ASA Firmwares explained

nxw1969
Level 1

Hi,


I have been trying to figure out if I need to upgrade my ASA firmware version, but the more I read, the more confusing it starts to get.
I have two ASA active/standby firewall pairs: a pair of 5525-X and a pair of 5506-X.


The 5506-X are running ASA ver 9.13.1.
The 5525-X are running ASA ver 9.10.1.


Reading the advisory below, it suggests upgrading to 9.13.1.10 and 9.10.1.42 respectively:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86


Why doesn't it suggest I upgrade the 5525-X from 9.10.1 to 9.13.1.42?

Is upgrading from 9.10 to 9.11, 9.12, etc. required for enhanced security, or are the interim releases functionality-related releases, and the minor releases there to fix bugs and vulnerabilities?

Any help would be great so I can understand if staying with 9.10.1.42 leaves me more vulnerable.

Thanks
Nick


balaji.bandi
Hall of Fame

If you are looking to upgrade the 5525-X from 9.10.1 to 9.13, you need to refer to the release notes below:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html

The right-hand side of the table you were referring to lists the fixed versions for the vulnerable product.

Example: in your case, you can upgrade to 9.10.1.42 to fix that vulnerability.

Does that make sense, or did I misunderstand your question?

BB


Thank you for your reply.

Marvin Rhoads
Hall of Fame

Interim releases (e.g. from 9.10(1)x to 9.10(1)42) are bug fixes only.

Minor releases (e.g. 9.10(1) to 9.13(1)) add new features and hardware support.

Cisco will generally recommend the interim within the current release you are running (where such exists) as a fix as that is least disruptive to operations. It is also what they would provide a customer without support if they requested the fix specifically to address the security vulnerability and did not have entitlement to obtain a new release that also includes new features.

However, if you have support entitlement, you can run 9.13(1)10 (or better yet the even more recent 9.13(1)12) on your ASA 5525-X if you like. Some people prefer to do that to standardize on releases across all of their ASAs where possible.

Thank you Marvin. I do have the entitlement to upgrade, but with the current Covid situation I am working remotely to upgrade the ASAs and need to ensure they are vulnerability-free, but with the least possible risk. I work in an environment where downtime is virtually non-existent.

I have had issues upgrading between minor releases in the past, which took one of my standbys out of action (and while I think it was probably due to user error!!!). I now prefer to be in the office to perform an upgrade, unless a vulnerability forces my hand, as I have spare ASAs in the office to test releases, which gives extra peace of mind!

So just to be clear:

9.10(1)42 is no less vulnerable than 9.13(1)12, but best practice and Cisco's recommendation would be to run 9.13(1)12 where possible.

Is that correct?

Many thanks again Marvin
Marvin Rhoads
Hall of Fame

You asked "9.10(1)42 is no less vulnerable than 9.13(1)12": correct. They were released around the same time and address the published vulnerabilities and corrected defects as of their release date.

As far as "Cisco recommendation would be to 9.13(1)12", that's not correct. Cisco's current recommendation for ASA 5525-X would be 9.12(3)12. This is as shown by the gold star in the downloads page:

https://software.cisco.com/download/home/284143129/type/280775065/release/9.12.3%20Interim

Thanks again Marvin. That answers my question perfectly, and it is also the response I hoped for!!