3alee
Beginner

CSCvd48893 - Cisco IOS and IOS XE Software CMP Remote Code Execution Vulnerability - CSCvd48893

Hello all, please refer to the captioned bug note; it shows the known affected release is 15.0(2)SE10 only.

However, according to the advisory,

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp

when I use the IOS checker to check other releases (e.g. 15.0(2)SE8, 15.0(2)SE4, etc.), it says the release I entered is also affected by the captioned vulnerability.

So, which one is true?  Thanks!

1 REPLY 1
FNet
Beginner

Hi,

 

I was told by Cisco TAC that the software checker is "the law" and the bug check articles are the initial findings based on opened cases.  

 

The security advisory you linked shows a revision history (towards the bottom) that seems to be kept up to date long after the bug is discovered and that references the software checker. The software checker is updated by PSIRT, is what I was told, and not the bug articles or advisories (other than the revision history).

 

Hope this helps.