(113) (Available) |
| Cisco TelePresence ISDN Link | CSCuz52446 | 1.1.6 (Available) |
| Cisco TelePresence MCU (8510, 8420, 4200, 4500 and 5300) | CSCuz52447 | 4.5(1.86) (NOV-2016) |
| Cisco TelePresence MX Series | CSCuz52455 | 7.3.7 (SEP-2016); 8.2.0 (JUL-2016) |
| Cisco TelePresence Profile Series | CSCuz52455 | 7.3.7 (SEP-2016); 8.2.0 (JUL-2016) |
| Cisco TelePresence SX Series | CSCuz52455 | 7.3.7 (SEP-2016); 8.2.0 (JUL-2016) |
| Cisco TelePresence Serial Gateway Series | CSCuz52453 | No fix is planned |
| Cisco TelePresence Server 8710, 7010 | CSCuz52458 | 4.2 MR2 (Available); 4.4 (Available) |
| Cisco TelePresence Server on Multiparty Media 310, 320 | CSCuz52458 | 4.2 MR2 (Available); 4.4 (Available) |
| Cisco TelePresence Server on Virtual Machine | CSCuz52458 | 4.2 MR2 (Available); 4.4 (Available) |
| Cisco TelePresence Supervisor MSE 8050 | CSCuz52448 | 2.3(1.50) (Available) |
| Cisco TelePresence System 1000 | CSCuz52531 | 6.1.13 (15-JAN-2016); 1.10.16 (15-JAN-2016); 1.9.12 (15-JAN-2016) |
| Cisco TelePresence System 1100 | CSCuz52531 | 6.1.13 (15-JAN-2016); 1.10.16 (15-JAN-2016); 1.9.12 (15-JAN-2016) |
| Cisco TelePresence System 1300 | CSCuz52531 | 6.1.13 (15-JAN-2016); 1.10.16 (15-JAN-2016); 1.9.12 (15-JAN-2016) |
| Cisco TelePresence System 3000 Series | CSCuz52531 | 6.1.13 (15-JAN-2016); 1.10.16 (15-JAN-2016); 1.9.12 (15-JAN-2016) |
| Cisco TelePresence System 500-32 | CSCuz52531 | 6.1.13 (15-JAN-2016); 1.10.16 (15-JAN-2016); 1.9.12 (15-JAN-2016) |
| Cisco TelePresence System 500-37 | CSCuz52531 | 6.1.13 (15-JAN-2016); 1.10.16 (15-JAN-2016); 1.9.12 (15-JAN-2016) |
| Cisco TelePresence TX 9000 Series | CSCuz52531 | 6.1.13 (15-JAN-2016); 1.10.16 (15-JAN-2016); 1.9.12 (15-JAN-2016) |
| Cisco TelePresence Video Communication Server (VCS) | CSCuz55590 | 8.8 (Available) |
| Cisco Telepresence Integrator C Series | CSCuz52455 | 7.3.7 (SEP-2016); 8.2.0 (JUL-2016) |
| Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS) | CSCuz52464 | 4.3.2 (JUN-2016) |
| Cisco Video Surveillance 3000 Series IP Cameras | CSCuz52490 | 2.8(0.297) (Available) |
| Cisco Video Surveillance 3000 Series IP Cameras | CSCuz52491 | 2.8(0.297) (Available) |
| Cisco Video Surveillance 4000 Series High-Definition IP Cameras | CSCuz52488 | 2.4(6.309) (Available) |
| Cisco Video Surveillance 4300E/4500E High-Definition IP Cameras | CSCuz52489 | 3.2.8 (MAY-2016) |
| Cisco Video Surveillance 6000 Series IP Cameras | CSCuz52490 | 2.8(0.297) (Available) |
| Cisco Video Surveillance 6000 Series IP Cameras | CSCuz52491 | 2.8(0.297) (Available) |
| Cisco Video Surveillance 7000 Series IP Cameras | CSCuz52490 | 2.8(0.297) (Available) |
| Cisco Video Surveillance 7000 Series IP Cameras | CSCuz52491 | 2.8(0.297) (Available) |
| Cisco Video Surveillance Media Server | CSCuz52492 | 7.9 (DEC-2016) |
| Cisco Video Surveillance PTZ IP Cameras | CSCuz52490 | 2.8(0.297) (Available) |
| Cisco Video Surveillance PTZ IP Cameras | CSCuz52491 | 2.8(0.297) (Available) |
| Cisco Videoscape Control Suite | CSCuz52462 | Affected systems will be updated (30-Jun-2016) |
| Cloud Object Store (COS) | CSCuz52463 | 3.8 (Available) |
| Tandberg Codian ISDN GW 3210/3220/3240 | CSCuz52444 | 2.2(113) (Available) |
| Tandberg Codian MSE 8320 model | CSCuz52444 | 2.2(113) (Available) |

Wireless

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco Aironet 2700 Series Access Point | CSCuz52410 | |
| Cisco Mobility Services Engine (MSE) | CSCuz52422 | 8.0 (Available) |
| Cisco Wireless Control System | CSCuz73565 | No fix expected. |
| Cisco Wireless LAN Controller (WLC) | CSCuz52435 | 8.0 MR4 (NOV-2016); 8.2 MR1 (JUL-2016); 8.3 (JUN-2016) |

Cisco Hosted Services

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco Connected Analytics For Collaboration | CSCuz52356 | 1.0.1q (29-Jul-2016) |
| Cisco Intelligent Automation for Cloud | CSCuz52460 | 0.9.8 (Available) |
| Cisco Proactive Network Operations Center | CSCuz52354 | 3.0.19 (SEP-2016) |
| Cisco Registered Envelope Service (CRES) | CSCuz52362 | Affected systems have been updated. |
| Cisco Smart Care | CSCuz52473 | |
| Cisco Universal Small Cell 5000 Series running V3.4.2.x software | CSCuz52520 | 3.5.12.21 (30-JUN-2016) |
| Cisco Universal Small Cell 7000 Series running V3.4.2.x software | CSCuz52520 | 3.5.12.21 (30-JUN-2016) |
| Cisco WebEx Meeting Center | CSCuz52382 | 3.9.0.5 (25-MAY-2016); 3.9.1 (25-MAY-2016) |
| Cisco WebEx Messenger Service | CSCuz52377 | Affected systems have been updated |
| Network Health Framework (NHF) | CSCuz52525 | No further releases are planned |
| Network Performance Analytics (NPA) | CSCuz52526 | No further releases are planned |
| Services Analytic Platform | CSCuz52357 | Affected versions will be updated (30-Jul-2016) |

Products Confirmed Not Vulnerable
Endpoint Clients and Client Software
- Cisco WebEx Meetings for BlackBerry
Network Management and Provisioning
- Cisco Configuration Professional
- Cisco Multicast Manager
- Cisco Prime Home
- Cisco Prime Network Registrar IP Address Manager (IPAM)
Routing and Switching - Enterprise and Service Provider
- Cisco 910 Industrial Router
- Cisco Broadband Access Center Telco Wireless
Unified Computing
- Cisco Unified Computing System B-Series (Blade) Servers
Voice and Unified Communications Devices
- Cisco Agent Desktop
- Cisco Packaged Contact Center Enterprise
- Cisco TAPI Service Provider (TSP)
- Cisco Unified Communications Domain Manager
Video, Streaming, TelePresence, and Transcoding Devices
- Cisco D9859 Advanced Receiver Transcoder
Cisco Hosted Services
- Cisco Cloud Web Security
- Cisco One Portal
- Cisco Services Provisioning Platform (SPP)
- Cisco Universal Small Cell usc-iuh
- Cisco WebEx Meetings (Meeting Center, Training Center, Event Center, Support Center)
- Serial Number Assessment Service (SNAS)
- Small Cell factory recovery root filesystem V2.99.4 or later
Details
The names and associated Common Vulnerabilities and Exposures (CVE) IDs for the vulnerabilities that were disclosed on May 3, 2016, in the OpenSSL Software Foundation security advisory are as follows.
OpenSSL Untrusted ASN.1 Structures Out-of-Bounds Write Vulnerability
A vulnerability in the ASN.1 encoder in OpenSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.
The vulnerability is due to the way the affected software encodes certain ASN.1 data structures. An attacker could exploit this vulnerability by sending a crafted certificate to the targeted system. An exploit could cause the affected software to crash or allow the attacker to execute arbitrary code with the privileges of a targeted user running an application that is using the OpenSSL library. If the user has elevated privileges, a successful exploit could result in a complete system compromise.
This vulnerability has been assigned CVE ID CVE-2016-2108.
OpenSSL AES CBC Cipher Man-in-the-Middle Vulnerability
A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to decrypt and access sensitive information.
The vulnerability is due to insufficient padding checks by the affected software. An attacker could exploit this vulnerability by conducting a padding oracle attack if the attacker is in a man-in-the-middle position between a targeted system and a Transport Layer Security/Secure Sockets Layer (TLS/SSL) or Datagram Transport Layer Security (DTLS) server that supports Advanced Encryption Standard New Instructions (AES-NI) and the connection uses an AES Cipher Block Chaining (CBC) cipher. A successful exploit could allow the attacker to decrypt sensitive information in encrypted packets, which could be leveraged to conduct further attacks.
This vulnerability has been assigned CVE ID CVE-2016-2107.
OpenSSL EVP_EncryptUpdate Function Overflow Heap Corruption Vulnerability
A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system.
The vulnerability is due to improper validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by submitting large amounts of specially crafted data to the EVP_EncryptUpdate() function of the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user or cause a DoS condition on a targeted system.
This vulnerability has been assigned CVE ID CVE-2016-2106.
OpenSSL EVP_EncodeUpdate Function Overflow Vulnerability
A vulnerability in the EVP_EncodeUpdate() function in OpenSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.
The vulnerability is due to insufficient bounds checks by the affected software. An attacker could exploit this vulnerability by submitting large amounts of data to an application that uses the OpenSSL library on a targeted system. A successful exploit could trigger an overflow condition that results in heap corruption. The attacker could use the heap corruption to cause the application to crash or to execute arbitrary code in the security context of the user who is running the application. If the user is running the application with elevated privileges, the attacker could execute arbitrary code with those privileges and compromise the system completely.
This vulnerability has been assigned CVE ID CVE-2016-2105.
OpenSSL d2i_CMS_bio Function Denial of Service Vulnerability
A vulnerability in OpenSSL could allow a local attacker to cause a denial of service (DoS) condition on a targeted system.
The vulnerability is due to memory exhaustion while processing certain data. An attacker could exploit this vulnerability by sending crafted ASN.1 data to a targeted system. An exploit could cause the consumption of excessive memory resources, resulting in a DoS condition.
This vulnerability has been assigned CVE ID CVE-2016-2109.
OpenSSL ASN.1 Strings X509_NAME_oneline Function Overread Vulnerability
A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to gain access to sensitive information on a targeted system.
The vulnerability is due to improper memory handling by the affected software. An attacker could exploit this vulnerability by sending a crafted ASN.1 string greater than 1004 bytes to the X509_NAME_oneline() function of the affected software. A successful exploit could allow an attacker to cause a memory overread condition and gain access to sensitive information on a targeted system.
This vulnerability has been assigned CVE ID CVE-2016-2176.
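As an added example (not part of the Cisco advisory), a small Python triage helper that classifies an OpenSSL version banner against the upstream releases that fixed these six CVEs. The fixed levels 1.0.1t and 1.0.2h are taken from the OpenSSL project's 3 May 2016 advisory, not from this page; for Cisco products the table above and the Cisco bug IDs remain authoritative, because Cisco ships vendor builds (the table lists 0.9.8-based fixed releases, for example) whose patch letters do not map to upstream.

```python
import re
import ssl

# Upstream OpenSSL releases that fixed CVE-2016-2105/-2106/-2107/-2108/-2109/-2176.
# These come from the OpenSSL project's 3 May 2016 advisory, not from the Cisco
# page. 0.9.8 and 1.0.0 were already out of upstream support, so any fix seen
# there is a vendor backport and must be judged by the vendor's own advisory.
FIXED_PATCH_LETTER = {(1, 0, 1): "t", (1, 0, 2): "h"}
UNSUPPORTED_BRANCHES = {(0, 9, 8), (1, 0, 0)}

# Matches the leading part of banners such as "OpenSSL 1.0.2g  1 Mar 2016" or
# "OpenSSL 1.0.1e-fips 11 Feb 2013"; the suffix after the patch letters is ignored.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return ((major, minor, fix), patch_letters) for an OpenSSL version banner,
    or None if the banner is not an OpenSSL banner (LibreSSL, BoringSSL, ...)."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    return branch, m.group(4)


def assess(banner):
    """Classify a banner as one of:
    'fixed'                - 1.0.1t+/1.0.2h+, carries the upstream fixes
    'vulnerable'           - 1.0.1 below t or 1.0.2 below h
    'unsupported-upstream' - 0.9.8, 1.0.0 or older: no upstream fix exists
    'not-affected'         - branch first released after the advisory (1.1.0+)
    'unknown'              - not an OpenSSL banner at all"""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    branch, letters = parsed
    if branch in UNSUPPORTED_BRANCHES:
        return "unsupported-upstream"
    if branch in FIXED_PATCH_LETTER:
        # Patch levels on these branches are single letters a..u, so plain
        # string comparison orders them correctly ('' < 'a' < ... < 'u').
        return "fixed" if letters >= FIXED_PATCH_LETTER[branch] else "vulnerable"
    if branch > (1, 0, 2):
        return "not-affected"
    return "unsupported-upstream"


def assess_local_openssl():
    """Assess the OpenSSL library the running Python interpreter is linked against."""
    return assess(ssl.OPENSSL_VERSION)


def triage(banners):
    """Map each banner (e.g. collected from an inventory of hosts) to its verdict."""
    return {banner: assess(banner) for banner in banners}


# Constructed sample banners, not values from the advisory.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.2g  1 Mar 2016",
    "OpenSSL 1.0.2h  3 May 2016",
    "OpenSSL 1.0.1t  3 May 2016",
    "OpenSSL 0.9.8zf 19 Mar 2015",
    "LibreSSL 2.2.7",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:22} {banner}")
    print(f"{assess_local_openssl():22} (this interpreter: {ssl.OPENSSL_VERSION})")
```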
Workarounds
Any workarounds, when available, will be documented in the Cisco bugs, which are accessible through the Cisco Bug Search Tool.
Fixed Software
Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
To determine the affected and fixed releases for each vulnerable product, refer to the Cisco bug identified for the product in the "Vulnerable Products" section of this advisory. Cisco bugs are accessible through the Cisco Bug Search Tool.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
Source
These vulnerabilities were publicly disclosed by the OpenSSL Software Foundation on May 3, 2016.
Cisco Security Procedures
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History

| Version | Description | Section | Status | Date |
|---|---|---|---|---|
| 1.12 | Updated the list of vulnerable products. | Vulnerable Products | Final | 2016-December-05 |
| 1.11 | Updated the list of vulnerable products and products not vulnerable. | Vulnerable Products, Products Confirmed Not Vulnerable | Final | 2016-November-08 |
| 1.10 | Updated the list of vulnerable products. | Vulnerable Products | Final | 2016-July-22 |
| 1.9 | Updated the list of vulnerable products. | Vulnerable Products | Final | 2016-June-29 |
| 1.8 | Updated the lists of products under investigation, vulnerable, and not vulnerable. | Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable | Final | 2016-June-22 |
| 1.7 | Updated the lists of products under investigation, vulnerable, and not vulnerable. | Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable | Interim | 2016-June-01 |
| 1.6 | Updated the lists of products under investigation, vulnerable, and not vulnerable. | Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable | Interim | 2016-May-17 |
| 1.5 | Updated the lists of products under investigation, vulnerable, and not vulnerable. | Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable | Interim | 2016-May-13 |
| 1.4 | Updated the lists of products under investigation, vulnerable, and not vulnerable. | Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable | Interim | 2016-May-10 |
| 1.3 | Updated the lists of products under investigation, vulnerable, and not vulnerable. | Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable | Interim | 2016-May-09 |
| 1.2 | Updated the lists of products under investigation, vulnerable, and not vulnerable. | Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable | Interim | 2016-May-06 |
| 1.1 | Updated the lists of products under investigation, vulnerable, and not vulnerable. | Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable | Interim | 2016-May-05 |
| 1.0 | Initial public release. | — | Interim | 2016-May-04 |
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.