Catalyst IOS-XE Versions for the 3850 Regarding Vulnerabilities

zachartl · ‎10-04-2022

Hello,

We've been tasked to remediate Cat IOS-XE Vulnerabilities throughout our Network. We're working to get our Catalyst 3850s upgraded. I came across a model of our 3850 - Catalyst 3850-12XS-S Switch. I went to download the latest software revision for this model, currently 3.7.5E upon checking the Vulnerabilities affecting this revision, I found these (Please seen enclosed). I'm writing to ask if anyone knows if this is a sort of "end-of-the-line" for the 3850 software train for this model. Am I to tell my IS Team and My Manager that we will need to be looking to replace this particular model of switch given the Vulnerabilities contained in the lastest Release? Please let me know. Thank you.

https://tools.cisco.com/security/center/softwarechecker.x?productSelected=ios_xe&selectedMethod=A&captchaPage=true&platformCode=NA&versionNamesSelected=3.7.5E&allAdvisoriesSelectedByTree=N&advisoryType=0&iosBundleId=cisco-sa-20220928-bundle&impact=Cr...

Leo Laohoo · ‎10-04-2022

The newly-released IOS-XE version 16.12.8 is a PSIRT-only release.

IMPORTANT:

I do not recommend anyone upgrade to 16.X.X due to stability reasons. If there is no other choice but to upgrade to 16.X.X, make sure to perform regular proactive reboot of the stack.

zachartl · ‎10-05-2022

Hello,

I haven't had any luck converting the 3850 3.x Train Code to 16.x Code. The 3850 Switch I used to test this with rejected the 16.x Code. So I've been loading the Latest 3.x Train Code on all 3850 Switches we have per Model Number via the Support Page. I noticed the code I was going to obtain 3.7.5E for that Model of 3850 contained, Critical Vulnerabilities we need to remediate. And thus my query. Is there a way / procedure to convert the 3850 to the 16.x train? If that would get us clear of the Critical Vulnerabilities of course. Thank you.