CSCva38556 / CVE ID CVE-2016-6461 Known Fixed Releases?

zshahabr1
Level 1

In the bug search page, below known fixed releases list can be seen. However, the current version that are available are nowhere near the version stated. Anyone can verify this? Thanks

Known Fixed Releases:
(7)
100.11(0.75)
100.15(0.137)
100.8(40.129)
96.2(0.95)
97.1(0.55)
97.1(12.7)
97.1(6.30)

cinexorone
Level 1

Can anyone tell what is the last release affected by this bug and if all previous versions are also affected?

thanks in advance

Upon research I found that all available versions <=9.1(7.11) are affected since the fix will be on 9.1(7.12) (to be released in December).

Can you document this? If not, I cannot present it to my boss as reasoning.

Difan Zhao
Level 5

I have the same question. Those "fixed" versions don't make sense to me. I am running 9.2(3). Is this one affected? Thanks

Bingo.. I have the same issue.. We run different versions of code and there is nothing stating if any of the 9.2 or .3 or .4 code is vulnerable.

I have to deal with this every month, I wish Cisco would make it easier for us to know what security vulnerabilities are discovered and what code is affected. 

Our rules state we have 35 days from the day the CVE is released to evaluate if we are affected.  Kind of hard to meet that expectation if you don't have the information.

The IOS Checker tool would be great if they would expand it to include all low vulnerabilities and to include the firewall code versions. 

gduvall
Level 1

Secure Works regurgitated this bug to us with an indication they were going to be updating our firewalls to 9.1(7)12 even though we are already running 9.4(3)11.

I can't make heads or tails of this release OR the fixed releases and plan on doing nothing until someone corrects this bungled mess.

Yup. We got exactly the same notice from Secure Works.

lewislampkin
Level 1

Update: 

9.5(3)6 was released on the 13th of December, it contains the fix for Bug CSCva38556, for the -x series models of the ASA:

http://www.cisco.com/web/software/280775065/135839/ASA-953-Interim-Release-Notes.html

(So, like others, I am confused why this version wasn't listed as "affected" by the bug, if it is going to receive the "fix" for the bug. )

I re-checked the bug to be sure, on 12/15/2016 (today), and it only lists 9.1(6)10 as a known affected release. (If so, then why is 9.5(3) receiving a "fix"?)

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva38556

lewislampkin
Level 1

Update: 9.1(7)12 was released on 12/21/2016.

It resolves the issue for the X-series as well as the older series devices.

Revision:  Version 9.1(7)12 – 12/21/2016

Files:  asa917-12-smp-k8.bin, asa917-12-k8.bin

Defects resolved since 9.1(7)11:

CSCva38556

Cisco ASA Input Validation File Injection Vulnerability

http://www.cisco.com/web/software/280775065/131523/ASA-917-Interim-Release-Notes.html

Description: Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.
Release: 9.1.7 Interim
Release Date: 21/Dec/2016
File Name: asa917-12-k8.bin
Size: 26.42 MB (27703296 bytes)
MD5 Checksum: 83cb9af376e5016fbcf8023c5c867335
SHA512 Checksum:
50b892a4ae28d9c099c67210d4e5d0ff1dc1ee7534c7853111dcb3ee20d3c5f317d29097edf6b4d36139226738009b0760d6c391a182fb8bd4ca20010e9b1ad3

Description: Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.
Release: 9.1.7 Interim
Release Date: 21/Dec/2016
File Name: asa917-12-smp-k8.bin
Size: 36.84 MB (38633472 bytes)
MD5 Checksum: aa279845c795d9ec728577405f44a744
SHA512 Checksum:
ed1bf84e8b7df2383c61a86e184aaa741b18a901895e794902d0eb770acf0f7d7187309d18955f3a243c1d572867308481f79b966579e713f52ff1381450707f

Hope this helps. :/
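Since the thread keeps coming back to whether a given running version is covered by one of the listed fixes, here is an added helper (my own example, not code from any poster or from Cisco) that parses ASA-style version strings and compares a running version only against fixed releases in its own major.minor train, reporting "unknown" when that train has no fix listed. The field layout of the version string is an assumption based on the strings quoted in this thread, and the fixed-release list is copied from the thread.

```python
import re
from typing import NamedTuple

# ASA-style version string: major.minor(maintenance[.sub])[interim]
# e.g. 9.1(7)12, 9.2(3), 100.11(0.75). This field layout is an assumption
# made for the example, inferred from the strings quoted in the thread.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?$")


class AsaVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    sub: int
    interim: int

    @property
    def train(self):
        # A "train" here means the major.minor line, e.g. 9.1 or 9.5.
        return (self.major, self.minor)


def parse_version(text: str) -> AsaVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    # Missing optional fields (sub, interim) count as 0 for ordering.
    return AsaVersion(*(int(g) if g else 0 for g in m.groups()))


# Fixed releases quoted in this thread: the seven from the bug page plus
# the two interim builds later reported as carrying the fix.
FIXED_RELEASES = [
    "100.11(0.75)", "100.15(0.137)", "100.8(40.129)", "96.2(0.95)",
    "97.1(0.55)", "97.1(12.7)", "97.1(6.30)", "9.1(7)12", "9.5(3)6",
]


def fix_status(running: str, fixed=FIXED_RELEASES) -> str:
    """Compare a running version against fixed releases in its own train.

    A fix in a different train says nothing about this one, which is the
    gap the thread complains about, so that case is reported as unknown.
    """
    cur = parse_version(running)
    same_train = sorted((parse_version(f), f) for f in fixed
                        if parse_version(f).train == cur.train)
    if not same_train:
        return "unknown: no fixed release listed for train %d.%d" % cur.train
    first_fix, label = same_train[0]
    if cur >= first_fix:
        return f"fixed: {running} is at or above {label}"
    return f"below fix: {running} is below {label}; treat as unfixed"
```

Running `fix_status("9.2(3)")` or `fix_status("9.4(3)11")` gives "unknown", which is the situation Difan Zhao and gduvall describe: the listed fixes simply say nothing about those trains.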

Thanks Lewis, (lewislampkin)

That's great, but what about all of the other 9.x code versions for the ASA X model appliances?

It's EXTREMELY difficult to justify going to a zero day upgrade, especially if it's more than a slight minor upgrade. 9.1(7)11 to 9.1(7)12 upgrade is easy... 9.2(4) to 9.5(3)6 is a pretty good jump in terms of the number of potential bugs introduced.

Please elaborate on all of the currently recommended version levels of 9.x code for the X firewalls.

Thanks

Jeff

Jeff:

Good morning.

You are requesting more than I can deliver at this time.

I'm not a Cisco employee, contractor, or insider. I am just another member of these forums who is just as curious about this bug and curious about the proper bug fixes as you are. I am not privy to any additional information on this issue.

With regards to your recent request:

"That's great, but what about all of the other 9.x code versions for the ASA X model appliances? ...Please elaborate on all of the currently recommended version levels of 9.x code for the X firewalls."

Based on the fact that I am not a Cisco employee, contractor, or insider, I'm definitely not in a position to recommend any particular software version. I apologize, but I do not have the information that you are requesting, and I don't know anyone who might provide it. (It would be nice if a Cisco employee came into this thread and straightened out all the confusion.)

Unfortunately, as poster gduvall stated, this is a "bungled mess".

If I was in charge, I would include two things to make bug info great again:

(1) Complete list of affected code versions

(2) Release dates for all suggested upgrades. 

This way, customers like us could plan properly, as to whether they want to wait for that certain version, or go through the upgrade risk to an alternative image, or in more extreme cases, discontinue usage of said product. For example, if I'm running 9.2, but the upgrade for 9.2 won't be out until April of 2017, maybe I would consider doing the upgrade to 9.5.

Oh sorry, for some reason I thought you were a Cisco employee....  my apologies.

Anyone know how to tag Cisco to weigh in here?