Cisco Secure Firewall Threat Defense/Firepower Hotfix Release Notes

Hotfixes are minor updates that address particular, urgent issues.

This document provides quicklinks to download pages for publicly available hotfixes. Some quicklinks may not go to the download page for your specific model. However, as long as the appliance is in the same family or series, you can safely download and apply the hotfix. If you want to be absolutely sure, browse to the page for your specific model.

Applying Hotfixes

Downloading Hotfixes

Download hotfixes from the Cisco Support & Download site: https://software.cisco.com/download/home.

To find a hotfix, select or search for your model, then browse to the software download page for your current version. Available hotfixes are listed along with upgrade and installation packages. If you cannot find a hotfix on the download page for your patch level—especially if that same hotfix applies to other patches—look on other download pages where the hotfix applies, especially the first version and the last version.

You use the same hotfix package for all models in a family or series. Most hotfix packages use the naming scheme: Platform_Hotfix_letter-version-build.sh.REL.tar. Do not untar signed (.tar) packages.

Installing Hotfixes

You install hotfixes the same way you install patches. For instructions, see one of the following guides. Note that in management center deployments, use the guide for the version of management center (not threat defense) that you are currently running. In device manager deployments, use the device manager guide even if you usually use CDO; you cannot use CDO to hotfix threat defense.

Table 1. Upgrade Guides for Management Center

Current Management Center Version

Guide

7.2+

Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center for your version: Upgrade Management Center

7.1

Cisco Firepower Threat Defense Upgrade Guide for Firepower Management Center, Version 7.1: Upgrade the FMC

7.0 or earlier

Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0: Upgrade Firepower Management Centers

Table 2. Upgrade Guides for Threat Defense with Management Center

Current Management Center Version

Guide

Cloud-delivered Firewall Management Center

Cisco Secure Firewall Threat Defense Upgrade Guide for Cloud-Delivered Firewall Management Center

7.2+

Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center for your version: Upgrade Threat Defense

7.1

Cisco Firepower Threat Defense Upgrade Guide for Firepower Management Center, Version 7.1: Upgrade FTD

7.0 or earlier

Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0: Upgrade Firepower Threat Defense

Table 3. Upgrade Guides for Threat Defense with Device Manager

Current Threat Defense Version

Guide

7.2+

Cisco Secure Firewall Threat Defense Upgrade Guide for Device Manager for your version: Upgrade Threat Defense

7.1

Cisco Firepower Threat Defense Upgrade Guide for Firepower Device Manager, Version 7.1: Upgrade FTD

7.0 or earlier

Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for your version: System Management

Table 4. Upgrade Guides for NGIPS

Platform

Current Manager Version

Guide

Firepower 7000/8000 series with management center

6.0.0–7.0.x

Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0: Upgrade Firepower 7000/8000 Series and NGIPSv

NGIPSv with management center

6.0.0–7.1.x

7.2.0–7.2.5

7.3.x

7.4.0

Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0: Upgrade Firepower 7000/8000 Series and NGIPSv

7.2.6–7.2.x

7.4.1–7.4.x

Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center for your version: Upgrade Older ASA FirePOWER and NGIPSv Devices

ASA FirePOWER withmanagement center

6.0.0–7.1.x

7.2.0–7.2.5

7.3.x

7.4.0

Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0: Upgrade ASA with FirePOWER Services

7.2.6–7.2.x

7.4.1–7.4.x

Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center for your version: Upgrade Older ASA FirePOWER and NGIPSv Devices

ASA FirePOWER with ASDM

Any

Cisco Secure Firewall ASA Upgrade Guide: Upgrade the ASA FirePOWER Module

Verifying Hotfix Success

Applying a hotfix does not update the software version or build. To verify that a hotfix installed successfully, access the Linux shell (also called expert mode) and run the following command:

cat /etc/sf/patch_history

The system lists all successful upgrades, patches, hotfixes, and pre-install packages since the software was first installed.

Unresponsive or Unsuccessful Hotfixes

Do not make or deploy configuration changes while you are installing a hotfix. Even if the system appears inactive, do not manually reboot, shut down, or restart a hotfix in progress. You could place the system in an unusable state and require a reimage. Do not install the same hotfix more than once on a single appliance. If you encounter issues with a hotfix, including a failed hotfix or unresponsive appliance, contact Cisco TAC.

Uninstalling Hotfixes

Do not attempt to uninstall a hotfix. Instead, contact Cisco TAC.

