topic Re: PSIRT OpenVuln API: Versions not found in CSAF in Services Discussions

PSIRT OpenVuln API: Versions not found in CSAF

emanuele-disalvia — Tue, 28 May 2024 09:35:37 GMT

Hi,

I am using the PSIRT APIs to fetch data from IOS, IOS XE, IOS XR, and NX OS. Through the API, I retrieve the CSAF URL and download the associated JSON. However, there is some missing information regarding which versions are vulnerable to the relevant advisories.

Here are some examples:

This image represents the CSAF JSON file of cisco-sa-snmp-uwBXfqww. As you can see, the information about product versions is displayed. However, in some cases, the versions are not specified in the CSAF. Specifically, for IOS XR, none of the versions are displayed. Here’s an example of a CSAF JSON file for cisco-sa-iosxr-ipxe-sigbypass-pymfyqgB:

To achieve what I want, I actually need those versions. So my question is: If I encounter cases where these versions are missing, how should I handle them? Should it be interpreted as "All versions of this family are affected"?

Thank you

Emanuele Di Salvia

Re: PSIRT OpenVuln API: Versions not found in CSAF

Torbjørn — Tue, 28 May 2024 11:08:01 GMT

Hi @emanuele-disalvia,

The "versions affected" data seems to be provided by Cisco Software Checker, which currently only supports checking versions of the following OSes: ASA, FMC, FTD, FXOS, IOS, IOS XE, NX-OS. AFAIK there is no other API that will give you the same information for IOS XR.

How to handle this comes down to your specific application/program. I believe you will either have to interpret it as "all versions are affected", or you will have to either display/parse the "Fixed releases" potion of each IOS XR advisory.

Re: PSIRT OpenVuln API: Versions not found in CSAF

PR Oxman — Tue, 28 May 2024 21:50:53 GMT

Hello,

Today it is fair to say that Cisco only populates the affected version information in CSAF for products that are supported by Software Checker - IOS, IOS-XE, Cisco ASA, FMC, FTD, FXOS, IOS, IOS XE, NX-OS and NX-OS in ACI Mode.

For all other products the CSAF product tree only indicates the affected product. The affected and fixed releases are typically presented in a table in the Fixed Software portion of the advisory. So if you have a product family with no product versions you need to flag for manual inspection of the advisory/CSAF.

Cisco are considering opening this up for all products (no timeframe), but for all other products it would be a snapshot only at the time of publication, rather than a dynamically updated CSAF.

Thanks.

Re: PSIRT OpenVuln API: Versions not found in CSAF

louis-yu — Mon, 06 Jan 2025 10:01:38 GMT

Hi @Torbjørn

This image represents the CSAF JSON file of cisco-sa-20180620-n3k-n9k-clisnmp.

As you mentioned that NX-OS is supported by software checker but there's no version displayed in the CSAF file.

Should this be parsed as "all versions of NX-OS are affected"?

Regards,

Louis

Re: PSIRT OpenVuln API: Versions not found in CSAF

Torbjørn — Mon, 06 Jan 2025 12:49:45 GMT

Hi @louis-yu,

As far as I can see the software versions should've been filled out for this advisory. I am not sure why it isn't, is this something you have any insight into @PR Oxman?

Depending on the nature your application you either need to interpret this as "all releases", display the fixed releases portion of the advisory or parse this data from the notes section somehow.

Re: PSIRT OpenVuln API: Versions not found in CSAF

louis-yu — Tue, 07 Jan 2025 03:20:00 GMT

Hi @PR Oxman

As you mentioned that only OS that supported in softeware checker(e.g. IOS, IOS-XE, Cisco ASA, FMC, FTD, FXOS, IOS, IOS XE, NX-OS and NX-OS in ACI Mode) will display affected version number in csaf json file.

I notice that there are some do support in checker but didn't display version number as it should be.

Ex:

cisco-sa-http2-reset-d8Kf32vZ

No 'NX-OS' version number displayed

cisco-sa-20190513-secureboot

No 'aci' version number displayed

We currently working on a project that can automatically fectch fix patch versions based on affected os name and versions in the advisory.

Any suggestions will be welcome.

Regards,

Louis

Re: PSIRT OpenVuln API: Versions not found in CSAF

PR Oxman — Sun, 12 Jan 2025 23:07:05 GMT

Posting Michaels response for the wider audience:

Hi Louis,

Thanks for contacting the Cisco PSIRT.

The first advisory you are referencing below (cisco-sa-http2-reset-d8Kf32vZ) is an advisory for a security vulnerability in a third-party software (TPS) component used by multiple Cisco products. For this type of advisories the first fixed releases information is available only in the table of the textual (HTML) version of the advisory and the per-product bug IDs that are referenced both in the HTML version and also the CSAF (JSON) version.

The second advisory you referenced below (cisco-sa-ios-nxos-xr-udld-dos-W5hGHgtQ) is from 2021. At that time, the Cisco Software Checker did not yet support FXOS (which is why the HTML version of the advisory contains a table for FXOS first fixed releases rather than a pointer to the Cisco Software Checker tool). Cisco Software Checker Support for FXOS was only added late August 2022.

One of the first advisories that used Cisco Software Checker for FXOS was cisco-sa-nxos-cdp-dos-ce-wWvPucC9. In its CSAF/JSON version you will find FXOS version information.

I hope this helps. Let me know if you have further questions.

Thanks,

Michael