Field Notice: FN - 72501 - Firepower Software: Automatic Software Downloads And Content Updates Might Fail After January 10, 2023 - Software Upgrade Recommended

Available Languages

Updated:December 12, 2022
Document ID:FN72501

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Publish Date Comments
2.0
12-Dec-22
Updated the Workaround/Solution Section
1.0
31-Oct-22
Initial Release

Products Affected

Affected OS Type Affected Software Product Affected Release Affected Release Number Comments
NON-IOS
FirePOWER Services Software for ASA
6.1
6.1.0, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 6.1.0.7
NON-IOS
FirePOWER Services Software for ASA
6.2
6.2.0, 6.2.0.1, 6.2.0.2, 6.2.0.3, 6.2.0.4, 6.2.0.5, 6.2.0.6, 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7, 6.2.3.9, 6.2.3.10, 6.2.3.11, 6.2.3.12, 6.2.3.13, 6.2.3.14, 6.2.3.15, 6.2.3.16, 6.2.3.17
NON-IOS
FirePOWER Services Software for ASA
6.3
6.3.0, 6.3.0.1, 6.3.0.2, 6.3.0.3, 6.3.0.4, 6.3.0.5
NON-IOS
FirePOWER Services Software for ASA
6.4
6.4.0, 6.4.0.1, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.7, 6.4.0.8, 6.4.0.9, 6.4.0.10, 6.4.0.11, 6.4.0.12, 6.4.0.13, 6.4.0.14
NON-IOS
FirePOWER Services Software for ASA
6.5
6.5.0, 6.5.0.2, 6.5.0.4, 6.5.0.5
NON-IOS
FirePOWER Services Software for ASA
6.6
6.6.0, 6.6.0.1, 6.6.1, 6.6.3, 6.6.4, 6.6.5, 6.6.5.1, 6.6.5.2
NON-IOS
FirePOWER Services Software for ASA
6.7
6.7.0, 6.7.0.1, 6.7.0.2, 6.7.0.3
NON-IOS
FirePOWER Services Software for ASA
7.0
7.0.0, 7.0.0.1, 7.0.1, 7.0.1.1
NON-IOS
Firepower Threat Defense (FTD) Software
6.1
6.1.0, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 6.1.0.7
NON-IOS
Firepower Threat Defense (FTD) Software
6.2
6.2.0, 6.2.0.1, 6.2.0.2, 6.2.0.3, 6.2.0.4, 6.2.0.5, 6.2.0.6, 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7, 6.2.3.9, 6.2.3.10, 6.2.3.11, 6.2.3.12, 6.2.3.13, 6.2.3.14, 6.2.3.15, 6.2.3.16, 6.2.3.17
NON-IOS
Firepower Threat Defense (FTD) Software
6.3
6.3.0, 6.3.0.1, 6.3.0.2, 6.3.0.3, 6.3.0.4, 6.3.0.5
NON-IOS
Firepower Threat Defense (FTD) Software
6.4
6.4.0, 6.4.0.1, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.7, 6.4.0.8, 6.4.0.9, 6.4.0.10, 6.4.0.11, 6.4.0.12, 6.4.0.13, 6.4.0.14
NON-IOS
Firepower Threat Defense (FTD) Software
6.5
6.5.0, 6.5.0.2, 6.5.0.4, 6.5.0.5
NON-IOS
Firepower Threat Defense (FTD) Software
6.6
6.6.0, 6.6.0.1, 6.6.1, 6.6.3, 6.6.4, 6.6.5, 6.6.5.1, 6.6.5.2
NON-IOS
Firepower Threat Defense (FTD) Software
6.7
6.7.0, 6.7.0.1, 6.7.0.2, 6.7.0.3
NON-IOS
Firepower Threat Defense (FTD) Software
7.0
7.0.0, 7.0.0.1, 7.0.1, 7.0.1.1
NON-IOS
Firepower Threat Defense (FTD) Software
7.1
7.1.0
NON-IOS
Firepower Management Center Software
6.1
6.1.0, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 6.1.0.7
NON-IOS
Firepower Management Center Software
6.2
6.2.0, 6.2.0.1, 6.2.0.2, 6.2.0.3, 6.2.0.4, 6.2.0.5, 6.2.0.6, 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7, 6.2.3.9, 6.2.3.10, 6.2.3.11, 6.2.3.12, 6.2.3.13, 6.2.3.14, 6.2.3.15, 6.2.3.16, 6.2.3.17
NON-IOS
Firepower Management Center Software
6.3
6.3.0, 6.3.0.1, 6.3.0.2, 6.3.0.3, 6.3.0.4, 6.3.0.5
NON-IOS
Firepower Management Center Software
6.4
6.4.0, 6.4.0.1, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.6, 6.4.0.7, 6.4.0.8, 6.4.0.9, 6.4.0.10, 6.4.0.11, 6.4.0.12, 6.4.0.13, 6.4.0.14
NON-IOS
Firepower Management Center Software
6.5
6.5.0, 6.5.0.1, 6.5.0.2, 6.5.0.4, 6.5.0.5
NON-IOS
Firepower Management Center Software
6.6
6.6.0, 6.6.0.1, 6.6.1, 6.6.3, 6.6.4, 6.6.5, 6.6.5.1, 6.6.5.2
NON-IOS
Firepower Management Center Software
6.7
6.7.0, 6.7.0.1, 6.7.0.2, 6.7.0.3
NON-IOS
Firepower Management Center Software
7.0
7.0.0, 7.0.0.1, 7.0.1, 7.0.1.1
NON-IOS
Firepower Management Center Software
7.1
7.1.0