Traffic Flow and Inspection

Device hotfixes can affect traffic flow and inspection, especially if the hotfix reboots the device, or if you need to deploy configuration changes. Device type, deployment type (standalone, high availability, clustered), and interface configurations determine the nature of the interruptions. Install hotfixes in a maintenance window or at a time when any interruption will have the least impact on your deployment. For specifics on traffic flow and inspection, see the appropriate upgrade guide (linked above).

BIOS and Firmware Hotfixes for Management Center Hardware

We provide updates for BIOS and RAID controller firmware on management center hardware. If your management center does not meet the requirements, apply the appropriate hotfix. If your management center model and version are not listed and you think you need to update, contact Cisco TAC.

Table 5. BIOS and Firmware Minimum Requirements

Platform

Version

Hotfix

BIOS

RAID Controller Firmware

CIMC Firmware

FMC 1700, 2700, 4700

7.6

7.4

BIOS Update Hotfix FC

C225M6.4.3.4b.0

52.26.0-5016

4.3(4.242038)

FMC 1600, 2600, 4600

7.6

7.4

7.3

7.2

7.1

7.0

BIOS Update Hotfix FC

C220M5.4.3.2b.0

51.23.0-5009

4.3(2.240077)

6.7

6.6

6.4

BIOS Update Hotfix EN

C220M5.4.2.3b.0

51.10.0-3612

4.2(3b)

FMC 1000, 2500, 4500

7.0

6.7

6.6

6.4

BIOS Update Hotfix EN

C220M5.4.2.3b.0

51.10.0-3612

4.2(3b)

6.2.3

BIOS Update Hotfix EL

C220M4.4.1.2c.0

24.12.1-0456

4.1(2g)

FMC 2000, 4000

6.6

6.4

6.2.3

BIOS Update Hotfix EI

C220M3.3.0.4e.0

23.33.1-0060

3.0(4s)

FMC 750, 1500, 3500

6.4

6.2.3

BIOS Update Hotfix EI

C220M3.3.0.4e.0

23.33.1-0060

3.0(4s)

Hotfixing is the only way to update the BIOS and RAID controller firmware. Upgrading the software does not accomplish this task, nor does reimaging to a later version. If the management center is already up to date, the hotfix has no effect.


Tip


These hotfixes also update the CIMC firmware; for resolved issues see Release Notes for Cisco UCS Rack Server Software. Note that in general, we do not support changing configurations on the management center using CIMC. However, to enable logging of invalid CIMC usernames, apply the latest hotfix, then follow the instructions in the Viewing Faults and Logs chapter in the Cisco UCS C-Series Servers Integrated Management Controller CLI Configuration Guide, Version 4.0 or later.



Note


The management center web interface may display these hotfixes with a version that is different from (usually later than) the current software version. This is expected behavior and the hotfixes are safe to apply.


Determining BIOS and Firmware Versions

To determine the current versions on the management center, run these commands from the Linux shell/expert mode:

  • BIOS: sudo dmidecode -t bios -q

  • RAID controller firmware (FMC 4500): sudo MegaCLI -AdpAllInfo -aALL | grep "FW Package"

  • RAID controller firmware (all other models): sudo storcli /c0 show | grep "FW Package"

Version 7.6.x Hotfixes

Table 6. Version 7.6.x Hotfixes

Hotfix

Versions

Platforms

Resolves

Hotfix FC

7.6.0

7.6.x

7.6.x.x

Management Center (all hardware models):

Cisco_Secure_FW_Mgmt_Center_Hotfix_FC_BIOSUPDATE-7.6.99.99-1

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix B

7.6.0

Management Center:

Cisco_Secure_FW_Mgmt_Center_Hotfix_B-7.6.0.99-5

CSCwd08098: cacert.pem on FMC expired and all the devices showing as disabled.

See Firewall Management Center Certificate Expiration After 10 Years.

Version 7.4.x Hotfixes

Table 7. Version 7.4.x Hotfixes

Hotfix

Versions

Platforms

Resolves

Hotfix FC

7.4.0

7.4.x

7.4.x.x

Management Center (all hardware models):

Cisco_Secure_FW_Mgmt_Center_Hotfix_FC_BIOSUPDATE-7.4.99.99-1

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix AO

7.4.0–7.4.2.1

Management Center:

Cisco_Secure_FW_Mgmt_Center_Hotfix_AO-7.4.2.99-5

CSCwd08098: cacert.pem on FMC expired and all the devices showing as disabled.

See Firewall Management Center Certificate Expiration After 10 Years.

