Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1639
Views
10
Helpful
10
Replies

Cisco Security Manager is vulnerable to CVE-2014-0160 - aka Heartbleed

Go to solution
ahmed.gadi
Level 1
Level 1

‎04-14-2014 02:57 AM - edited ‎02-21-2020 05:09 AM

Dear All,

              We have CSM 4.4.0 SP2 patch 1 installed with no default configuration.

According to cisco, CSM is under Vulnerable Products list with cisco bug ID CSCuo19265. 

Do I need to take any action for my CSM ?

Thanks & Regards

Ahmed...

1 person had this problem
Preview file
34 KB
Preview file
39 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
patoberli
VIP Alumni
VIP Alumni

‎04-15-2014 12:45 AM

I recommend that you restrict HTTPS access to the CSM server to the few clients that actually need access to it, until a fix has been released. That way you can at least restrict the amount of clients that could utilize this leak.

View solution in original post

Go to solution
kshiva
Level 1
Level 1

‎04-15-2014 09:37 PM

Hi Ahmed,

CSM 4.4.0 SP2 patch 1 is not vulnerable to heartbleed. No action required for this specific version of CSM.

 

Given below is list of CSM versions that are vulnerable:

CSM 4.5
CSM 4.5 SP0 PP1
CSM 4.5 SP0 PP2

View solution in original post

10 Replies 10

Go to solution
patoberli
VIP Alumni
VIP Alumni

‎04-15-2014 12:45 AM

I recommend that you restrict HTTPS access to the CSM server to the few clients that actually need access to it, until a fix has been released. That way you can at least restrict the amount of clients that could utilize this leak.

Go to solution
kshiva
Level 1
Level 1

‎04-15-2014 09:37 PM

Hi Ahmed,

CSM 4.4.0 SP2 patch 1 is not vulnerable to heartbleed. No action required for this specific version of CSM.

 

Given below is list of CSM versions that are vulnerable:

CSM 4.5
CSM 4.5 SP0 PP1
CSM 4.5 SP0 PP2

Go to solution
ahmed.gadi
Level 1
Level 1
In response to kshiva

‎04-16-2014 02:27 AM

Many thanks 

0 Helpful

Go to solution
Network Operation
Level 1
Level 1

‎04-15-2014 09:43 PM

I am running 4.5.0, it is vulnerable because I have scanned it and tested it. I see version 4.6.0 has just popped up on cisco.com. Anyone confirm if that fixes the bug?

0 Helpful

Go to solution
kshiva
Level 1
Level 1
In response to Network Operation

‎04-15-2014 09:56 PM

CSM 4.6 has the fix and not vulnerable.

0 Helpful

Go to solution
ryancisco01
Level 1
Level 1
In response to kshiva

‎04-15-2014 10:00 PM

Im not sure if that's true. the release notes don't state anything about fixing that big. and also looking at the opensource licenses PDF for 4.6.0 it states OpenSSL version: 1.0.1e (which is the same version as 4.5.0 and all versions 1a through 1f are vulnerable).

 

I would find it very odd they didn't fix it considering it was released just yesterday.

 

 

0 Helpful

Go to solution
kshiva
Level 1
Level 1
In response to ryancisco01

‎04-15-2014 10:08 PM

Will follow up and update the documentation with correct OpenSSL Version 1.0.1g. Heartbleed vulnerability is addressed in CSM 4.6

0 Helpful

Go to solution
ryancisco01
Level 1
Level 1
In response to kshiva

‎04-15-2014 10:40 PM

Great thanks for confirmation.

0 Helpful

Go to solution
Tan Stanley
Level 1
Level 1
In response to kshiva

‎04-16-2014 06:51 AM

When will the patch to resolve heartbleed issue in csm 4.5 be out??

0 Helpful

Go to solution
dbrockus
Level 1
Level 1
In response to Tan Stanley

‎04-20-2014 08:56 PM

CSM 4.5 CP3 is out and it fixes the heartbleed vulnerability.

Request CSM450_SP0_CP3_bundle.zip from TAC

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card