topic Re: Missing <firstFixed> value IOS Checker (openVulnAPI) in Services Discussions

Missing value IOS Checker (openVulnAPI)

jennifer.hakel — Tue, 07 Feb 2017 12:01:08 GMT

Hi everyone,

First of all, thanks for integrating the IOS Checker and the possibility to obtain adivsories by product Makes everything so much easier to handle.

I'am working on integrating the IOSChecker into some scripts.

While running some tests I noticed that the <firstFixed> value is missing for all 12.2(33) IOS Versions.

Subversions of 12.2(14) and 12.2(118) had the firstFixed value.

I checked some of the subversions of the 12.2(33) IOS Version with the IOS Checker website and the results there showed

the FirstFixed value.

Any ideas why this happens?

Thanks

Jennifer

Re: Missing value IOS Checker (openVulnAPI)

Omar Santos — Thu, 09 Feb 2017 21:10:55 GMT

Hi Jennifer,

It looks like IOS release 12.2(33) was never released and/or it was deferred. We are looking into this, but we checked and no advisories do affect that "release".

Regards,

Omar

Re: Missing value IOS Checker (openVulnAPI)

juagonza — Thu, 09 Feb 2017 23:48:53 GMT

Hi Jennifer,

First, thank you for your interest in Cisco tools,

I did some digging. I went all the way to information from 2004, and I did not find traces of a 12.2(33) release,

that is, in the old-style 12.2 mainline train (back when mainline trains had no "M"). Anyway I will remove that release.

Now, overall 12.2 is pretty old. There was a numeric 33 on other trains, for example 12.2(33)SRE12, that release was published two years ago and has a number of vulnerabilities and their first fixed releases.

We regularly do a number of manual verifications on the data that is provided, but the assumption is that customers need to know information about trains that have not reached the end-of-support milestone. For 12.2 that milestone was reached some time ago.

Going back to your testing, I think it would be best to focus on 15.0 and up.

Hope this helps!

Reference:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-software-release-12-2/prod_end-of-life_notice0900aecd80330813.html

Juan-Manuel

Re: Missing value IOS Checker (openVulnAPI)

jennifer.hakel — Fri, 10 Feb 2017 06:56:34 GMT

Hi ,

I think my wording was a little confusing (Sorry for that). I wasn't looking for a 12.2(33) version/release.

I first noticed the missing value while running some tests with the 12.2(33)SXI9 release. After that I checked all trains(I think thats the right term) that start with 12.2(33).

Jennifer

Re: Missing value IOS Checker (openVulnAPI)

Omar Santos — Sat, 11 Feb 2017 20:00:37 GMT

Thank you for the clarification and additional details Jennifer!

The reason that you are seeing this is because there is no first fixed release/recommended release for some of the advisories that affect that release. In the IOS Software checker you will also see the following:

"Contact your support organization for upgrade instructions that address vulnerabilities in all specified advisories."

Re: Missing value IOS Checker (openVulnAPI)

jennifer.hakel — Mon, 13 Feb 2017 07:13:22 GMT

Hi Omar,

Thanks for your quick response I'm still a little confused about the results I'm getting back from the API and the IOS Checker. Because the results are different.

<advisory>

<advisoryId>cisco-sa-20150722-tftp</advisoryId><advisoryTitle>Cisco IOS Software TFTP Server Denial of Service Vulnerability
</advisoryTitle>
<bugIDs><bugID>CSCts66733</bugID>
</bugIDs>
<cves><cve>CVE-2015-0681</cve>
</cves>
<cvrfUrl>https://tools.cisco.com/security/center/contentxml/CiscoSecurityAdvisory/cisco-sa-20150722-tftp/cvrf/cisco-sa-20150722-tftp_cvrf.xml
</cvrfUrl>
<cvssBaseScore>7.1</cvssBaseScore>
<cwes><cwe>CWE-399</cwe>
</cwes>
<firstFixed/>
<firstPublished>2015-07-22T16:00:00-0500</firstPublished>
<iosRelease>12.2(33)SXJ2</iosRelease>
<lastUpdated>2015-07-22T16:00:00-0500</lastUpdated>
<ovalUrl>NA</ovalUrl>

This is a part of the xml file I get from the API when looking for the 12.2(33)SXI9. It's the third advisory from the picture of the IOS Software Checker you posted. 
Correct me if I'm wrong, but shouldn't the first fixed value here be 12.2(33)SXJ2? 
Jennifer