Version 7.3.x Hotfixes

Table 8. Version 7.3.x Hotfixes

Hotfix

Versions

Platforms

Resolves

Hotfix FC

7.3.0

7.3.x

7.3.x.x

Management Center (all hardware models):

Cisco_Secure_FW_Mgmt_Center_Hotfix_FC_BIOSUPDATE-7.3.99.99-1

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix AE

7.3.0–7.3.1.2

Management Center:

Cisco_Secure_FW_Mgmt_Center_Hotfix_AE-7.3.1.99-5

CSCwd08098: cacert.pem on FMC expired and all the devices showing as disabled.

See Firewall Management Center Certificate Expiration After 10 Years.

Version 7.2.x Hotfixes

Table 9. Version 7.2.x Hotfixes

Hotfix

Versions

Platforms

Resolves

Hotfix FC

7.2.0

7.2.x

7.2.x.x

Management Center (all hardware models):

Cisco_Secure_FW_Mgmt_Center_Hotfix_FC_BIOSUPDATE-7.2.99.99-1

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix FZ

7.2.0–7.2.9

Management Center:

Cisco_Secure_FW_Mgmt_Center_Hotfix_FZ-7.2.9.99-4

CSCwd08098: cacert.pem on FMC expired and all the devices showing as disabled.

See Firewall Management Center Certificate Expiration After 10 Years.

Hotfix BJ

7.2.5

Firepower 1000:

Cisco_FTD_SSP_FP1K_Hotfix_BJ-7.2.5.1-1

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_BJ-7.2.5.1-1

Secure Firewall 3100:

Cisco_FTD_SSP_FP3K_Hotfix_BJ-7.2.5.1-1

Firepower 4100/9300

Cisco_FTD_SSP_Hotfix_BJ-7.2.5.1-1

ISA 3000:

Cisco_FTD_Hotfix_BJ-7.2.5.1-1

Threat Defense Virtual:

Cisco_FTD_Hotfix_BJ-7.2.5.1-1

CSCwh23100: Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability

CSCwh45108: Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability

Hotfix AW

7.2.4

Firepower 1000:

Cisco_FTD_SSP_FP1K_Hotfix_AW-7.2.4.1-1

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_AW-7.2.4.1-1

Secure Firewall 3100:

Cisco_FTD_SSP_FP3K_Hotfix_AW-7.2.4.1-1

Firepower 4100/9300

Cisco_FTD_SSP_Hotfix_AW-7.2.4.1-1

ISA 3000:

Cisco_FTD_Hotfix_AW-7.2.4.1-1

Threat Defense Virtual:

Cisco_FTD_Hotfix_AW-7.2.4.1-1

CSCwf71606: Cisco ASA and FTD ACLs Not Installed upon Reload

Hotfix AN

7.2.4-165

Management Center:

Cisco_Secure_FW_Mgmt_Center_Hotfix_AN-7.2.4.1-2

Note

 

Apply this hotfix to Version 7.2.4-165 only. Do not apply to Version 7.2.4-169, which fixes this issue.

CSCwf28592: In some specific scenarios, object optimizer can cause incorrect rules to be deployed to the device

Version 7.1.x Hotfixes

Table 10. Version 7.1.x Hotfixes

Hotfix

Versions

Platforms

Resolves

Hotfix FC

7.1.0

7.1.x

7.1.x.x

FMC (all hardware models):

Cisco_Firepower_Mgmt_Center_Hotfix_FC_BIOSUPDATE-7.1.99.99-1

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix Q

7.1.0.2

Secure Firewall 3100:

Cisco_FTD_SSP_FP3K_Hotfix_Q-7.1.0.3-2

CSCwb88651: Cisco ASA and FTD Software RSA Private Key Leak Vulnerability

CSCwc28334: Cisco ASA and FTD Software RSA Private Key Leak Vulnerability

Hotfix P

7.1.0.1

Firepower 1000:

Cisco_FTD_SSP_FP1K_Hotfix_P-7.1.0.2-2

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_P-7.1.0.2-2

Firepower 4100/9300

Cisco_FTD_SSP_Hotfix_P-7.1.0.2-2

ISA 3000:

Cisco_FTD_Hotfix_P-7.1.0.2-2

FTDv:

Cisco_FTD_Hotfix_P-7.1.0.2-2

CSCwb88651: Cisco ASA and FTD Software RSA Private Key Leak Vulnerability

CSCwc28334: Cisco ASA and FTD Software RSA Private Key Leak Vulnerability

Hotfix A

7.1.0

Firepower 1000 with FDM:

Cisco_FTD_SSP_FP1K_Hotfix_A-7.1.0.1-7

Firepower 2100 with FDM:

Cisco_FTD_SSP_FP2K_Hotfix_A-7.1.0.1-7

Firepower 4100/9300 with FDM:

Cisco_FTD_SSP_Hotfix_A-7.1.0.1-7

ISA 3000 with FDM:

Cisco_FTD_Hotfix_A-7.1.0.1-7

FTDv with FDM:

Cisco_FTD_Hotfix_A-7.1.0.1-7

Note

 

Apply this hotfix to FDM and FDM/CDO-managed devices. FMC-managed devices are not vulnerable to this exploit.

