Difference between iosRelease and firstFixed using the iosversion call

Infosim — Thu, 09 Mar 2017 10:12:03 GMT

Hey,

I've tried the new API call which integrates the IOS software checker to get all adivsories for specific versions (using json as output format) and wondered what does the attribute 'iosRelease' contain? I thought 'firstFixed' contains the fixes, but this seems wrong - at least sometimes. Let's take IOS 12.2(14)S as an example and send the call. The result contains following advisory:

"advisoryId": "cisco-sa-20150325-tcpleak",

"sir": "High",

"firstPublished": "2015-03-25T16:00:00-0500",

"lastUpdated": "2016-01-14T17:24:39-0600",

"iosRelease": "12.2(33)SRE13",

"firstFixed": "12.2(33)SRE15",

"cves": [

"CVE-2015-0646"

"bugIDs": [

"CSCum94811"

"cvssBaseScore": "7.8",

"advisoryTitle": "Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability",

"publicationUrl": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-tcpleak",

"cwe": [

"CWE-399"

]

If you use the web app version of IOS software checker it says that 12.2(33)SRE13 is the first fixed version, but this version is listed under 'iosRelease' in the json output.

Another example for the same version is following advisory:

"advisoryId": "cisco-sa-20070228-nam",

"sir": "Critical",

"firstPublished": "2007-02-28T16:00:00-0600",

"lastUpdated": "2007-02-28T16:00:00-0600",

"iosRelease": "12.2(14)S3,12.2(18)S13,12.2(20)S",

"firstFixed": "12.2(33)SRE15",

"cves": [

"CVE-2007-1257"

"bugIDs": [

"CSCsd75273",

"CSCse52951"

"cvssBaseScore": "10.0",

"advisoryTitle": "Cisco Catalyst 6000, 6500 Series and Cisco 7600 Series NAM (Network Analysis Module) Vulnerability",

"publicationUrl": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070228-nam",

"cwe": [

"NA"

"productNames": [

"NA"

]

First fixed version should be 12.2(33)SRE15 but if you take a look at the web version of the software checker it says that the fixed versions are 12.2(14)S3,12.2(18)S13,12.2(20)S which are the same versions listed in 'iosRelease' of the json output.

So does 'iosRelease' always contain the fix versions or it is just a bug?

Re: Difference between iosRelease and firstFixed using the iosversion call

Omar Santos — Fri, 10 Mar 2017 01:33:23 GMT

Hi Stefan,

Thank you for bringing this into our attention. We are currently investigating this, it seems like a bug in the API, but I will confirm shortly.

Thanks!

Omar

Re: Difference between iosRelease and firstFixed using the iosversion call

Omar Santos — Mon, 13 Mar 2017 20:35:24 GMT

Hi Stefan,

This has been corrected. Please try again and let me know if you run into any problems.

Regards,

Omar

Re: Difference between iosRelease and firstFixed using the iosversion call

Infosim — Tue, 14 Mar 2017 06:56:14 GMT

Hi Omar,

thanks for that information. Can you tell if this problem was just solved for the particular version IOS 12.2(14)S or if it is an "overall API bugfix"?

Regards

Re: Difference between iosRelease and firstFixed using the iosversion call

Omar Santos — Tue, 14 Mar 2017 11:25:23 GMT

It was an API fix.

Regards,

Omar

topic Difference between iosRelease and firstFixed using the iosversion call in Services Discussions

Difference between iosRelease and firstFixed using the iosversion call

Re: Difference between iosRelease and firstFixed using the iosversion call

Re: Difference between iosRelease and firstFixed using the iosversion call

Re: Difference between iosRelease and firstFixed using the iosversion call

Re: Difference between iosRelease and firstFixed using the iosversion call