Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1303
Views
0
Helpful
5
Replies

CSCwk61938 - ISE Evaluate OpenSSH CVE-2024-6387 "regreSSHion" - 3.3p3

Go to solution
Chris_Schubert
Level 1
Level 1

‎08-22-2024 09:08 AM

Cisco ISE 3.3 Patch 3 still reports as vulnerable.  I even tried installing the 3.2 hotfix to get this remediated, but without success.

We need a fix as we need to close this vulnerability.

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
marce1000
Hall of Fame
Hall of Fame
In response to Chris_Schubert

‎08-22-2024 11:06 AM

 

  - If security requirements are high then only using SSH when needed is currently the only option , indeed

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

0 Helpful

Go to solution
Chris_Schubert
Level 1
Level 1

‎08-27-2024 10:22 AM

Answer from Cisco TAC for Cisco ISE 3.3 with Patch 3
"The vulnerability is fixed on 3.3 patch 3. So, you should be good on version 3.3 patch 3. if the vulnerability scanner still flags ISE on 3.3 patch 3 is because it is using a variation of OpenSSH 9.1. But this modified version addresses the vulnerability. So you can safely discard the vulnerability scan."

View solution in original post

0 Helpful
5 Replies 5

Go to solution
marce1000
Hall of Fame
Hall of Fame

‎08-22-2024 10:10 AM

 

                    >....We need a fix as we need to close this vulnerability.
               Your only 'talking point' for that is TAC  , this group more discusses overall issues with bugs
  

 M/



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
Chris_Schubert
Level 1
Level 1
In response to marce1000

‎08-22-2024 10:31 AM

Got the TAC case, but 2 days without any update.  I was wondering if anyone else is going through this.

I think my best option to meet my company deadlines if I don't hear back is to turn off ssh, which is not a great option, but I'm not in a rush to install 3.4 on production servers as it was just released.

0 Helpful

Go to solution
marce1000
Hall of Fame
Hall of Fame
In response to Chris_Schubert

‎08-22-2024 11:06 AM

 

  - If security requirements are high then only using SSH when needed is currently the only option , indeed

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
Chris_Schubert
Level 1
Level 1

‎08-27-2024 10:22 AM

Answer from Cisco TAC for Cisco ISE 3.3 with Patch 3
"The vulnerability is fixed on 3.3 patch 3. So, you should be good on version 3.3 patch 3. if the vulnerability scanner still flags ISE on 3.3 patch 3 is because it is using a variation of OpenSSH 9.1. But this modified version addresses the vulnerability. So you can safely discard the vulnerability scan."

0 Helpful

Go to solution
marce1000
Hall of Fame
Hall of Fame
In response to Chris_Schubert

‎08-27-2024 10:30 AM

 

  - I guess that's ok , but the last sentences are a bit strange 'in legal terms' ; I am not exactly sure what to make of that
    (but If they give  you guarantees I guess you should be in a 'greenfield' (smile)) 

 M



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful
Top