CSCwa46963: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

Version 7.0.x Hotfixes

Table 11. Version 7.0.x Hotfixes

Hotfix

Versions

Platforms

Resolves

Hotfix FC

7.0.0

7.0.x

7.0.x.x

FMC (1600, 2600, 4600):

Cisco_Firepower_Mgmt_Center_Hotfix_FC_BIOSUPDATE-7.0.99.99-1

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix FK

7.0–7.0.6.3

Management Center:

Cisco_Firepower_Mgmt_Center_Hotfix_FK-7.0.6.99-9

CSCwd08098: cacert.pem on FMC expired and all the devices showing as disabled.

See Firewall Management Center Certificate Expiration After 10 Years.

Hotfix FJ

7.0.6.3

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_FJ-7.0.6.4-1

CSCwk48488: Cisco FTD for Cisco Firepower 2100 Series TCP UDP Snort 2 and Snort 3 DoS Vulnerability

Hotfix FI

7.0.6.3

Management Center:

Cisco_Firepower_Mgmt_Center_Hotfix_FI-7.0.6.4-1

CSCwj01321: FMC Stored XSS via Edit AnyConnect custom Attribute

Hotfix EN

7.0.0

7.0.x

7.0.x.x

Management Center (1000, 2500, 4500):

Cisco_Firepower_Mgmt_Center_BIOSUPDATE_700_EN-11

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix EI

7.0.6

Firepower 1000:

Cisco_FTD_SSP_FP1K_Hotfix_EI-7.0.6.1-3

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_EI-7.0.6.1-3

Firepower 4100/9300:

Cisco_FTD_SSP_Hotfix_EI-7.0.6.1-3

ASA 5500-X and ISA 3000 with FTD:

Cisco_FTD_Hotfix_EI-7.0.6.1-3

FTDv:

Cisco_FTD_Hotfix_EI-7.0.6.1-3

CSCwh23100: Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability

CSCwh45108: Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability

Hotfix DC

7.0.5

FMC:

Cisco_Firepower_Mgmt_Center_Hotfix_DC-7.0.5.1-5

CSCwd88641: Deployment changes to push VDB package based on Device model and snort engine

Hotfix S

7.0.1

Firepower 1000 with FDM:

Cisco_FTD_SSP_FP1K_Hotfix_S-7.0.1.1-10

Firepower 2100 with FDM:

Cisco_FTD_SSP_FP2K_Hotfix_S-7.0.1.1-10

Firepower 4100/9300 with FDM:

Cisco_FTD_SSP_Hotfix_S-7.0.1.1-10

ASA 5500-X and ISA 3000 with FDM:

Cisco_FTD_Hotfix_S-7.0.1.1-10

FTDv with FDM:

Cisco_FTD_Hotfix_S-7.0.1.1-10

Note

 

This hotfix was originally released as build 9 on 2021-12-19. It was rereleased as build 10 on 2021-12-21. If you installed the earlier build, you do not have to install the later build.

Apply this hotfix to FDM and FDM/CDO-managed devices. FMC-managed devices are not vulnerable to this exploit.

CSCwa46963: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

CSCwa55039: Firepower Threat Defense Hotfix S for 7.0.1 cause system failing when ran twice

Version 6.7.x Hotfixes

Table 12. Version 6.7.x Hotfixes

Hotfix

Versions

Platforms

Resolves

Hotfix EN

6.7.0

6.7.x

6.7.x.x

FMC (all hardware models):

Cisco_Firepower_Mgmt_Center_BIOSUPDATE_670_EN-11

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix AA

6.7.0.3

Firepower 1000:

Cisco_FTD_SSP_FP1K_Hotfix_AA-6.7.0.4-2

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_AA-6.7.0.4-2

Firepower 4100/9300:

Cisco_FTD_SSP_Hotfix_AA-6.7.0.4-2

ASA 5500-X and ISA 3000 with FTD:

