Is there a way to determine which nginx version is used with which APIC release?

tuanquangnguyen
Level 1

Hi folks,

Recently we had a pentest team come in with a few nginx vulnerabilities found on Cisco APIC.

I would like to ask:

  1. Is there any way to determine the running nginx version on the Cisco APIC?
  2. Would upgrading Cisco APIC (and in turn the fabric switches, because of recommendations) be guaranteed to fix the nginx vulnerabilities?

For point 2, since there are no such mapping documents, I cannot be sure whether upgrading the APIC is the best way to go.

4 Replies

Sergiu.Daniluk
VIP Alumni

Can you share the CVEs and the running version you have?

You might search them on Bug Search Tool and see if there are any related bugs linked to them. You will see there if any upgrades will resolve the problem.

 

Cheers,

Sergiu

Hi Sergiu,

 

The running code is 4.2(4i). CVE ID is CVE-2021-23017. I managed to find a result on Bug Search Tool but it doesn't show mitigation steps directly on APIC.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy99896

Last I checked we were using nginx 1.17.3 on ACI.  I've opened a discussion with Engineering to see if/when our next update for this service is scheduled.  This would require a software upgrade/patch but I'm looking into this.

Stay tuned.

Robert

Thanks Robert for the info.
