Re: Failed upgrade CISCO IOS XE version 16.06.06 to 16.09.04 on #CISCO CSR 1000v

Benflo007 · ‎09-17-2019

We are leveraging 2 CISCO CSRs 1000V in a transit VPC setting to support our VPNs connection. Our Nessus scanner is reporting the following vulnerability: Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability , the suggested solution is to upgrade the CISCO IOS XE from our actual version 16.06.06 Everest to the version 16.09.04 Fuji and the API container to the version 16.09.03 which seems to be fixed version. We attempted the upgrade from version 16.06.06 Everest to the version 16.09.04 Fuji, and it failed; after multiple reload, our systems remained unreachable through the VPNs, and the REST API container package was not updated,so we rolled back the upgrade, and this restored VPNs activity.

1. What is the upgrade path from the CISCO IOS XE version 16.06.06 Everest to the version 16.09.04 Fuji ?

2. The vulnerability is still being reported, and after running the cmd # show virtual-interface detail ; the csr_mgmt state appears to be "Activate Failed" which lead us to believe that we might not actually need it. We would like to know what would be the impact if we decided to get rid of this vulnerable module ( .ova file located in the bootflash directory). Also what will be the impact if we upgraded only the csr_mgmt (.ova file) and did not upgrade the CISCO IOS software. Thanks.

Dennis Mink · ‎09-17-2019

For upgrade path its best to read the release notes of the version you want to go to. This will tell you if the upgrade is stepped or not

Please remember to rate useful posts, by clicking on the stars below.