Cisco_FTD_Hotfix_AA-6.7.0.4-2

FTDv:

Cisco_FTD_Hotfix_AA-6.7.0.4-2

CSCvw94160: CIAM: openssl CVE-2020-1971

CSCvx64478: Unwanted console output during SAML transactions

CSCvz70595: Traceback observed on ASA while handling SAML handler

CSCvz76966: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS DoS

CSCvz81480: IV in the outbound pkt is not updated on Nitrox V platforms when GCM is used for IPsec

CSCvz84850: ASA/FTD traceback and reload caused by "timer services" function

CSCvz85683: Wrong syslog message format for 414004

CSCvz85913: ASN.1 strings are represented internally within OpenSSL as an ASN1_STR for CISCO-SSL-1.0.2

CSCvz89545: SSL VPN performance degraded and significant stability issues after upgrade

CSCvz92016: ASA Privilege Escalation with valid user in AD

CSCwa04461: Cisco ASA Software and FTD Software Remote Access SSL VPN Denial of Service

CSCwa14485: Cisco Firepower Threat Defense Software Denial of Service Vulnerability

CSCwa15185: ASA/FTD: remove unwanted process call from LUA

CSCwa33898: Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability

CSCwa36678: Random FTD reloads with the traceback during deployment from FMC

CSCwa65389: ASA traceback and reload in Unicorn Admin Handler when change interface configuration via ASDM

Hotfix Y

6.7.0.2

Firepower 1000 with FDM:

Cisco_FTD_SSP_FP1K_Hotfix_Y-6.7.0.3-7

Firepower 2100 with FDM:

Cisco_FTD_SSP_FP2K_Hotfix_Y-6.7.0.3-7

Firepower 4100/9300 with FDM:

Cisco_FTD_SSP_Hotfix_Y-6.7.0.3-7

ASA 5500-X and ISA 3000 with FDM:

Cisco_FTD_Hotfix_Y-6.7.0.3-7

FTDv with FDM:

Cisco_FTD_Hotfix_Y-6.7.0.3-7

Note

 

Apply this hotfix to FDM and FDM/CDO-managed devices. FMC-managed devices are not vulnerable to this exploit.

CSCwa46963: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

Hotfix C

6.7.0

6.7.x.x

ISA 3000 with FTD:

Cisco_FTD_Hotfix_C-6.7.0.999-2

CSCvw53884: M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service

Version 6.6.x Hotfixes

Table 13. Version 6.6.x Hotfixes

Hotfix

Versions

Platforms

Resolves

Hotfix EN

6.6.0

6.6.x

6.6.x.x

FMC (1000, 1600, 2500, 2600, 4500, 4600):

Cisco_Firepower_Mgmt_Center_BIOSUPDATE_660_EN-11

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix EB

6.6.7.1

FMC/FMCv:

Cisco_Firepower_Mgmt_Center_Hotfix_EB-6.6.7.2-4

CSCwd88641: Deployment changes to push VDB package based on Device model and snort engine

Hotfix DE

6.6.5

6.6.5.1

FMC/FMCv:

Cisco_Firepower_Mgmt_Center_Hotfix_DE-6.6.5.2-8

Firepower 1000 with FDM:

Cisco_FTD_SSP_FP1K_Hotfix_DE-6.6.5.2-8

Firepower 2100 with FDM:

Cisco_FTD_SSP_FP2K_Hotfix_DE-6.6.5.2-8

Firepower 4100/9300 with FDM:

Cisco_FTD_SSP_Hotfix_DE-6.6.5.2-8

ASA 5500-X and ISA 3000 with FDM:

Cisco_FTD_Hotfix_DE-6.6.5.2-8

FTDv with FDM:

Cisco_FTD_Hotfix_DE-6.6.5.2-8

ASA FirePOWER with ASDM:

Cisco_Network_Sensor_Hotfix_DE-6.6.5.2-8

Note

 

Apply this hotfix to the FMC and to FDM, FDM/CDO, and ASDM managed devices only. FMC-managed devices are covered by the FMC hotfix.

CSCwa70008: Expired certs cause Security Intel. and malware file preclassification signature updates to fail

Hotfix DA

6.6.5.1

Firepower 1000 with FDM:

Cisco_FTD_SSP_FP1K_Hotfix_DA-6.6.5.2-4

Firepower 2100 with FDM

Cisco_FTD_SSP_FP2K_Hotfix_DA-6.6.5.2-4

Firepower 4100/9300 with FDM:

Cisco_FTD_SSP_Hotfix_DA-6.6.5.2-4

ASA 5500-X and ISA 3000 with FDM:

Cisco_FTD_Hotfix_DA-6.6.5.2-4

FTDv with FDM:

Cisco_FTD_Hotfix_DA-6.6.5.2-4

Note

 

Apply this hotfix to FDM and FDM/CDO-managed devices. FMC-managed devices are not vulnerable to this exploit.

