FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

eeebbunee
Level 1

Hello All,

Has anyone heard about the Log4JShell exploit?

As far as I know, this exploit affected Tomcat-based devices.

Our company has 3 FTDs and 1 ASA, and we just learned that the FTD 6.2.3 OS is vulnerable.

We are trying to upgrade the version as soon as we can, but we're not sure which version is safe against this exploit.

Can anyone tell me about this?


@Marvin Rhoads 

> show version
-------------------[ Firepower2 ]-------------------
Model : Cisco ASA5516-X Threat Defense (75) Version 6.2.3.3 (Build 76)
> show version
---------------[ Firepower1 ]----------------
Model : Cisco ASA5516-X Threat Defense (75) Version 6.6.1 (Build 91)

 

I have another question please regarding the OS that is running on both ASA devices mentioned below.
I can see one of them listed on Cisco's impacted list and one is not!
So according to the impacted list from Cisco below, is my device running 6.6.1, which is not listed, safe
and there is nothing to do on it? Or can 6.6.1 be considered as 6.6.0?!
7.1.0
7.0.0
6.7.0
6.6.0
6.5.0
6.4.0
6.3.0
6.2.3

amr alrazzaz

As of this posting, all current 6.6.x releases without the hotfix are vulnerable.

Upgrade to 6.6.5 and then to 6.6.5.1 and then finally install the hotfix for 6.6.5.1 for the best coverage as of this posting.
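A small inventory helper, added here as an example and not part of this thread or of any Cisco tool, that applies the mapping in the answer above to `show version` output: it pulls the version string from each device and matches it against the impacted trains listed in the post, treating a listed x.y.0 entry as covering the whole x.y line (so 6.6.1 falls under 6.6.0, and 6.2.3.3 under the listed 6.2.3). The sample output is constructed from the two devices pasted earlier; whether a hotfix is installed is not visible in the version string, so the result only says which train needs the hotfix or upgrade.

```python
import re

# Impacted release trains as listed in this thread (copied from the post,
# not an authoritative advisory). A listed x.y.0 entry stands for the whole
# x.y line; 6.2.3 stands for 6.2.3 and its 6.2.3.x patches.
IMPACTED_TRAINS = ["7.1.0", "7.0.0", "6.7.0", "6.6.0", "6.5.0", "6.4.0", "6.3.0", "6.2.3"]

# Constructed sample, modelled on the two `show version` outputs in the thread.
SAMPLE_SHOW_VERSION = """\
> show version
-------------------[ Firepower2 ]-------------------
Model : Cisco ASA5516-X Threat Defense (75) Version 6.2.3.3 (Build 76)
> show version
---------------[ Firepower1 ]----------------
Model : Cisco ASA5516-X Threat Defense (75) Version 6.6.1 (Build 91)
"""


def parse_show_version(text):
    """Return (hostname, version) pairs from concatenated `show version` output."""
    hosts = re.findall(r"-+\[ (\S+) \]-+", text)
    versions = re.findall(r"Version (\d+(?:\.\d+)+)", text)
    return list(zip(hosts, versions))


def impacted_train(version, trains=IMPACTED_TRAINS):
    """Return the listed train that covers `version`, or None if no entry matches."""
    parts = version.split(".")
    for train in trains:
        tparts = train.split(".")
        # Prefix match: 6.2.3.3 is a patch of the listed 6.2.3.
        if parts[:len(tparts)] == tparts:
            return train
        # x.y.0 entries cover the whole x.y line: 6.6.1 falls under 6.6.0.
        if tparts[-1] == "0" and parts[:len(tparts) - 1] == tparts[:-1]:
            return train
    return None


def assess(text):
    """Map each device in the output to the impacted train it belongs to (or None)."""
    return {host: impacted_train(ver) for host, ver in parse_show_version(text)}


if __name__ == "__main__":
    for host, train in assess(SAMPLE_SHOW_VERSION).items():
        status = f"impacted train {train}" if train else "not in the listed trains"
        print(f"{host}: {status}")
```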

@Marvin Rhoads sorry for asking again!

I just don't have time as I'm outside the office for some time and busy! So can I keep using the current OS versions (6.2.3.3 & 6.6.1) for now and install the hotfixes for them once released next 23rd of December, at least to fix this vulnerability, and later on I'll update both OS versions? Is that okay?

Also, are there simple steps to follow once this hotfix is released? How do I import it on the ASA device?

As it seems the 6.6.1 that I have is not included on the impacted list, I'm not sure if they will release a hotfix for it or not!

May I ask you, if I upgrade from 6.6.1 to 6.6.5 or 6.6.5.1, what are the steps to follow without losing any setup or configurations!!?

Does an update from version to version within the same 6.6.x make a difference in the process compared to jumping from 6.6.1 to 7.0, for example?

And which one to choose from below:

ASA FirePOWER upgrade
Cisco_Network_Sensor_Upgrade-6.6.5-81.sh.REL.tar

ASA FirePOWER module install package
asasfr-sys-6.6.5-81.pkg

ASA FirePOWER module boot image
asasfr-5500x-boot-6.6.5-2.img

Thanks a lot for the help, dear.

amr alrazzaz

Hotfix and upgrade instructions are the same and are linked in the earlier document I posted.

Neither one will cause the devices to lose any configuration. If you have an HA pair, you can do it with no downtime but should still work within an approved maintenance window if you are supporting production customers. If there is no HA pair, an upgrade will require an outage when the device enters maintenance mode to replace system files and run various scripts as part of the upgrade. The outage duration is typically 30-60 minutes per device.

To upgrade, use the file with the word upgrade in it.
