https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3858961#M26660 <P>&nbsp;are there any extra commands needed to be done after the upgrade ?</P><P>&nbsp;</P><P>Thanks for your concern Haydn&nbsp;</P> Sun, 19 May 2019 14:29:43 GMT Amr_Elsherif 2019-05-19T14:29:43Z https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3858779#M26657 <P>wlc 5508 running version&nbsp;&nbsp;8.2.170.0 shows the below vulnerabilities, how can these be mitigated?&nbsp;</P><P>&nbsp;</P><P>SSL Certificate Signed Using Weak Hashing Algorithm<BR />SSH Weak Algorithms Supported<BR />SSH Server CBC Mode Ciphers Enabled<BR />SSH Weak MAC Algorithms Enabled<BR />SSL Certificate Chain Contains RSA Keys Less Than 2048 bits</P> Mon, 05 Jul 2021 17:25:49 GMT https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3858779#M26657 Amr_Elsherif 2021-07-05T17:25:49Z https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3858788#M26658 <P>How to mitigate them would be an upgrade.</P><P>The version to upgrade to would have been advised in the security advisory notice that the vulnerability was announced in or the release notes for the version you are upgrading to.</P><P>&nbsp;</P><P>As most of these are SSL and SSH vulnerabilities also recommend ACL/ FW rules to only allow these protocols from known sources.</P><P>&nbsp;</P><P>When considering an upgrade here are two good links to review:</P><P><A href="https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html</A></P><P><A href="https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html</A></P> Sat, 18 May 2019 16:26:52 GMT https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3858788#M26658 Haydn Andrews 2019-05-18T16:26:52Z https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3858960#M26659 <P>&nbsp;are there any extra commands needed to be done after the upgrade ?</P><P>&nbsp;</P><P>Thanks for your concern Haydn&nbsp;</P> Sun, 19 May 2019 14:29:00 GMT https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3858960#M26659 Amr_Elsherif 2019-05-19T14:29:00Z https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3858961#M26660 <P>&nbsp;are there any extra commands needed to be done after the upgrade ?</P><P>&nbsp;</P><P>Thanks for your concern Haydn&nbsp;</P> Sun, 19 May 2019 14:29:43 GMT https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3858961#M26660 Amr_Elsherif 2019-05-19T14:29:43Z https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3859059#M26661 <P>You can run one of the following commands should you want to verify security strength after the upgrade:</P><P>&nbsp;</P><P><FONT face="courier new,courier" size="2">(Cisco Controller) &gt;show certificate? </FONT><BR /><BR /><FONT face="courier new,courier" size="2">all Display all installed certificate details</FONT><BR /><FONT face="courier new,courier" size="2">compatibility Enable compatibility mode for inter-switch ipsec</FONT><BR /><FONT face="courier new,courier" size="2">eap Display EAP cert. details</FONT><BR /><FONT face="courier new,courier" size="2">ipsec Display IPSec cert. details</FONT><BR /><FONT face="courier new,courier" size="2">lsc Display Locally Significant Certificate (LSC)</FONT><BR /><FONT face="courier new,courier" size="2">ssc Display Self Signed Device Certificate (SSC)</FONT><BR /><FONT face="courier new,courier" size="2">summary Display SSL certificates</FONT><BR /><FONT face="courier new,courier" size="2">webadmin Display Web Administration cert. details</FONT><BR /><FONT face="courier new,courier" size="2">webauth Display Web Authentication cert. details</FONT></P><P>&nbsp;</P><P>&nbsp;</P><P><FONT face="courier new,courier" size="2">&lt;&lt;&lt; Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue &gt;&gt;&gt;</FONT></P> Mon, 20 May 2019 00:41:04 GMT https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3859059#M26661 Jurgens L 2019-05-20T00:41:04Z https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3859201#M26662 The option you want is named "Cipher-Option High", which would mitigate most of those points. Not sure which software release has added it though. <BR />For compatibility reasons some old variants will also stay enabled! So not all points will disappear in a scan. Mon, 20 May 2019 08:42:21 GMT https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3859201#M26662 patoberli 2019-05-20T08:42:21Z https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3859713#M26663 Upgrade the firmware of the controller. Mon, 20 May 2019 21:21:19 GMT https://community.cisco.com/t5/wireless/cisco-5508-controllers-vulnerabilities/m-p/3859713#M26663 Leo Laohoo 2019-05-20T21:21:19Z