CSCwa46963: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

Hotfix EI

6.6.0

6.6.x

6.6.x.x

FMC 2000, 4000:

Cisco_Firepower_Mgmt_Center_BIOSUPDATE_660_EI-15

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix AB

6.6.1

ISA 3000 with FTD:

Cisco_FTD_Hotfix_AB-6.6.1.999-1

CSCvw53884: M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service

Hotfix N

6.6.0

6.6.0.x

ISA 3000 with FTD:

Cisco_FTD_Hotfix_N-6.6.0.999-1

CSCvw53884: M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service

Version 6.4.0 Hotfixes

Table 14. Version 6.4.0 Hotfixes

Hotfix

Versions

Platforms

Resolves

Hotfix EN

6.4.0

6.4.x

6.4.x.x

FMC (1000, 1600, 2500, 2600, 4500, 4600):

Cisco_Firepower_Mgmt_Center_BIOSUPDATE_640_EN-11

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix EP

6.4.0.13

Firepower 1000 with FDM:

Cisco_FTD_SSP_FP1K_Hotfix_EP-6.4.0.14-9

Firepower 2100 with FDM:

Cisco_FTD_SSP_FP2K_Hotfix_EP-6.4.0.14-9

ASA 5500-X and ISA 3000 with FDM:

Cisco_FTD_Hotfix_EP-6.4.0.14-9

FTDv with FDM:

Cisco_FTD_Hotfix_EP-6.4.0.14-9

Note

 

Apply this hotfix to FDM and FDM/CDO-managed devices. FMC-managed devices are not vulnerable to this exploit.

CSCwa46963: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

Hotfix EI

6.4.0

6.4.0.x

FMC 750, 1500, 2000, 3500, 4000:

Cisco_Firepower_Mgmt_Center_BIOSUPDATE_640_EI-15

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix DV

6.4.0

6.4.0.x

ISA 3000 with FTD:

Cisco_FTD_Hotfix_DV-6.4.0.999-1

CSCvw53884: M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service

Hotfix BM

6.4.0.9

Firepower 1000:

Cisco_FTD_SSP_FP1K_Hotfix_BM-6.4.0.10-2

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_BM-6.4.0.10-2

Firepower 4100/9300:

Cisco_FTD_SSP_Hotfix_BM-6.4.0.10-2

ASA 5500-X and ISA 3000 with FTD:

Cisco_FTD_Hotfix_BM-6.4.0.10-2

FTDv:

Cisco_FTD_Hotfix_BM-6.4.0.10-2

CSCvt03598: Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability

Hotfix AY

6.4.0.8

Firepower 1000:

Cisco_FTD_SSP_FP1K_Hotfix_AY-6.4.0.9-3

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_AY-6.4.0.9-3

Firepower 4100/9300:

Cisco_FTD_SSP_Hotfix_AY-6.4.0.9-3

ASA 5500-X and ISA 3000 with FTD:

Cisco_FTD_Hotfix_AY-6.4.0.9-3

FTDv:

Cisco_FTD_Hotfix_AY-6.4.0.9-3

Note

 

We recommend you patch to Version 6.4.0.9+ instead of applying this hotfix. If you cannot patch, note that this hotfix was originally released as build 2 on 2020-05-06, and was rereleased on 2020-05-15 as build 3. If you installed the earlier build, install the new one also. You do not have to uninstall.

CSCvp49481, CSCvp93468: Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability

CSCvs10748: Cisco Adaptive Security Appliance and Firepower Threat Defense Denial of Service Vuln

CSCvo80853: Cisco Firepower Threat Defense Software Packet Flood Denial of Service Vulnerability

CSCvs50459: Cisco ASA and Cisco FTD Malformed OSPF Packets Processing Denial of Service Vulnerability

CSCvr86783: Standby FDM lost connectivity after forming HA

CSCvr92168: ASA/FTD Slow memory leak in OSPF process when processing OSPF Hellos

CSCvt15163: Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability

CSCvq89361: Cisco Firepower 1000 Series SSL/TLS Denial of Service Vulnerability

CSCvu20521: OSPF is not forming after HF installation

Hotfix U

6.4.0.5 and 6.4.0.6

FMC/FMCv:

