-
On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as “Critical Severity,” one as “Moderate Severity,” and the other 12 as “Low Severity.”
Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities. These vulnerabilities affect the OpenSSL versions that were released to address the vulnerabilities disclosed in the previous advisory. One of the new vulnerabilities was rated as “High Severity” and the other as “Moderate Severity.”
Of the 16 released vulnerabilities:
- Fourteen track issues that could result in a denial of service (DoS) condition
- One (CVE-2016-2183, aka SWEET32) tracks an implementation of a Birthday attack against Transport Layer Security (TLS) block ciphers that use a 64-bit block size that could result in loss of confidentiality
- One (CVE-2016-2178) is a timing side-channel attack that, in specific circumstances, could allow an attacker to derive the private DSA key that belongs to another user or service running on the same system
Five of the 16 vulnerabilities exclusively affect the recently released OpenSSL versions that are part of the 1.1.0 release series, which has not yet been integrated into any Cisco product.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl
-
Cisco investigated its product line to determine which products may be affected by these vulnerabilities and the impact on each affected product. Refer to the "Vulnerable Products" and "Products Confirmed Not Vulnerable" sections of this advisory for information about whether a product is affected.
The "Vulnerable Products" section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.
Vulnerable Products
Product | Cisco Bug ID | Fixed Release Availability
Cable Modems
Cisco IOS XE Software - Web user interface only | CSCvc32062 |
Collaboration and Social Media
Cisco SocialMiner | CSCvb50787 |
Cisco Unified MeetingPlace | CSCvb48712 | 8.6MR1 (14-Oct-2016)
Cisco WebEx Meetings Server Release 1.x | CSCvb48548 | 2.6.1.3xx (12-Oct-2016)
Cisco WebEx Meetings Server Release 2.x | CSCvb48548 | 2.6.1.3xx (12-Oct-2016)
Cisco WebEx Node for MCS | CSCvb48543 | Affected versions will be updated (25-Oct-2016)
Endpoint Clients and Client Software
Cisco Agent for OpenFlow | CSCvb48661 | No fix is expected.
Cisco AnyConnect Secure Mobility Client for Android | CSCvb48664 | 4.0.7 (31-Oct-2016)
Cisco AnyConnect Secure Mobility Client for Desktop Platforms | CSCvb48665 | 4.4 (30-Nov-2016); 4.3.4 (31-Dec-2016)
Cisco AnyConnect Secure Mobility Client for Linux | CSCvb48663 | 4.0.7 (31-Oct-2016)
Cisco AnyConnect Secure Mobility Client for Mac OS X | CSCvb48663 | 4.0.7 (31-Oct-2016)
Cisco AnyConnect Secure Mobility Client for Windows | CSCvb48663 | 4.0.7 (31-Oct-2016)
Cisco AnyConnect Secure Mobility Client for iOS | CSCvb48663 | 4.0.7 (31-Oct-2016)
Cisco Jabber Client Framework (JCF) Components | CSCvb45724 | 11.8.0 (15-Nov-2016)
Cisco Jabber Guest | CSCvb48710 | 11.0 (30-Nov-2016)
Cisco Jabber Software Development Kit | CSCvb47717 | 11.8.0 (15-Nov-2016)
Cisco Jabber for Android | CSCvb48725 | 11.8.0 1 (15-Nov-2016)
Cisco Jabber for Mac | CSCvb48290 | 11.8.0 (15-Nov-2016)
Cisco Jabber for Windows | CSCvb48708 | 11.8.0 (15-Nov-2016)
Cisco WebEx Business Suite | CSCvb48552 |
Cisco WebEx Meetings Client - Hosted | CSCvb48553 | T32 (21-Nov-2016)
Cisco WebEx Meetings Client - On-Premises | CSCvb48547 | T32 (1-Nov-2016)
Cisco WebEx Meetings Server - Multimedia Platform (MMP) | CSCvb48554 | Affected versions have been updated.
Cisco WebEx Meetings for Android | CSCvb48544 | Affected versions will be updated (31-Oct-2016)
Cisco WebEx Meetings for BlackBerry | CSCvb48545 | Users need to Update BlackBerry OS
Cisco WebEx Meetings for Windows Phone 8 | CSCvb48546 | 2.8 (11-Nov-2016)
Network Application, Service, and Acceleration
Cisco ACE 4710 Application Control Engine - Running Software Release A5 | CSCvb48557 | No fix is expected.
Cisco ACE30 Application Control Engine Module | CSCvb48557 | No fix is expected.
Cisco Application and Content Networking System (ACNS) | CSCvb48634 | No fix is expected.
Cisco InTracer | CSCvb48517 | No fix is expected.
Cisco NAC Appliance - Clean Access Manager | CSCvb48635 | No fix is expected.
Cisco Visual Quality Experience Server | CSCvb48633 | Affected versions will be fixed (28-Oct-16)
Cisco Visual Quality Experience Tools Server | CSCvb48633 | Affected versions will be fixed (28-Oct-16)
Cisco Wide Area Application Services (WAAS) | CSCvb48643 | All affected versions fixed (11-Sept-2016)
Network and Content Security Devices
Cisco ASA Next-Generation Firewall Services | CSCvb48642 | 2.1.2 (Dec. 2016)
Cisco Adaptive Security Appliance (ASA) | CSCvb48640 |
Cisco Clean Access Manager | CSCvb48636 | No fix is expected.
Cisco Content Security Appliance Update Servers | CSCvb48539 | Affected versions will be updated (21-Oct-2016)
Cisco Content Security Management Appliance (SMA) | CSCvb48537 | 11.0.0-115
Cisco Email Security Appliance (ESA) | CSCvb48533 | 11.0 (Available)
Cisco FireSIGHT System Software | CSCvb48536 | 5.4.0.10 (5-Dec-2016); 5.4.1.9 (5-Dec-2016); 6.0.1.3 (21-Nov-2016); 6.1.0.1 (31-Oct-2016)
Cisco Identity Services Engine (ISE) | CSCvb48654 |
Cisco Intrusion Prevention System (IPS) Solutions | CSCvb48667 | No fix is expected.
Cisco NAC Appliance - Clean Access Server | CSCvb48637 | No fix is expected.
Cisco NAC Guest Server | CSCvb48638 | No fix is expected.
Cisco Secure Access Control System (ACS) | CSCvb48662 | 5.8.0.32.7 (Jan-2017); 5.8.0.32.8 (Jan-2017)
Cisco Web Security Appliance (WSA) | CSCvb48542 | Affected versions will be updated (1-May-2017)
Network Management and Provisioning
Cisco Application Networking Manager | CSCvb48558 | No fix is expected.
Cisco Application Policy Infrastructure Controller (APIC) | CSCvb48563 | 2.2(1) (Jan-2017)
Cisco Cloupia Unified Infrastructure Controller | CSCvb48560 | FB_MR1 (9-Dec-2016)
Cisco Digital Media Manager | CSCvb48609 | 5.3.6_RB3 (29-Oct-2016); 5.4.1_RB4 (29-Oct-2016)
Cisco Management Appliance | CSCvb48524 | Affected versions will be fixed (25-Jan-2017)
Cisco Mobile Wireless Transport Manager | CSCvb48600 | No fix is expected.
Cisco Multicast Manager | CSCvb48586 | No fix is expected.
Cisco NetFlow Generation Appliance | CSCvb48596 | 1.1(1) (14-Oct-2016)
Cisco Network Analysis Module | CSCvb48593 | 6.2(1-b) (14-Oct-2016); 6.2(2) (14-Oct-2016)
Cisco Packet Tracer | CSCvb48617 | Affected versions have been updated.
Cisco Policy Suite | CSCvc39197 | 12.0 (3-Mar-2017)
Cisco Prime Access Registrar | CSCvb48589 |
Cisco Prime Collaboration Assurance | CSCvb48599 | PCA 11.6 (Nov-2016)
Cisco Prime Collaboration Deployment | CSCvb48693 |
Cisco Prime Collaboration Provisioning | CSCvb48598 | 11.6 (7-Oct-2016)
Cisco Prime Data Center Network Manager | CSCvb48562 | DCNM 10.2.(1) (1-May-2017)
Cisco Prime IP Express | CSCvb48591 |
Cisco Prime Infrastructure Plug and Play Standalone Gateway | CSCvb48594 | No fix is expected.
Cisco Prime Infrastructure | CSCvb48595 | 3.2: (First quarter 2017)
Cisco Prime LAN Management Solution - Solaris | CSCvb48585 | 4.2.5 (Available); MR5 (30-May-2017)
Cisco Prime License Manager | CSCvb48619 |
Cisco Prime Network Registrar | CSCvb48587 | CPNR 8.3.5 (Jan. 2017); CPNR 9.0 (Dec. 2016)
Cisco Prime Network Services Controller | CSCvb48602 | Moved to openssl 1.01u (6-Oct-2016)
Cisco Prime Network | CSCvb48581 | PN 431 (Dec. 2016)
Cisco Prime Optical for Service Providers | CSCvb48590 |
Cisco Prime Performance Manager | CSCvb48582 | 1.7.0 SP1611 (30-Nov-2016)
Cisco Security Manager | CSCvb17176 | 4.13 (30-Jan-2017); 4.12 (30-Oct-2016)
Cisco Smart Net Total Care - Local Collector appliance | CSCvb48680 | Affected versions will be updated (4-Nov-2016)
Cisco UCS Central Software | CSCvb48578 | Affected versions will be fixed Mar 2017.
Cisco Unified Intelligence Center | CSCvb50784 | 11.6(1) (15-Jun-2017)
Lancope Stealthwatch Endpoint Concentrator | lancopeSep | 6.7.4 (Available); 6.8.3 (14-Nov-2016); 6.9.0 (Feb 2017); Patches: patch-common-LVA-ROLLUP001-6.7.x-6.7.4-03.swu (Available); patch-common-LVA-ROLLUP001-6.8.x-6.8.3-03.swu (Available)
Lancope Stealthwatch FlowCollector NetFlow | lancopeSep | 6.7.4 (Available); 6.8.3 (14-Nov-2016); 6.9.0 (Feb 2017); Patches: patch-common-LVA-ROLLUP001-6.7.x-6.7.4-03.swu (Available); patch-common-LVA-ROLLUP001-6.8.x-6.8.3-03.swu (Available)
Lancope Stealthwatch FlowCollector sFlow | lancopeSep | 6.7.4 (Available); 6.8.3 (14-Nov-2016); 6.9.0 (Feb 2017); Patches: patch-common-LVA-ROLLUP001-6.7.x-6.7.4-03.swu (Available); patch-common-LVA-ROLLUP001-6.8.x-6.8.3-03.swu (Available)
Lancope Stealthwatch FlowSensor | lancopeSep | 6.7.4 (Available); 6.8.3 (14-Nov-2016); 6.9.0 (Feb 2017); Patches: patch-common-LVA-ROLLUP001-6.7.x-6.7.4-03.swu (Available); patch-common-LVA-ROLLUP001-6.8.x-6.8.3-03.swu (Available)
Lancope Stealthwatch SMC | lancopeSep | 6.7.4 (Available); 6.8.3 (14-Nov-2016); 6.9.0 (Feb 2017); Patches: patch-common-LVA-ROLLUP001-6.7.x-6.7.4-03.swu (Available); patch-common-LVA-ROLLUP001-6.8.x-6.8.3-03.swu (Available)
Lancope Stealthwatch UDP Director | lancopeSep | 6.7.4 (Available); 6.8.3 (14-Nov-2016); 6.9.0 (Feb 2017); Patches: patch-common-LVA-ROLLUP001-6.7.x-6.7.4-03.swu (Available); patch-common-LVA-ROLLUP001-6.8.x-6.8.3-03.swu (Available)
Routing and Switching - Enterprise and Service Provider
Cisco 910 Industrial Router | CSCvb48671 | 1.2.1RB4 (Available)
Cisco ASR 5000 Series | CSCvb31279 | 21.2.0 (30-Apr-2017)
Cisco Connected Grid Routers - Running Cisco CG-OS Software | CSCvb48559 | 7.3 (27-Oct-2016)
Cisco Connected Grid Routers | CSCvb48684 | 15.008.009 (26-Oct-2016)
Cisco IOS XR Software | CSCvb48604 | 6.3.1 (1-July-2017)
Cisco IOS and Cisco IOS XE Software (16.3 and earlier releases) | CSCvb92562 | 16.4(2); 16.3(2); 15.5(3)M5; 15.5(3)S5; See BST for more fix information.
Cisco IOS and Cisco IOS XE Software (16.4 and later releases) | CSCvb48683 | 16.4(2); 16.3(2); 15.5(3)M5; 15.5(3)S5; See BST for more fix information.
Cisco MDS 9000 Series Multilayer Switches | CSCvb48567 | 5.2.8(i) (Dec 2016); 6.2.19 (Dec. 2016)
Cisco MDS 9000 Series Multilayer Switches | CSCvb48568 | 5.2.8(i) (Dec. 2016); 6.2.19 (Dec. 2016)
Cisco Nexus 1000V InterCloud | CSCvb48566 |
Cisco Nexus 1000V Series Switches | CSCvb48570 | 5.2(1)SV3(2.5) (17-Dec-2016)
Cisco Nexus 3000 Series Switches | CSCvb48572 | 6.0(2)A8(3) (Available)
Cisco Nexus 4000 Series Blade Switches | CSCvb48670 | 4.1(2)E1(1r) (3-Mar-2017)
Cisco Nexus 5000 Series Switches | CSCvb48568 | 5.2.8(i) (Dec. 2016); 6.2.19 (Dec. 2016)
Cisco Nexus 5000 Series Switches | CSCvb48573 |
Cisco Nexus 6000 Series Switches | CSCvb48568 | 5.2.8(i) (Dec. 2016); 6.2.19 (Dec. 2016)
Cisco Nexus 7000 Series Switches | CSCvb48568 | 5.2.8(i) (Dec. 2016); 6.2.19 (Dec. 2016)
Cisco Nexus 9000 Series Fabric Switches - ACI mode | CSCvb48565 | Danube 12.2(2x) (1-Dec-2016)
Cisco Nexus 9000 Series Switches - Standalone, NX-OS mode | CSCvb48569 | 7.0(3)I5(1) (15-Oct-2016)
Cisco ONS 15454 Series Multiservice Provisioning Platforms | CSCvb48647 | 10.7 (31-Jan-2017)
Cisco Service Control Operating System | CSCvb48685 | Affected versions will be updated (15-Jan-2017)
Cisco onePK All-in-One Virtual Machine | CSCvb48646 | Customers are advised to keep the software in their virtual machine installations up to date using the software upgrade utilities provided by the operating system.
Routing and Switching - Small Business
Cisco 220 Series Smart Plus (Sx220) Switches | CSCvb48655 |
Cisco 500 Series Stackable (Sx500) Managed Switches | CSCvb48660 | No fix is expected.
Cisco Small Business 300 Series (Sx300) Managed Switches | CSCvb48659 | No fix is expected.
Unified Computing
Cisco Common Services Platform Collector | CSCvb48520 | CASP 1.11 (Dec-2016)
Cisco UCS 6200 Series and 6300 Series Fabric Interconnects | CSCvb48644 | Affected systems will be updated (15-Dec-2016)
Cisco UCS B-Series Blade Servers | CSCvb48577 | 3.1.3: TBD
Cisco UCS Director | CSCvb48561 |
Cisco UCS Manager | CSCvb48645 | Affected versions will be fixed (15-Dec-2016)
Cisco UCS Standalone C-Series Rack Server - Integrated Management Controller | CSCvb48579 | 3.0.0 (30-Nov-2016)
Cisco Virtual Security Gateway | CSCvb48574 | 2.1.6 (2-Feb-2017)
Voice and Unified Communications Devices
Cisco ATA 187 Analog Telephone Adaptor | CSCvb48718 |
Cisco ATA 190 Series Analog Terminal Adaptors | CSCvb48690 | 1.3.0: (1-Oct-2017)
Cisco Agent Desktop for Cisco Unified Contact Center Express | CSCvb48695 |
Cisco Computer Telephony Integration Object Server (CTIOS) | CSCvb48529 | 11.6.1 (1-July-2017)
Cisco DX Series IP Phones | CSCvb48720 | Affected versions will be updated (3-Mar-2017)
Cisco Emergency Responder | CSCvb48700 | Affected versions will be updated (20-Oct-2016)
Cisco Hosted Collaboration Mediation Fulfillment | CSCvb48703 | 11.5(1) (22-Dec-2016)
Cisco IP 7800 Series Phones | CSCvb48723 |
Cisco IP 8800 Series Phones - VPN feature | CSCvb48721 |
Cisco IP Interoperability and Collaboration System (IPICS) | CSCvb48628 | 5.0.2 (14-April-2017)
Cisco Jabber for iPhone and iPad | CSCvb48705 | 11.8.0 (15-Nov-2016)
Cisco MediaSense | CSCvb50790 |
Cisco Packaged Contact Center Enterprise | CSCvb48530 | No fix is expected.
Cisco Paging Server (InformaCast) | CSCvb48704 | All affected versions will be fixed (Oct-2016)
Cisco Paging Server | CSCvb48704 | All affected versions will be fixed (Oct-2016)
Cisco SPA112 2-Port Phone Adapter | CSCvb48656 | 1.4.2: (1-Oct-2017)
Cisco SPA122 Analog Telephone Adapter (ATA) with Router | CSCvb48656 | 1.4.2: (1-Oct-2017)
Cisco SPA232D Multi-Line DECT Analog Telephone Adapter (ATA) | CSCvb48656 | 1.4.2: (1-Oct-2017)
Cisco SPA525G 5-Line IP Phone | CSCvb48657 | No fix is expected.
Cisco TAPI Service Provider (TSP) | CSCvb48692 | No fix is expected.
Cisco UC Integration for Microsoft Lync | CSCvb48697 | 11.6.3 (1-Nov-2016)
Cisco Unified Attendant Console Advanced | CSCvb48688 | 12.0(1) (Available)
Cisco Unified Attendant Console Business Edition | CSCvb48688 | 12.0(1) (Available)
Cisco Unified Attendant Console Department Edition | CSCvb48688 | 12.0(1) (Available)
Cisco Unified Attendant Console Enterprise Edition | CSCvb48688 | 12.0(1) (Available)
Cisco Unified Attendant Console Premium Edition | CSCvb48688 | 12.0(1) (Available)
Cisco Unified Attendant Console Standard | CSCvb48689 | 11.0.2 patch (Available)
Cisco Unified Communications Domain Manager | CSCvb48696 | 11.5(1) (16-Dec-2016)
Cisco Unified Communications Manager IM & Presence Service (formerly CUPS) | CSCvb48701 | Affected versions will be updated (20-Oct-2016)
Cisco Unified Communications Manager Session Management Edition | CSCvb48691 | Affected versions will be updated (20-Oct-2016)
Cisco Unified Communications Manager | CSCvb48691 | Affected versions will be updated (20-Oct-2016)
Cisco Unified Contact Center Enterprise - Live Data server | CSCvb50785 |
Cisco Unified Contact Center Enterprise | CSCvb48529 | 11.6.1 (1-July-2017)
Cisco Unified Contact Center Express | CSCvb50788 | 11.6: (10-Nov-2016)
Cisco Unified IP 6901 Phone | CSCvb48713 | 9.3(1)SR3 (June 2016)
Cisco Unified IP 6945 Phone | CSCvb48719 |
Cisco Unified IP 7900 Series Phones | CSCvb48724 | No fix is expected.
Cisco Unified IP 8831 Conference Phone for Third-Party Call Control | CSCvb48687 | 9.3(4)SR3 (13-May-2017)
Cisco Unified IP 8831 Conference Phone | CSCvb48716 | 10.3.1SR4 (30-Nov-2017)
Cisco Unified IP 8945 Phone | CSCvb48715 | 9.4.2SR4 (10-Nov-2017)
Cisco Unified IP 8961 Phone | CSCvb48702 |
Cisco Unified IP 9951 Phone | CSCvb48702 |
Cisco Unified IP 9971 Phone | CSCvb48702 |
Cisco Unified Intelligent Contact Management Enterprise | CSCvb48529 | 11.6.1 (1-July-2017)
Cisco Unified SIP Proxy Software | CSCvb48516 | 10.0 (Mar-2017)
Cisco Unified Wireless IP Phone | CSCvb48729 |
Cisco Unified Workforce Optimization - Quality Management Solution | CSCvb48727 | 11.5(1)SU1 (31-Dec-2016)
Cisco Unified Workforce Optimization | CSCvb48728 |
Cisco Unity Connection | CSCvb48694 |
Cisco Unity Express | CSCvb48514 | 10.0 (1-Feb-2017)
Cisco Virtualization Experience Media Edition | CSCvb48726 | 11.8.0 (29-Nov-2016)
Video, Streaming, TelePresence, and Transcoding Devices
Cisco 4300 Series Digital Media Players | CSCvb48608 | 5.3.6_RB3 (29-Oct-2016); 5.4.1_RB4 (29-Oct-2016)
Cisco 4400 Series Digital Media Players | CSCvb48608 | 5.3.6_RB3 (29-Oct-2016); 5.4.1_RB4 (29-Oct-2016)
Cisco Cloud Object Storage | CSCvb48630 | Affected versions will be fixed (30-Oct-2016)
Cisco DCM Series D990x Digital Content Manager | CSCvb48580 |
Cisco Edge 300 Digital Media Player | CSCvb48672 | 1.6RB5 (26-Oct-2016)
Cisco Edge 340 Digital Media Player | CSCvb48673 | 1.2RB1.0.3 (26-Oct-2016)
Cisco Enterprise Content Delivery System (ECDS) | CSCvb48610 | 2.6.9 (7-Jan-2017)
Cisco Expressway Series | CSCvb48625 | X8.8.3 (24-Oct-2016)
Cisco MXE 3500 Series Media Experience Engines | CSCvb48615 | Affected versions will be fixed (7-Oct-2016)
Cisco Media Services Interface | CSCvb48605 | No fix is expected.
Cisco Show and Share | CSCvb48621 | No fix is expected.
Cisco TelePresence Conductor | CSCvb48607 | XC4.3.1 (29-March-2017)
Cisco TelePresence Content Server | CSCvb48623 | Affected versions will be updated (17-Oct-2016)
Cisco TelePresence ISDN Gateway 3241 | CSCvb48611 | 2.2(1.122) (31-March-2017)
Cisco TelePresence ISDN Gateway MSE 8321 | CSCvb48611 | 2.2(1.122) (31-March-2017)
Cisco TelePresence ISDN Link | CSCvb48612 |
Cisco TelePresence MCU 4200 Series, 4500 Series, 5300 Series, MSE 8420, and MSE 8510 | CSCvb48613 | MCU 4.5(1.89) (9-Dec-2016)
Cisco TelePresence MX Series | CSCvb51602 | TC7.3.7 (Fix Available Now); CE8.2.2 (Oct. 2016)
Cisco TelePresence Profile Series | CSCvb51602 | TC7.3.7 (Fix Available Now); CE8.2.2 (Oct. 2016)
Cisco TelePresence SX Series | CSCvb51602 | TC7.3.7 (Fix Available Now); CE8.2.2 (Oct. 2016)
Cisco TelePresence Serial Gateway Series | CSCvb48620 |
Cisco TelePresence Server 7010 and MSE 8710 | CSCvb48624 | 4.4 (Nov 2016)
Cisco TelePresence Server on Multiparty Media 310 and 320 | CSCvb48624 | 4.4 (Nov 2016)
Cisco TelePresence Server on Multiparty Media 820 | CSCvb48624 | 4.4 (Nov 2016)
Cisco TelePresence Server on Virtual Machine | CSCvb48624 | 4.4 (Nov 2016)
Cisco TelePresence Supervisor MSE 8050 | CSCvb48614 |
Cisco TelePresence System 1000 | CSCvb48686 | 1.0.2 (28-Feb-2017)
Cisco TelePresence System 1100 | CSCvb48686 | 1.0.2 (28-Feb-2017)
Cisco TelePresence System 1300 | CSCvb48686 | 1.0.2 (28-Feb-2017)
Cisco TelePresence System 3000 Series | CSCvb48686 | 1.0.2 (28-Feb-2017)
Cisco TelePresence System 500-32 | CSCvb48686 | 1.0.2 (28-Feb-2017)
Cisco TelePresence System 500-37 | CSCvb48686 | 1.0.2 (28-Feb-2017)
Cisco TelePresence System EX Series | CSCvb51602 | TC7.3.7 (Fix Available Now); CE8.2.2 (Oct.2016)
Cisco TelePresence System TX1310 | CSCvb48686 | 1.0.2 (28-Feb-2017)
Cisco TelePresence TX9000 Series | CSCvb48686 | 1.0.2 (28-Feb-2017)
Cisco TelePresence Video Communication Server (VCS) | CSCvb48625 | X8.8.3 (24-Oct-2016)
Cisco Telepresence Integrator C Series | CSCvb51602 | TC7.3.7 (Fix available now); CE8.2.2 (Oct.2016)
Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS) | CSCvb48631 | 4.003(002) (Oct. 2016)
Cisco Video Surveillance 3000 Series IP Cameras | CSCvb48651 | 2.9 (16-Jan-2017)
Cisco Video Surveillance 4000 Series High-Definition IP Cameras | CSCvb48649 | 2.9 (16-Jan-2017)
Cisco Video Surveillance 4300E and 4500E High-Definition IP Cameras | CSCvb48650 | 2.9 (16-Jan-2017)
Cisco Video Surveillance 6000 Series IP Cameras | CSCvb48651 | 2.9 (16-Jan-2017)
Cisco Video Surveillance 7000 Series IP Cameras | CSCvb48651 | 2.9 (16-Jan-2017)
Cisco Video Surveillance Media Server | CSCvb48653 | VSM 7.9 (16-Dec-2016)
Cisco Video Surveillance PTZ IP Cameras | CSCvb48651 | 2.9 (16-Jan-2017)
Cisco Videoscape AnyRes Live | CSCvb48677 | CAL 9.7.2 (Oct. 2016)
Cisco Videoscape Control Suite | CSCvb48629 |
Tandberg Codian ISDN Gateway 3210, 3220, and 3240 | CSCvb48611 | 2.2(1.122) (31-March-2017)
Tandberg Codian MSE 8320 | CSCvb48611 | 2.2(1.122) (31-March-2017)
Wireless
Cisco 5760 Wireless LAN Controller | CSCvd82146 | No fix is expected.
Cisco Aironet 1040 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 1130 AG Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 1140 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 1200 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 1530 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 1550 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 1570 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 1600 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 1700 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 2600 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 2700 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 3500 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 3600 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 3700 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 700 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Aironet 700W Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Industrial Wireless 3700 Series | CSCvb48583 | 16.4 (20-Oct-2016); 16.3 (20-Oct-2016); 16.2 (25-Oct-2016); 16.1 (25-Oct-2016); 15.5(3) (25-Oct-2016)
Cisco Mobility Services Engine | CSCvb48592 | 8.0.150.0 (31-Dec-2016)
Cisco Wireless LAN Controller | CSCvb48603 | 8.4 (Feb. 2017); 8.3 (Feb. 2017)
Cisco Hosted Services
Cisco Cloud Web Security | CSCvb48668 |
Cisco Network Performance Analysis | CSCvb48682 | Affected versions will be fixed (28-Oct-2016)
Cisco Partner Support Service 1.x | CSCvb48641 | No fix is expected.
Cisco Proactive Network Operations Center | CSCvb48523 | No fix is expected.
Cisco Registered Envelope Service | CSCvb48531 | Affected services have been updated.
Cisco Services Provisioning Platform | CSCvb48730 | SFP1.1 (26-Oct-2016)
Cisco Smart Care | CSCvb48639 | No fix is expected.
Cisco Universal Small Cell 5000 Series - Running Release 3.4.2.x | CSCvb48676 | 3.5.12.23 (31-Jan-2017)
Cisco Universal Small Cell 7000 Series - Running Release 3.4.2.x | CSCvb48676 | 3.5.12.23 (31-Jan-2017)
Cisco Universal Small Cell CloudBase Factory Recovery Root Filesystem - Releases 2.99.4 and later | CSCvb48674 | 3.17.3 (30-Nov-2016)
Cisco Universal Small Cell Iuh | CSCvb48675 | 3.17.3 (30-Nov-2016)
Cisco WebEx Centers - Meeting Center, Training Center, Event Center, Support Center | CSCvb48555 | T32 (15-Nov-2016)
Cisco WebEx Meeting Center | CSCvb48556 | WebEx11 v1.3.26 (31-Dec-2016)
Cisco WebEx Messenger Service | CSCvb48551 | Affected versions have been updated.
Network Health Framework | CSCvb48681 | Affected versions will be fixed (28-Oct-2016)
Services Analytics Platform | CSCvb48526 | The deployment will be updated during the second quarter of 2017.
Products Confirmed Not Vulnerable
Network Management and Provisioning
- Cisco Configuration Professional
- Cisco Prime Home
- Cisco Prime Network Registrar IP Address Manager (IPAM)
Routing and Switching - Enterprise and Service Provider
- Cisco Broadband Access Center for Telco and Wireless
Cisco Hosted Services
- Cisco ONE Portal
-
The associated Common Vulnerabilities and Exposures (CVE) IDs for the vulnerabilities that were disclosed on September 22, 2016, and September 26, 2016, in the OpenSSL Software Foundation security advisories are as follows:
- CVE-2016-2177
- CVE-2016-2178
- CVE-2016-2179
- CVE-2016-2180
- CVE-2016-2181
- CVE-2016-2182
- CVE-2016-2183
- CVE-2016-6302
- CVE-2016-6303
- CVE-2016-6304
- CVE-2016-6305
- CVE-2016-6306
- CVE-2016-6307
- CVE-2016-6308
- CVE-2016-6309
- CVE-2016-7052
Additional Details
OpenSSL OCSP Stapling Status Request Memory Exhaustion Vulnerability
A vulnerability in the Online Certificate Status Protocol (OCSP) stapling implementation of OpenSSL could allow an unauthenticated, remote attacker to keep consuming memory on the targeted system. The vulnerability is due to the implementation of the OCSP Status Request SSL/TLS extension.
An attacker could exploit this vulnerability by establishing an SSL/TLS session to the targeted system and iteratively performing renegotiation, sending an OCSP Status Request each time. An exploit could allow the attacker to indefinitely keep increasing the memory allocated to the process that is running the vulnerable OpenSSL code.
This vulnerability has been assigned the following CVE ID: CVE-2016-6304.
OpenSSL 3DES CBC Mode Information Disclosure Vulnerability
A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to access sensitive information.
The vulnerability is due to a cipher block collision that may occur during an encrypted session where OpenSSL uses a 64-bit block cipher, such as 3DES Cipher Block Chaining (CBC) mode. An attacker who is able to capture nearly a terabyte of network traffic could exploit this vulnerability to monitor a cipher block collision, which could be leveraged to decrypt data in transit and gain access to sensitive information. A successful exploit could be leveraged to conduct further attacks.
This vulnerability has been assigned the following CVE ID: CVE-2016-2183.
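To help determine exposure to CVE-2016-2183, the following added example (not part of the Cisco advisory and not Cisco or OpenSSL code) flags cipher suites that use a 64-bit block cipher and shows why block size is the deciding factor by estimating colliding ciphertext blocks for a given traffic volume. The function names, the token set of cipher families, and the sample suite list are assumptions made for this illustration.

```python
"""Exposure check for CVE-2016-2183 (SWEET32): flag TLS cipher suites that use
a 64-bit block cipher, and estimate block collisions for a traffic volume."""
import re
import ssl

# Cipher families with a 64-bit block (assumed set for this example).
# Names are matched as whole tokens, so "AES" can never match "DES".
SMALL_BLOCK_TOKENS = {"3DES", "DES", "DES40", "IDEA", "RC2"}

# Constructed sample: a mix of OpenSSL-style and IANA-style suite names.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "DES-CBC3-SHA",                    # 3DES, OpenSSL name
    "ECDHE-RSA-DES-CBC3-SHA",          # 3DES, OpenSSL name
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",   # 3DES, IANA name
    "TLS_AES_128_GCM_SHA256",
    "IDEA-CBC-SHA",
    "RC4-SHA",                         # stream cipher: weak, but not this issue
]


def uses_64bit_block(suite_name: str) -> bool:
    """True if the suite name contains a 64-bit block cipher token."""
    tokens = re.split(r"[-_]", suite_name.upper())
    return any(token in SMALL_BLOCK_TOKENS for token in tokens)


def audit_cipher_list(suites):
    """Split suite names into (flagged, acceptable), preserving order."""
    flagged = [s for s in suites if uses_64bit_block(s)]
    acceptable = [s for s in suites if not uses_64bit_block(s)]
    return flagged, acceptable


def expected_collisions(bytes_encrypted: int, block_bits: int) -> float:
    """Expected number of colliding ciphertext-block pairs under one key.

    Birthday estimate: n blocks of b bits yield about n(n-1)/2^(b+1) pairs.
    """
    n = bytes_encrypted // (block_bits // 8)
    return n * (n - 1) / 2 ** (block_bits + 1)


def local_small_block_suites():
    """64-bit block suites the local OpenSSL build still offers (build-dependent)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL:COMPLEMENTOFALL")
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if uses_64bit_block(c["name"])]


if __name__ == "__main__":
    flagged, acceptable = audit_cipher_list(SAMPLE_SUITES)
    print("64-bit block suites in sample:", flagged)
    print("64-bit block suites in local OpenSSL build:", local_small_block_suites())
    one_tb = 10 ** 12  # the advisory's "nearly a terabyte", rounded up
    for bits in (64, 128):
        print(f"{bits}-bit block, 1 TB under one key: "
              f"{expected_collisions(one_tb, bits):.3g} expected colliding pairs")
```

Run against a device's configured or negotiated cipher list, `audit_cipher_list` shows which entries fall in scope of this CVE; `local_small_block_suites` depends on how the local OpenSSL library was built and may return an empty list.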
Vulnerabilities Not Applicable to Cisco Products
The vulnerabilities identified by the following CVE IDs exclusively affect the recently released OpenSSL versions that are part of the 1.1.0 release series, which has not yet been integrated into any Cisco product:
- CVE-2016-6305
- CVE-2016-6307
- CVE-2016-6308
- CVE-2016-6309
- CVE-2016-7052
For details about the remainder of the vulnerabilities, please refer to the security advisories published by the OpenSSL Software Foundation:
-
There are no workarounds that address these vulnerabilities.
-
Updates for affected software releases will be published when they are available and information about those updates will be documented in Cisco bugs, which are accessible from the Cisco Bug Search Tool.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
-
These vulnerabilities were publicly disclosed by the OpenSSL Software Foundation on September 22, 2016, and September 26, 2016.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version | Description | Section | Status | Date
1.18 | Updated the fixed release information for Cisco SMA to reflect the SMA version that was fixed. | Vulnerable Products | Final | 2018-December-27
1.17 | Updated the fixed release information for Cisco ESA to convey that the fixes were not integrated in any 10.x release. | Vulnerable Products | Final | 2018-December-19
1.16 | Updated the fixed release information. | Vulnerable Products | Final | 2017-September-15
1.15 | Updated the list of vulnerable products. | Vulnerable Products | Final | 2017-April-24
1.14 | Updated the fixed release information for Cisco ESA. | Vulnerable Products | Final | 2017-April-21
1.13 | Updated the lists of products under investigation and vulnerable products. | Affected Products, Vulnerable Products | Final | 2017-February-03
1.12 | Updated the list of vulnerable products. | Vulnerable Products | Interim | 2016-November-16
1.11 | Updated the lists of products under investigation and vulnerable products. | Affected Products, Vulnerable Products | Interim | 2016-October-28
1.10 | Updated the lists of products under investigation and vulnerable products. | Affected Products, Vulnerable Products | Interim | 2016-October-26
1.9 | Updated the lists of products under investigation and vulnerable products. | Affected Products, Vulnerable Products | Interim | 2016-October-19
1.8 | Updated the lists of products under investigation and vulnerable products. | Affected Products, Vulnerable Products | Interim | 2016-October-14
1.7 | Updated the lists of products under investigation and vulnerable products. | Affected Products, Vulnerable Products | Interim | 2016-October-12
1.6 | Updated the lists of products under investigation and vulnerable products. | Affected Products, Vulnerable Products | Interim | 2016-October-07
1.5 | Updated the lists of products under investigation, vulnerable, and not vulnerable. | Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable | Interim | 2016-October-05
1.4 | Updated the lists of products under investigation, vulnerable, and not vulnerable. | Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable | Interim | 2016-October-03
1.3 | Updated the lists of products under investigation and vulnerable products. | Affected Products, Vulnerable Products | Interim | 2016-September-30
1.2 | Updated the lists of products under investigation and vulnerable products. | Affected Products, Vulnerable Products | Interim | 2016-September-29
1.1 | Updated the lists of products under investigation, vulnerable, and not vulnerable. | Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable | Interim | 2016-September-28
1.0 | Initial public release. | — | Interim | 2016-September-27
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.