Defect Information

Defect ID Headline
CSCwa67488 Modify remote updates to use expanded root certificate bundle

Problem Description

For affected versions of Firepower software, automatic software downloads, Snort Rule Updates (SRUs), Vulnerability Database (VDB) updates, and Geolocation Database (GeoDB) updates might fail after January 10, 2023 due to a Secure Sockets Layer (SSL) certificate change.

Background

The existing SSL certificate authority (CA) used to sign certificates for Secure Firewall software updates will be decommissioned and replaced on January 10, 2023.

The Sourcefire Customer Center has been signed by this CA and is used to obtain Secure Firewall software and content updates.

Problem Symptom

Affected Secure Firewall devices will be unable to automatically receive the latest Secure Firewall software, SRU, VDB, and GeoDB updates from the Sourcefire Customer Center.

The Secure Firewall device might experience a degraded security posture for future threats. Health monitoring indications regarding failures to download software and receive content updates should be ignored until the device software is upgraded to a fixed release.

Workaround/Solution

Workaround

There are two workaround options.

Option 1. Manually download the Secure Firewall software and content updates from Cisco Software Central and upload to the Secure Firewall device using the Firepower Management Center (FMC) or Firepower Device Manager (FDM).

Option 2. For Firepower appliances running software versions 6.2.3.17, 6.4.0.13, 6.6.5, or 7.0.0 or later, enter these commands to point the Firepower software and content update downloads to the new SSL certificate authority.

Do not use this workaround when you use Common Criteria (CC) Mode or when devices are managed by the FDM. Instead, upgrade to one of the Firepower software versions provided in the Solution section.

  1. Enter sudo su in order to elevate to root.
  2. Enter mv /etc/sf/keys/fireamp/thawte_roots /etc/sf/keys/fireamp/thawte_roots_bk in order to back up the current CA root bundle used for downloads.
  3. Enter ln -s /etc/ssl/certs/ /etc/sf/keys/fireamp/thawte_roots to cause the updated CA root bundle to be used for subsequent downloads.

Use this command to verify that the Firepower software points to the new SSL certificate authority.

  1. Enter sudo su in order to elevate to root.
  2. Enter ls -l /etc/sf/keys/fireamp/thawte_roots to display the curent CA root bundle used for downloads.

lrwxrwxrwx 1 root root <Date & Timestamp> /etc/sf/keys/fireamp/thawte_roots -> /etc/ssl/certs/

If the output contains "/etc/ssl/certs/" then the Firepower software points to the new SSL certificate authority.

Solution

Cisco recommends to upgrade to one of the Firepower software versions shown in the table in order to continue to receive the latest Secure Firewall software, SRU, VDB, and GeoDB updates.

The FMC software must be updated to fix the certificate issue. The Secure Firewall device managed by the FMC does NOT need to be updated to fix the certificate issue.

The FDM must be updated to fix the certificate issue for the Secure Firewall device managed by the FDM.

Release Version Fixed Version
Firepower 6.1.x

Migrate to a fixed release

(End-of-Life announcement November 2019)
Firepower 6.2.x

Firepower 6.2.3.18 or later

(End-of-Life announcement August 2021)
Firepower 6.3.x

Migrate to a fixed release

(End-of-Life announcement October 2019)
Firepower 6.4.x Firepower 6.4.0.15 or later
Firepower 6.5.x

Migrate to a fixed release

(End-of-Life announcement May 2020)
Firepower 6.6.x Firepower 6.6.7 or later
Firepower 6.7.x

Firepower 6.7.0.3 or later

(End-of-Life announcement January 2021)
Firepower 7.0.x Firepower 7.0.2 or later
Firepower 7.1.x Firepower 7.1.0.1 or later

 

Note: Firepower Release Versions 7.2.x or later are not affected by the certificate issue.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products