Cisco_Firepower_Mgmt_Center_Hotfix_U-6.4.0.7-2

CSCvr95287: Cisco Firepower Management Center LDAP Authentication Bypass Vulnerability

Hotfix T

6.4.0

6.4.0.1 to 6.4.0.4

FMC/FMCv:

Cisco_Firepower_Mgmt_Center_Hotfix_T-6.4.0.5-1

CSCvr95287: Cisco Firepower Management Center LDAP Authentication Bypass Vulnerability

Hotfix AA

6.4.0.4 to 6.4.0.7

FMC/FMCv:

Cisco_Firepower_Mgmt_Center_Hotfix_AA-6.4.0.8-4

Note

 

You must also update to VDB 329+ and deploy configuration changes. You can do this before or after you apply the hotfix.

Resolves issues with application identification.

Hotfix X

6.4.0.6

FMC/FMCv:

Cisco_Firepower_Mgmt_Center_Hotfix_X-6.4.0.7-2

CSCvr52109: FTD has hitcounts on access-lists but traffic is not hitting Access Policy rules

Hotfix F

6.4.0.2

FMC/FMCv:

Cisco_Firepower_Mgmt_Center_Hotfix_F-6.4.0.3-2

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_F-6.4.0.3-2

Firepower 4100/9300:

Cisco_FTD_SSP_Hotfix_F-6.4.0.3-2

ASA 5500-X and ISA 3000 with FTD:

Cisco_FTD_Hotfix_F-6.4.0.3-2

FTDv (VMware, FVM):

Cisco_FTD_Hotfix_F-6.4.0.3-2

CSCvq34224: Firepower Primary Detection Engine process terminated after Manager upgrade

Version 6.2.3 Hotfixes

Table 15. Version 6.2.3 Hotfixes

Hotfix

Versions

Platforms

Resolves

Hotfix EM

6.2.3.17

Firepower 2100 with FDM:

Cisco_FTD_SSP_FP2K_Hotfix_EM-6.2.3.18-13

ASA 5500-X and ISA 3000 with FDM:

Cisco_FTD_Hotfix_EM-6.2.3.18-13

FTDv with FDM:

Cisco_FTD_Hotfix_EM-6.2.3.18-13

Note

 

Apply this hotfix to FDM and FDM/CDO-managed devices. FMC-managed devices are not vulnerable to this exploit.

CSCwa46963: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

Hotfix EL

6.2.3

6.2.3.x

FMC 1000, 2500, 4500:

Sourcefire_3D_Defense_Center_S3_BIOSUPDATE_623_EL-7

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix EI

6.2.3

6.2.3.x

FMC 750, 1500, 2000, 3500, 4000:

Sourcefire_3D_Defense_Center_S3_BIOSUPDATE_623_EI-15

Note

 

This hotfix replaces all other BIOS and firmware hotfixes for these management center models. Apply this hotfix even if you have applied previous BIOS and firmware hotfixes.

Updates the BIOS, CIMC firmware, and RAID controller firmware.

See BIOS and Firmware Hotfixes for Management Center Hardware.

Hotfix EH

6.2.3

6.2.3.x

ASA 5506-X with FTD:

Cisco_FTD_Hotfix_EH-6.2.3.999-6

CSCvw53884: M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service

Hotfix DT

6.2.3.15

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_DT-6.2.3.16-3

Firepower 4100/9300:

Cisco_FTD_SSP_Hotfix_DT-6.2.3.16-3

ASA 5500-X and ISA 3000 with FTD:

Cisco_FTD_Hotfix_DT-6.2.3.16-3

FTDv:

Cisco_FTD_Hotfix_DT-6.2.3.16-3

CSCvr55825: Cisco ASA and FTD Software Path Traversal Vulnerability

CSCvp49481, CSCvp93468: Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability

CSCvp16945, CSCvp16949: Cisco ASA Software and FTD Software MGCP Denial of Service Vulnerabilities

CSCvo62077: Cisco Firepower Threat Defense Software VPN System Logging Denial of Service Vulnerability

CSCvs10748: Cisco Adaptive Security Appliance and Firepower Threat Defense Denial of Service Vuln

CSCvs50459: Cisco ASA and Cisco FTD Malformed OSPF Packets Processing Denial of Service Vulnerability

CSCvo80853: Cisco Firepower Threat Defense Software Packet Flood Denial of Service Vulnerability

