Cisco Security Advisory Versions

platypodes
Level 1

Hi,

 

I have a few questions regarding the versions released in the Cisco security advisories.

I'm looking over the affected products here: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

The affected/fix releases for Nexus 7000 switches are here: https://tools.cisco.com/bugsearch/bug/CSCuq98748

My questions are outlined below:

  1. The whitepaper here: http://www.cisco.com/web/about/security/intelligence/ios-ref.html, specifies that NX-OS versions on Nexus 7000 switches are in the format X.Y(Z). The last 2 affected releases are not in this format. Is there somewhere that more accurately outlines the version scheme for NX-OS?
  2. The platform dependent maintenance release number is shown as an integer in the white paper above. What is the significance of the decimal in the advisory releases?
  3. There are many more fix releases than affected releases. Why is this?
  4. If a fix release is listed, does that mean that platform stream has affected releases? If so, how do you determine which releases are affected?

 

1 Accepted Solution

Accepted Solutions

fmenezes
Level 1

Hi

Unfortunately, I have just one answer and some new questions...

The answer regards question #2, about the decimal.

The decimal is given to "interim" releases. These releases are internal to Cisco and are not usually published on CCO (unless they are requested via a Service Request or special file access). For the "official" fix, one should always look for the release with the first integer that follows the interim number.

Now for my question.

On the Bug Notes I read "All current versions of NX-OS on this platform are affected unless otherwise stated". Then on the "Known Affected Releases" only 8 are shown. I see two options to decode these two pieces of info:

A. ALL releases older than the 8 listed are vulnerable

B. Only the 8 listed are vulnerable

C. Only the 15 "Known fixed" or others more recent than those 15 are non-vulnerable.

 

By just reading the case notes, I cannot conclude for sure whether a given release (such as 6.2(2), for example) is vulnerable or not. Can someone from Cisco clear this up?

Thanks and Regards
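
The interim-release rule described in the reply above, as an added Python example (not Cisco's code and not part of the original post). The version strings in `SAMPLE_FIXED` are constructed, not taken from CSCuq98748, and the handling of trailing text such as `S2` is an assumption.

```python
import re
from typing import NamedTuple, Optional

# X.Y(Z) is the format named in the question; a decimal Z.I inside the
# parentheses marks an interim build, per the reply's explanation.
_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(.*)$")

class NxosVersion(NamedTuple):
    major: int
    minor: int
    maintenance: int
    interim: Optional[int]  # None for a published release
    suffix: str             # text after ")" is kept but not interpreted (assumption)

    @property
    def is_interim(self) -> bool:
        return self.interim is not None

def parse(text: str) -> NxosVersion:
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"not in X.Y(Z) form: {text!r}")
    major, minor, maint, interim, suffix = m.groups()
    return NxosVersion(int(major), int(minor), int(maint),
                       int(interim) if interim is not None else None, suffix)

def first_official(text: str) -> str:
    """Release to look for: the first integer after the interim number."""
    v = parse(text)
    if not v.is_interim:
        return text.strip()
    return f"{v.major}.{v.minor}({v.maintenance + 1})"

def official_targets(fix_list):
    """Collapse a 'known fixed' list to distinct published releases, sorted."""
    targets = {first_official(entry) for entry in fix_list}
    return sorted(targets, key=lambda s: parse(s)[:3])

# Constructed sample entries for illustration only.
SAMPLE_FIXED = ["6.2(8.9)S2", "6.2(9)", "6.2(8.12)", "7.1(0.1)", "5.2(9.218)S0"]

if __name__ == "__main__":
    for entry in SAMPLE_FIXED:
        print(f"{entry:>14} -> {first_official(entry)}")
    print(official_targets(SAMPLE_FIXED))
```

A dotted shorthand such as 6.2.2 is rejected by `parse` rather than guessed at, so inventory data should be normalized to the X.Y(Z) form first.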

 


2 Replies

I have those same questions. Also, the "fixed" releases are not in the general download section for the Nexus, so how do you download those versions? We are running 6.2.2 also for the 7000's. Do you have to open a TAC case just to get the "fixed" releases? Also, for Nexus 5000 there are "0" fixed versions as of right now; when will those be available?