https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474466#M921849 <P>I am running 4.5.0, it is vulnerable because I have scanned it and tested it. I see version 4.6.0 has just popped up on cisco.com. Anyone confirm if that fixes the bug?</P> Wed, 16 Apr 2014 04:43:29 GMT Network Operation 2014-04-16T04:43:29Z https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474463#M921844 <P>Dear All,</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; We have CSM 4.4.0 SP2 patch 1 installed with no default configuration.</P><P>According to cisco, CSM is under&nbsp;Vulnerable Products list with cisco bug ID&nbsp;CSCuo19265.&nbsp;</P><P>Do I need to take any action for my CSM ?</P><P>Thanks &amp; Regards</P><P>Ahmed...</P> Fri, 21 Feb 2020 13:09:38 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474463#M921844 ahmed.gadi 2020-02-21T13:09:38Z https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474464#M921846 <P>I recommend that you restrict HTTPS access to the CSM server to the few clients that actually need access to it, until a fix has been released. That way you can at least restrict the amount of clients that could utilize this leak.</P> Tue, 15 Apr 2014 07:45:38 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474464#M921846 patoberli 2014-04-15T07:45:38Z https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474465#M921847 <P>Hi Ahmed,</P><P>CSM 4.4.0 SP2 patch 1 is not vulnerable to heartbleed. No action required for this specific version of CSM.</P><P>&nbsp;</P><P>Given below is list of CSM versions that are vulnerable:</P><P>CSM 4.5<BR />CSM 4.5 SP0 PP1<BR />CSM 4.5 SP0 PP2</P> Wed, 16 Apr 2014 04:37:47 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474465#M921847 kshiva 2014-04-16T04:37:47Z https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474466#M921849 <P>I am running 4.5.0, it is vulnerable because I have scanned it and tested it. I see version 4.6.0 has just popped up on cisco.com. Anyone confirm if that fixes the bug?</P> Wed, 16 Apr 2014 04:43:29 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474466#M921849 Network Operation 2014-04-16T04:43:29Z https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474467#M921851 <P>CSM 4.6 has the fix and not vulnerable.</P> Wed, 16 Apr 2014 04:56:07 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474467#M921851 kshiva 2014-04-16T04:56:07Z https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474468#M921852 <P>Im not sure if that's true. the release notes don't state anything about fixing that big. and also looking at the opensource licenses PDF for 4.6.0 it states OpenSSL version: 1.0.1e (which is the same version as 4.5.0 and all versions 1a through 1f are vulnerable).</P><P>&nbsp;</P><P>I would find it very odd they didn't fix it considering it was released just yesterday.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 16 Apr 2014 05:00:29 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474468#M921852 ryancisco01 2014-04-16T05:00:29Z https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474469#M921853 <P>Will follow up and update the documentation with correct OpenSSL Version 1.0.1g. Heartbleed vulnerability is addressed in CSM 4.6</P> Wed, 16 Apr 2014 05:08:00 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474469#M921853 kshiva 2014-04-16T05:08:00Z https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474470#M921854 <P>Great thanks for confirmation.</P> Wed, 16 Apr 2014 05:40:57 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474470#M921854 ryancisco01 2014-04-16T05:40:57Z https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474471#M921855 <P>Many thanks&nbsp;</P> Wed, 16 Apr 2014 09:27:56 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474471#M921855 ahmed.gadi 2014-04-16T09:27:56Z https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474472#M921856 <P>When will the patch to resolve heartbleed issue in csm 4.5 be out??</P> Wed, 16 Apr 2014 13:51:55 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474472#M921856 Tan Stanley 2014-04-16T13:51:55Z https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474473#M921857 <P>CSM 4.5 CP3 is out and it fixes the heartbleed vulnerability.</P><P>Request CSM450_SP0_CP3_bundle.zip from TAC</P> Mon, 21 Apr 2014 03:56:10 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-is-vulnerable-to-cve-2014-0160-aka/m-p/2474473#M921857 dbrockus 2014-04-21T03:56:10Z