01-24-2020 07:30 AM - edited 02-21-2020 09:51 AM
Hello,
Currently I am running FMC 4000 with 6.4.0.4 (Build 34). I am planning to patch FMC so that I can remove both vulnerabilities below:
1. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191112-asa-ftd-lua-rce -- where the fix is in Cisco_Firepower_Mgmt_Center_Hotfix_AA-6.4.0.7-3
2. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth -- where the fix is in Cisco_Firepower_Mgmt_Center_Hotfix_T-6.4.0.5-1.sh.REL.tar (for releases 6.4.0.4 and earlier)
If I patch to 6.4.0.7-3, does it resolve the 2nd vulnerability (CVE-2019-16028) as well?
01-24-2020 01:46 PM
I believe if you upgrade to 6.4.0.7 (build 53) and then apply hotfix AA it will address both vulnerabilities.
Build 53 incorporated the earlier 6.4.0.7 hotfix U (which addressed CVE-2019-16028). Then AA additionally covers the issue reported in CVE-2019-15992.
If you have doubt, you can confirm by opening a TAC case.
02-03-2020 10:56 AM
Hello Marvin,
As per the attached image, I do not see any hotfix numbered 6.4.0.7-3, but I see 6.4.0.8 (Cisco_Firepower_Mgmt_Center_Hotfix_AA-6.4.0.8-4.sh.REL.tar) when I follow the link for 6.4.0.7-3. Why is that? Can you advise?
02-03-2020 10:58 AM
Reference Link for 6.4.0.7-3 Hotfix
https://software.cisco.com/download/home/286313415/type/286271056/release/6.4.0.7?catid=268438162
02-03-2020 07:42 PM
That's correct. Once Cisco published patch 6.4.0.7-53 it removed the earlier hotfix for the earlier 6.4.0.7 build.
So patching to 6.4.0.7-53 and then adding hotfix AA will bring your system to the latest (as of today) publicly available releases in the 6.4 release train. Doing that will address the vulnerabilities you cited in your original post.
02-04-2020 07:14 AM
Which means it will actually land on 6.4.0.8, not stay at 6.4.0.7, right Marvin?
I thought it would stay at 6.4.0.7 after the hotfix, but it does not.
02-04-2020 06:41 PM
Even though they confusingly named the hotfix "Cisco_Firepower_Mgmt_Center_Hotfix_AA-6.4.0.8-4.sh.REL.tar", I believe the GUI will continue to say you are running 6.4.0.7.
Once it's applied, the cli should report the actual hotfix(es) applied. (From the FMC cli, switch to expert mode and then use the command "rpm -qa".)
02-05-2020 07:46 AM
Appreciate your reply here Marvin. Sorry for the nagging questions.
So, to check vulnerabilities against the final version we will land on after patching with 6.4.0.8-4, which version should I verify against for the existing known issues? Is it 6.4.0.7 or 6.4.0.8?
02-05-2020 06:41 PM
The GUI will show 6.4.0.7 and the cli command I mentioned will show the hotfix ...AA_6.4.0.8 if you patch it to current levels in the 6.4 train.
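Since the GUI version and the `rpm -qa` output tell different parts of the story, here is an added example (not from the thread or from Cisco) of a small check that combines both as the thread describes: 6.4.0.7 build 53 or later already carries hotfix U (CVE-2019-16028), hotfix T covers the same CVE on earlier releases, and hotfix AA covers CVE-2019-15992. The `rpm -qa` sample lines and the package name format are constructed assumptions, not real Cisco package names.

```python
import re

# Constructed sample of `rpm -qa` output from FMC expert mode. The package
# naming is an assumption for illustration, not Cisco's real package names.
SAMPLE_RPM_QA = """\
bash-4.4.12-1.x86_64
Cisco_Firepower_Mgmt_Center_Hotfix_AA-6.4.0.8-4.x86_64
openssl-1.0.2u-1.x86_64
"""

HOTFIX_RE = re.compile(
    r"Cisco_Firepower_Mgmt_Center_Hotfix_([A-Z]+)-(\d+(?:\.\d+)*)-(\d+)")
VERSION_RE = re.compile(
    r"(\d+(?:\.\d+)*)\s*\(\s*Build\s+(\d+)\s*\)", re.IGNORECASE)


def parse_gui_version(text):
    """'6.4.0.7 ( Build 53 )' -> ((6, 4, 0, 7), 53)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))


def installed_hotfixes(rpm_qa):
    """Map hotfix letter(s) -> (version tuple, hotfix build) from rpm -qa lines."""
    found = {}
    for line in rpm_qa.splitlines():
        m = HOTFIX_RE.search(line)
        if m:
            version = tuple(int(p) for p in m.group(2).split("."))
            found[m.group(1)] = (version, int(m.group(3)))
    return found


def remediation_status(gui_version, rpm_qa):
    """Apply the thread's logic to decide which of the two CVEs are covered."""
    version, build = parse_gui_version(gui_version)
    hotfixes = installed_hotfixes(rpm_qa)
    # 6.4.0.7 build 53+ incorporated hotfix U; hotfix T is the fix on <= 6.4.0.4.
    on_6407_53 = version == (6, 4, 0, 7) and build >= 53
    return {
        "CVE-2019-16028": on_6407_53 or "U" in hotfixes or "T" in hotfixes,
        "CVE-2019-15992": "AA" in hotfixes,
    }


if __name__ == "__main__":
    print(remediation_status("6.4.0.7 (Build 53)", SAMPLE_RPM_QA))
```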