THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.5 | 17-Mar-22 | Updated the Products Affected and Workaround/Solution Sections and Added the Additional Information Section |
1.4 | 24-Feb-22 | Updated the Problem Description, Background, Problem Symptom, and Workaround/Solution Sections |
1.3 | 14-Dec-21 | Updated the Problem Description, Background, and Workaround/Solution Sections |
1.2 | 10-Nov-21 | Updated the Products Affected, Defect Information, Problem Description, Background, Problem Symptoms, and Workaround/Solution Sections |
1.1 | 14-Apr-21 | Updated the Workaround/Solution Section |
1.0 | 12-Mar-21 | Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | AsyncOS for WSA | 11 | 11.7.0, 11.7.1, 11.7.2 | All AsyncOS 11.7.x versions |
NON-IOS | AsyncOS for Secure Email | 13 | 13.5.1 | AsyncOS 13.5.2 and 13.0.0-13.0.3 versions affected also |
NON-IOS | AsyncOS for Secure Email | 12 | 12.0.0, 12.1.0, 12.5.0 | |
NON-IOS | AsyncOS for Secure Email | 11 | 11.0.0, 11.0.3 | AsyncOS 11.1.x and 11.5.x versions affected also |
Defect ID | Headline |
---|---|
CSCvx00434 | QuoVadis root CA decommission on wsa |
CSCvx00430 | QuoVadis root CA decommission on esa |
For affected versions of the Secure Email Gateway (ESA) and Web Security Appliance (WSA), Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021 can no longer be renewed from this CA. Once those certificates expire or are removed from the Cisco cloud servers, functions such as Smart Licensing, Threat Grid file analysis, and IP reputation requests will fail to establish secure connections to Cisco and might not operate properly.
The QuoVadis Root CA 2 Public Key Infrastructure (PKI) used by the WSA and ESA to issue SSL certificates is subject to an industry-wide issue that affects its ability to revoke certificates. Because of this issue, Cisco will not issue or renew any QuoVadis Root CA 2 certificates after March 31, 2021. This affects certificate renewals on devices, on Cisco cloud servers, and on third-party services.
Certificates issued before the QuoVadis Root CA 2 was decommissioned remain valid until their expiration date. However, they will not be renewed under this root when they expire, on either the device or the Cisco cloud server. Once the server-side certificate of a Cisco cloud service expires and is replaced with one from a different root, an appliance that does not trust that new root will fail to establish secure connections, which causes functions such as Smart Licensing to fail.
This table shows a summary of the QuoVadis Root CA 2 certificate expiration dates for affected Cisco services.
Cisco Cloud Server | QuoVadis Certificate Expiration Date | Affected Services |
---|---|---|
smartreceiver.cisco.com | January 26, 2023 | Smart Licensing |
*.amp.cisco.com | July 26, 2022 | File Analysis and File Reputation Services |
panacea.threatgrid.com | July 26, 2022 | File Analysis and File Reputation Services |
panacea.threatgrid.eu | July 26, 2022 | File Analysis and File Reputation Services |
api-sse.cisco.com | March 22, 2022 | SecureX / Cisco Threat Response Connectivity |
api.eu.sse.itd.cisco.com | March 22, 2022 | SecureX / Cisco Threat Response Connectivity |
est.sco.cisco.com | June 22, 2022 | SecureX / Cisco Threat Response Connectivity |
*.talos.cisco.com | November 12, 2022 | Talos SenderBase Reputation Scores (SBRS), Sender Domain Reputation (SDR), URL Reputation |
v2.sds.cisco.com | November 5, 2022 | Service Delivery Systems (SDS) |
wbnp.ironport.com | June 26, 2022 | Telemetry |
aggregator.cisco.com | February 18, 2023 | Message Tracking (Click Tracking Service) |
res.cisco.com | December 17, 2022 | Cisco Registered Envelope Service (CRES) |
secure-web.cisco.com | November 4, 2022 | Secure URL Portal |
Expiration of the QuoVadis Root CA 2 certificates affects these services with the associated symptoms.
Affected Product | Affected Services | Symptoms for Affected Services |
---|---|---|
WSA/ESA | Smart Licensing | Failure to connect to the server (Details are provided in this section) |
WSA/ESA | Threat Grid / AMP Cloud | Failure to perform file reputation checks and to upload files for file analysis |
WSA/ESA | SecureX / Cisco Threat Response | Failure to communicate to SecureX and Cisco Threat Response Cloud services |
ESA | Talos Cloud Reputation | Failure to perform reputation checks; the ESA work queue will begin to back up |
ESA | Message Tracking (Click Tracking Service) | Failure to upload individual tracking events to the Cisco URL click tracking cloud service |
ESA | CRES | Failure to encrypt new messages as well as receive decrypted messages from CRES |
ESA | Cisco Secure URL Portal | Failure to perform URL rewrite functionality |
For ESA and WSA, affected devices will be unable to connect to the Smart Licensing services hosted by Cisco. Smart licenses might fail entitlement and reflect an Out of Compliance status.
The features that use Smart Licensing will continue to function for 90 days after the last successful secure connection. Some Smart Licensing symptoms are:
Note: Offline licensing, such as Permanent License Reservation (PLR) and Specific License Reservation (SLR), is not affected by the certificate change on the Smart Licensing server.
For additional information, refer to the Cisco Smart Licensing Guide and Smart Licensing Overview and Best Practices for Cisco Email and Web Security (ESA, WSA, SMA).
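The expiration table above tells you when each Cisco cloud endpoint moves off the QuoVadis chain, and the 90-day Smart Licensing grace period tells you how long after that an appliance keeps working. The following script is an added example (not Cisco tooling) that encodes that schedule so you can report which services are already expired or about to expire for a given date, compute the Smart Licensing cut-off from the last successful connection, and, when a path to a PEM file is supplied, probe each endpoint with a trust store that contains only the replacement root. The PEM file path, the `tls_probe` helper and the constructed dates in the usage section are assumptions of this example; the hostnames, dates and the 90-day figure are taken from the notice. A verification failure in `tls_probe` against the IdenTrust-only trust store reproduces, from an ordinary host, the failure an un-upgraded appliance will see.

```python
"""Added example (not Cisco tooling): track the QuoVadis-chain expiry dates from the
field notice and probe the Cisco cloud endpoints over TLS with a trust store that
holds only the replacement root (IdenTrust Commercial Root CA 1)."""
import datetime as dt
import socket
import ssl
import sys

# Expiry dates of the QuoVadis Root CA 2 server certificates, copied from the notice.
# Wildcard entries cannot be probed directly; substitute a concrete hostname.
EXPIRY_SCHEDULE = [
    ("smartreceiver.cisco.com",  "2023-01-26", "Smart Licensing"),
    ("*.amp.cisco.com",          "2022-07-26", "File Analysis and File Reputation"),
    ("panacea.threatgrid.com",   "2022-07-26", "File Analysis and File Reputation"),
    ("panacea.threatgrid.eu",    "2022-07-26", "File Analysis and File Reputation"),
    ("api-sse.cisco.com",        "2022-03-22", "SecureX / Cisco Threat Response"),
    ("api.eu.sse.itd.cisco.com", "2022-03-22", "SecureX / Cisco Threat Response"),
    ("est.sco.cisco.com",        "2022-06-22", "SecureX / Cisco Threat Response"),
    ("*.talos.cisco.com",        "2022-11-12", "Talos SBRS / SDR / URL Reputation"),
    ("v2.sds.cisco.com",         "2022-11-05", "Service Delivery Systems (SDS)"),
    ("wbnp.ironport.com",        "2022-06-26", "Telemetry"),
    ("aggregator.cisco.com",     "2023-02-18", "Message Tracking (Click Tracking)"),
    ("res.cisco.com",            "2022-12-17", "Cisco Registered Envelope Service"),
    ("secure-web.cisco.com",     "2022-11-04", "Secure URL Portal"),
]

SMART_LICENSING_GRACE_DAYS = 90  # features keep working this long after the last success


def days_until(expiry_iso: str, today_iso: str) -> int:
    """Days from `today_iso` until the listed expiry; negative once it has passed."""
    return (dt.date.fromisoformat(expiry_iso) - dt.date.fromisoformat(today_iso)).days


def services_at_risk(today_iso: str, horizon_days: int = 30):
    """Endpoints whose QuoVadis certificate expires within `horizon_days` or already has."""
    return [(host, service, days_until(expiry, today_iso))
            for host, expiry, service in EXPIRY_SCHEDULE
            if days_until(expiry, today_iso) <= horizon_days]


def smart_licensing_deadline(last_success_iso: str) -> str:
    """Date after which Smart Licensing features stop working if the appliance has not
    completed another successful connection (90-day grace from the last success)."""
    last = dt.date.fromisoformat(last_success_iso)
    return (last + dt.timedelta(days=SMART_LICENSING_GRACE_DAYS)).isoformat()


def tls_probe(host: str, cafile: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with `host`, trusting ONLY the roots in `cafile` (assumed to be the
    IdenTrust Commercial Root CA 1 PEM). A verify failure here means an appliance without
    that root would also fail once the endpoint leaves the QuoVadis chain. Needs network."""
    if host.startswith("*."):
        raise ValueError(f"{host}: substitute a concrete hostname for the wildcard")
    ctx = ssl.create_default_context(cafile=cafile)  # cafile given, so no system roots
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "ok": False, "error": str(exc)}
    not_after = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                          dt.timezone.utc)
    issuer = dict(rdn[0] for rdn in cert["issuer"])  # first attribute of each RDN
    return {"host": host, "ok": True, "leaf_not_after": not_after.date().isoformat(),
            "leaf_issuer": issuer.get("organizationName")}


if __name__ == "__main__":
    today = dt.date.today().isoformat()
    for host, service, days in services_at_risk(today, horizon_days=90):
        state = "EXPIRED" if days < 0 else f"{days} days left"
        print(f"{host:26} {service:36} {state}")
    if len(sys.argv) > 1:  # operator-supplied path to the IdenTrust root PEM (assumption)
        for host, _, _ in EXPIRY_SCHEDULE:
            if not host.startswith("*."):
                print(tls_probe(host, sys.argv[1]))
```

Run it with no arguments for the offline schedule report, or with the path to a PEM file holding the IdenTrust Commercial Root CA 1 to probe the endpoints. Because `create_default_context(cafile=...)` loads only that file and not the system store, a successful handshake proves the endpoint's chain now anchors to the replacement root; a failure against that trust store, or a leaf still issued under QuoVadis, is the condition to track against the dates above.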
Cisco has migrated from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1 for SSL certificates. Cisco recommends upgrading AsyncOS to one of these versions, which add the IdenTrust Commercial Root CA 1 certificate to the appliance trust store.
For WSA
Cisco recommends that WSA customers who run AsyncOS Version 11.7.x or earlier with the Smart Licensing feature enabled on any physical or virtual model upgrade to AsyncOS Version 11.8.3-021 or later.
For ESA
Affected Version | Fixed Version | Comment |
---|---|---|
11.0.x | 12.5.3-035 or later | - |
11.1.x | 12.5.3-035 or later | - |
11.5.x | 12.5.3-035 or later | - |
12.0.x | 12.5.3-035 or later | - |
12.1.x | 12.5.3-035 or later | - |
12.5.2 | 12.5.3-035 or later | - |
13.0.0, 13.0.1 | 13.5.3-010 or later | - |
13.0.2 | 13.5.4-020 or later | - |
13.0.3 | 13.0.4-007 | If Common Criteria is required |
13.5.1, 13.5.2 | 13.5.3-010 or later | - |
Other versions | 12.5.3-035, 13.5.3 or later | - |
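Across a fleet of appliances it is easier to script the decision than to read the table for each one. The following is an added example (not Cisco tooling) that parses AsyncOS build strings of the form `major.minor.patch-build` and returns the minimum fixed build from the WSA and ESA rows above, or `None` when the running build already contains the new root. The `parse_version` and `recommended_upgrade` names are this example's own; the version thresholds are the ones in the notice. Two points are interpretations of the table and are marked in comments: the "13.5.3 or later" row is applied with the more specific 13.5.3-010 threshold, and 13.0.4-007 or later in the 13.0 train is treated as fixed because the notice lists it as a fixed build.

```python
"""Added example (not Cisco tooling): map a running AsyncOS build to the minimum
fixed build from the field notice, or None if it is already fixed."""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text: str):
    """'13.5.3-010' -> (13, 5, 3, 10). A missing build number compares as 0, so
    '13.5.3' sorts below '13.5.3-010'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def recommended_upgrade(product: str, version: str):
    """Minimum fixed build for this product/version per the notice, or None if the
    running build already carries the IdenTrust Commercial Root CA 1."""
    v = parse_version(version)
    product = product.lower()
    if product == "wsa":
        # WSA row: 11.7.x or earlier -> 11.8.3-021 or later
        return None if v >= (11, 8, 3, 21) else "11.8.3-021"
    if product != "esa":
        raise ValueError("product must be 'esa' or 'wsa'")
    if v >= (13, 5, 3, 10):        # 13.5.3-010 or later (interpretation of "13.5.3 or later")
        return None
    if v >= (13, 5, 0, 0):         # 13.5.1, 13.5.2
        return "13.5.3-010"
    if v >= (13, 0, 4, 7):         # 13.0.4-007 is listed as fixed; later 13.0.x treated alike
        return None
    if v[:3] == (13, 0, 3):        # row is marked "If Common Criteria is required"
        return "13.0.4-007"
    if v[:3] == (13, 0, 2):
        return "13.5.4-020"
    if v >= (13, 0, 0, 0):         # 13.0.0, 13.0.1
        return "13.5.3-010"
    if v >= (12, 5, 3, 35):        # 12.5.3-035 or later within the 12.x train
        return None
    return "12.5.3-035"            # 11.0.x, 11.1.x, 11.5.x, 12.0.x, 12.1.x, 12.5.x


if __name__ == "__main__":
    # Constructed inventory for illustration; replace with your own appliance list.
    inventory = [("esa", "12.1.0"), ("esa", "13.0.2"), ("esa", "13.5.3-010"),
                 ("wsa", "11.7.1-006"), ("wsa", "11.8.3-021")]
    for product, build in inventory:
        target = recommended_upgrade(product, build)
        print(f"{product.upper()} {build:12} -> {'already fixed' if target is None else 'upgrade to ' + target + ' or later'}")
```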
Cisco has created a web page to provide customers and partners with additional information on this issue. Consult the QuoVadis Root CA 2 Decommission page for a full list of products affected, associated Field Notices, and frequently asked questions.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: