cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1669
Views
10
Helpful
10
Replies

Cisco Security Manager is vulnerable to CVE-2014-0160 - aka Heartbleed

ahmed.gadi
Level 1
Level 1

Dear All,

              We have CSM 4.4.0 SP2 patch 1 installed with no default configuration.

According to cisco, CSM is under Vulnerable Products list with cisco bug ID CSCuo19265. 

Do I need to take any action for my CSM ?

Thanks & Regards

Ahmed...

2 Accepted Solutions

Accepted Solutions

patoberli
VIP Alumni
VIP Alumni

I recommend that you restrict HTTPS access to the CSM server to the few clients that actually need access to it, until a fix has been released. That way you can at least restrict the amount of clients that could utilize this leak.

View solution in original post

kshiva
Level 1
Level 1

Hi Ahmed,

CSM 4.4.0 SP2 patch 1 is not vulnerable to heartbleed. No action required for this specific version of CSM.

 

Given below is list of CSM versions that are vulnerable:

CSM 4.5
CSM 4.5 SP0 PP1
CSM 4.5 SP0 PP2

View solution in original post

10 Replies 10

patoberli
VIP Alumni
VIP Alumni

I recommend that you restrict HTTPS access to the CSM server to the few clients that actually need access to it, until a fix has been released. That way you can at least restrict the amount of clients that could utilize this leak.

kshiva
Level 1
Level 1

Hi Ahmed,

CSM 4.4.0 SP2 patch 1 is not vulnerable to heartbleed. No action required for this specific version of CSM.

 

Given below is list of CSM versions that are vulnerable:

CSM 4.5
CSM 4.5 SP0 PP1
CSM 4.5 SP0 PP2

Many thanks 

I am running 4.5.0, it is vulnerable because I have scanned it and tested it. I see version 4.6.0 has just popped up on cisco.com. Anyone confirm if that fixes the bug?

CSM 4.6 has the fix and not vulnerable.

Im not sure if that's true. the release notes don't state anything about fixing that big. and also looking at the opensource licenses PDF for 4.6.0 it states OpenSSL version: 1.0.1e (which is the same version as 4.5.0 and all versions 1a through 1f are vulnerable).

 

I would find it very odd they didn't fix it considering it was released just yesterday.

 

 

Will follow up and update the documentation with correct OpenSSL Version 1.0.1g. Heartbleed vulnerability is addressed in CSM 4.6

Great thanks for confirmation.

When will the patch to resolve heartbleed issue in csm 4.5 be out??

CSM 4.5 CP3 is out and it fixes the heartbleed vulnerability.

Request CSM450_SP0_CP3_bundle.zip from TAC

Review Cisco Networking for a $25 gift card