CSCuu83280 - Evaluation of OpenSSL - ASA 9.4(4)18

Daprafue_79
Level 1

We are using an ASA 5585 with version 9.4(4)18, but this version doesn't appear in either the affected or the fixed versions. Could anybody tell me if this version could be affected?

Thanks!!!

Accepted Solutions

Seb Rupik
VIP Alumni

Hi there,

Sadly you have to do a bit of sleuthing to work this out. The CVE relating to your bug:

https://nvd.nist.gov/vuln/detail/CVE-2015-1790

…mentions the OpenSSL versions vulnerable…

The open-source software document for 9.4(1):

https://www.cisco.com/c/dam/en/us/td/docs/security/asa/asa94/license/open-source/Cisco_ASA_Series_941.pdf

…states that it uses 1.0.1l, so this version is vulnerable.

The patch notes for 9.4(4)18 do not mention the original CVE, but do mention the following CVE as being fixed in 9.4(4)17:

https://nvd.nist.gov/vuln/detail/CVE-2017-3737

…which mentions OpenSSL 1.0.2b

So…we can infer that 9.4(4)18 is running a newer version of OpenSSL 1.0.2b and therefore is not vulnerable to CSCuu83280.

:)

Cheers,

Seb.
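The version comparison described in the answer above, as an added example that is not part of the original post or any Cisco tooling: it orders legacy OpenSSL letter releases correctly (`z` is followed by `za`, `zb`, …) and checks a bundled version against the per-branch fixed release. The `FIXED_IN` table is transcribed from the NVD description of CVE-2015-1790 and should be checked against the linked entry; the `example-release` inventory row is constructed.

```python
import re

# Fixed-in release per OpenSSL branch for CVE-2015-1790.
# Assumption: transcribed from the NVD entry linked in the answer; re-check it there.
FIXED_IN = {"0.9.8": "0.9.8zg", "1.0.0": "1.0.0s", "1.0.1": "1.0.1n", "1.0.2": "1.0.2b"}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse(version):
    """Split a legacy OpenSSL version such as '1.0.1l' into (branch, patch_key)."""
    m = _VERSION.match(version.strip().lower())
    if not m:
        raise ValueError(f"not a legacy OpenSSL version: {version!r}")
    major, minor, fix, patch = m.groups()
    # Patch letters run a..z, then za, zb, ...; a longer suffix is always newer,
    # so order on (length, text) instead of plain string comparison.
    return (int(major), int(minor), int(fix)), (len(patch), patch)


def is_affected(version, fixed_in=FIXED_IN):
    """True if older than its branch's fix, False if at or past it,
    None if the branch is not in the table (no verdict possible)."""
    branch, patch = parse(version)
    fixed = fixed_in.get(".".join(str(n) for n in branch))
    if fixed is None:
        return None
    return patch < parse(fixed)[1]


def assess(inventory, fixed_in=FIXED_IN):
    """Map each software release to a verdict for its bundled OpenSSL version."""
    return {release: is_affected(ossl, fixed_in) for release, ossl in inventory.items()}


if __name__ == "__main__":
    inventory = {
        "9.4(1)": "1.0.1l",            # from the open-source document cited in the answer
        "example-release": "1.0.2n",   # constructed row, not a real ASA mapping
    }
    for release, verdict in assess(inventory).items():
        print(release, "affected" if verdict else "not affected" if verdict is False else "unknown")
```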