CSCvr07419: Cisco ASA and FTD Software IPv6 DNS Denial of Service Vulnerability

CSCvt15163: Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability

Hotfix DW

6.2.3.15

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_DW-6.2.3.16-6

Firepower 4100/9300:

Cisco_FTD_SSP_Hotfix_DW-6.2.3.16-6

ASA 5500-X and ISA 3000 with FTD:

Cisco_FTD_Hotfix_DW-6.2.3.16-6

FTDv:

Cisco_FTD_Hotfix_DW-6.2.3.16-6

CSCvs84578: Upgrading FTD on 4100/9300 Platform to 6.2.3.15 break SSHD, preventing FTD instance from booting up

CSCvs84713: Cannot SSH to the device after upgrading FTD on ASA55XX/ISA 3000/FTDv to 6.2.3.15 build 38

CSCvs95725: Virtual FTD Running on 6.2.3.15 blocks SSH request and loses connection with the FMC

Hotfix DO

6.2.3

6.2.3.1 to 6.2.3.15

FMC/FMCv:

Sourcefire_3D_Defense_Center_S3_Hotfix_DO-6.2.3.16-3

CSCvr95287: Cisco Firepower Management Center LDAP Authentication Bypass Vulnerability

Hotfix DQ

6.2.3.15

FMC/FMCv:

Sourcefire_3D_Defense_Center_S3_Hotfix_DQ-6.2.3.16-2

Note

 

You must also update to VDB 329+ and deploy configuration changes. You can do this before or after you apply the hotfix.

Resolves issues with application identification.

Hotfix CY

6.2.3.14

FMC/FMCv:

Sourcefire_3D_Defense_Center_S3_Hotfix_CY-6.2.3.15-2

CSCvq34224: Firepower Primary Detection Engine process terminated after Manager upgrade

Hotfix CK

6.2.3.12

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_CK-6.2.3.13-1

CSCvn77248: Cisco Secure Boot Hardware Tampering Vulnerability

Hotfix Local Malware Cert

6.2.3

6.2.3.x

FMC/FMCv:

Hotfix_Local_Malware_Cert-6.2.3.999-4

CSCvm81052: local malware detection updates not downloading to FMC due to invalid certificate chain.

Hotfix H

6.2.3

6.2.3.1 to 6.2.3.3

FMC/FMCv:

Sourcefire_3D_Defense_Center_S3_Hotfix_H-6.2.3.999-5

Firepower 7000/8000:

Sourcefire_3D_Device_S3_Hotfix_H-6.2.3.999-5

ASA FirePOWER:

Cisco_Network_Sensor_Hotfix_H-6.2.3.999-5

NGIPSv:

Sourcefire_3D_Device_VMware_Hotfix_H-6.2.3.999-5

CSCvj07038: Firepower devices need to trust Threat Grid certificate.

Hotfix G

6.2.3

6.2.3.1 to 6.2.3.3

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_G-6.2.3.999-6

Firepower 4100/9300:

Cisco_FTD_SSP_Hotfix_G-6.2.3.999-6

ASA 5500-X with FTD:

Cisco_FTD_Hotfix_G-6.2.3.999-6

FTDv (VMware, KVM, AWS):

Cisco_FTD_Hotfix_G-6.2.3.999-6

CSCvj07038: Firepower devices need to trust Threat Grid certificate.

Hotfix T

6.2.3.1 to 6.2.3.3

FMC/FMCv:

Sourcefire_3D_Defense_Center_S3_Hotfix_T-6.2.3.4-4

CSCvk06176: SSEConnector is not coming up because of Wrong Executable.

Hotfix A

6.2.3

Firepower 2100:

Cisco_FTD_SSP_FP2K_Hotfix_A-6.2.3.1-10

Firepower 4100/9300:

Cisco_FTD_SSP_Hotfix_A-6.2.3.1-10

ASA 5500-X with FTD:

Cisco_FTD_Hotfix_A-6.2.3.1-10

FTDv (VMware, KVM, AWS):

Cisco_FTD_Hotfix_A-6.2.3.1-10

CSCvg65072: ASA, Threat Defense, and AnyConnect Secure Mobility Client SAML Auth Session Fixation Vulnerability.

CSCvi16029: ASA Web Interface Authentication Bypass.

For Assistance

Online Resources

Cisco provides the following online resources to download documentation, software, and tools; to query bugs; and to open service requests. Use these resources to install and configure Cisco software and to troubleshoot and resolve technical issues.

Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.

Contact Cisco

If you cannot resolve an issue using the online resources listed above, contact Cisco TAC: