01-14-2018 11:16 PM - edited 03-05-2019 09:46 AM
hi,
i ran an audit on our Cisco 4k routers and i'm suspecting they got hit by the recent CPU Spectre/Meltdown vulnerability.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh32416
our 4331s have 16.5.1b installed. can someone confirm IT IS hit by the said bug?
sorry for a noob question, can someone explain the difference between the fuji, denali and everest?
which OS do i install to patch? Denali-16.3.5(MD) or Everest-16.6.2(ED)? any path upgrade to follow?
thanks in advance!
IOS XE Software-Everest-16.5.2(ED) | 4431 Integrated Services Router
01-14-2018 11:40 PM
Currently, it is too early to tell. Investigation is still ongoing as to what firmwares are affected and what versions are not.
Just put into consideration that the appliance is affected until the fix is announced or released.
Currently, no one in the wild has yet to report that an exploit for this vulnerability has been used.
01-14-2018 11:50 PM - edited 01-14-2018 11:55 PM
leo,
thanks, buddy!
i saw its known fixed releases is still 0.
i thought the IOS-XE with gold star from the download area is THE patch.
will keep an eye on this instead.
BTW, can you give me a primer or link regarding Denali, Fuji and Everest OS releases?
01-15-2018 12:12 AM - edited 01-15-2018 12:15 AM
@johnlloyd_13 wrote:
can you give me a primer or link regarding Denali, Fuji and Everest OS releases?
The only thing I'm keeping an eye out about 16.X are the known bugs.
@johnlloyd_13 wrote:
i saw it's known fixed releases is still 0.
Information in Bug ID is a two-edged sword. One, it is rarely updated. Two, sometimes the information in the Bugs themselves are "lacking" of information. Don't be surprised to find the Known Affected Release to mention specific versions but if you go to the Release Notes, the Bug IDs are not listed. Apparently, it is now the new norm that only critical bugs are mentioned in the Release Notes.
01-16-2018 02:02 PM
Hi,
What is the difference:
Cisco 4331 Denali or Everest IOS-XE?
Release Everest-16.6.2 is better than Release Denali-16.3.5 because it's ED?
01-17-2018 06:59 AM
If you are not running any virtual machines on those devices,
then you are currently fine, no need to panic.
Check it with
#sh virtual-service global
Virtual Service Global State and Virtualization Limits:
Infrastructure version : 1.6
Total virtual services installed : 0
Total virtual services activated : 0
[...]
So you just must ensure no "containers" get installed with normal access procedures.
Persons being able to do so normally have sufficient rights to read and modify the device's configuration etc., so normally do not need a crafted virtual machine to do harm or spy^Wmonitoring work.
If you do not have the show virtual-service command, then your IOS is too old to run containers and you are fine until you update the IOS because of other problems.
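The check described in the reply above, applied to saved `show virtual-service global` output from several routers, as an added example that is not part of the original thread or any Cisco tooling. Host names and captures are constructed; an unrecognized-command response is reported as its own status instead of being counted as a pass.

```python
import re

# Constructed sample captures of "show virtual-service global" (not from real devices).
SAMPLES = {
    "rtr-a": """Virtual Service Global State and Virtualization Limits:
Infrastructure version : 1.6
Total virtual services installed : 0
Total virtual services activated : 0
""",
    "rtr-b": """Virtual Service Global State and Virtualization Limits:
Infrastructure version : 1.6
Total virtual services installed : 2
Total virtual services activated : 1
""",
    # Device whose CLI does not offer the command at all.
    "rtr-c": "% Unrecognized command\n",
}

COUNT_RE = re.compile(
    r"^\s*Total virtual services (installed|activated)\s*:\s*(\d+)\s*$", re.M
)


def classify(output):
    """Map one device's captured output to an audit status string."""
    # IOS error lines start with '%'; the command is missing on this image.
    if re.search(r"^\s*%", output, re.M):
        return "command-unavailable"
    counts = {kind: int(num) for kind, num in COUNT_RE.findall(output)}
    # Truncated or unexpected output must not be read as "zero services".
    if set(counts) != {"installed", "activated"}:
        return "unparsed"
    if counts["installed"] or counts["activated"]:
        return "virtual-services-present"
    return "no-virtual-services"


def audit(captures):
    """Classify every host in a {hostname: output} mapping."""
    return {host: classify(text) for host, text in sorted(captures.items())}


if __name__ == "__main__":
    for host, status in audit(SAMPLES).items():
        print(f"{host}: {status}")
```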
01-17-2018 07:25 AM
So, if I have no virtual machines running, can I upgrade
from: isr4300-universalk9.03.16.04b.S.155-3.S4b-ext
to: isr4300-universalk9.16.06.02.SPA.bin
And what's the real difference:
Denali or Everest IOS-XE
This is just ED after an MD version Stable?
01-17-2018 08:25 AM
01-17-2018 05:16 PM - edited 01-17-2018 05:17 PM
hi,
i don't have VM or "containers" running on our devices.
thanks for this info!
#sh vir?
% Unrecognized command
#sh vi?
video
02-15-2018 02:28 AM
hi, I have an ISR4321/K9 router with the latest version 16.6.2 running "isr4300-universalk9.16.06.02.SPA.bin"
R2#sh ver
Cisco IOS XE Software, Version 16.06.02
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
but still the "sh virtual-service global" command does not work. Is it the right command?