Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9582
Views
15
Helpful
9
Replies

Cisco 4331 Denali or Everest IOX-XE

Go to solution
johnlloyd_13
Level 9
Level 9

‎01-14-2018 11:16 PM - edited ‎03-05-2019 09:46 AM

hi,

i ran an audit on our cisco 4k routers i'm suspecting it got hit by the recent CPU spectre/meltdown vulnerability.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh32416

our 4331s has 16.5.1b installed. can someone confirm IT IS hit by the said bug?

sorry for a noob question, can someone explain the difference between the fuji, denali and everest?

which OS do i install to patch? Denali-16.3.5(MD) or Everest-16.6.2(ED)? any path upgrade to follow?

thanks in advance!

 

 
Downloads Home
Products
Routers
Branch Routers
4000 Series Integrated Services Routers
4431 Integrated Services Router
IOS XE Software-Everest-16.5.2(ED)
4431 Integrated Services Router
 
Expand All | Collapse All
 
 
Denali-16.3.5(MD) 
Everest-16.6.2(ED) 
Fuji-16.7.1(ED)
3.16.6bS(MD)
Everest-16.6.2(ED) 
Denali-16.3.5(MD) 
Fuji-16.7.1(ED)
Everest-16.6.2(ED) 
Everest-16.6.1(ED)
Everest-16.5.2(ED)
Everest-16.5.1b(E
2 people had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎01-14-2018 11:40 PM

Currently, it is too early to tell.  Investigation is still ongoing as to what firmwares are affected and what versions are not. 

Just put into consideration that the appliance is affected until the fix is announced or released. 

Currently, no one in the wild has yet to report that an exploit for this vulnerability has been used.

View solution in original post

Go to solution
j-marenda
Level 1
Level 1
In response to Leo Laohoo

‎01-17-2018 06:59 AM

Iff you are not running any virtual-maschines on those devices,

then your currently are fine, no need to panic.

Check it with 

#sh virtual-service global
Virtual Service Global State and Virtualization Limits:

Infrastructure version : 1.6
Total virtual services installed : 0
Total virtual services activated : 0
[...]

 

So you just must ensure no "containers" get installed with normal access-procedures.

Persons being able to do so normally have sufficient rights to read and modify the device's configuration etc. so normally do not need a crafted virtual maschine to do harm or spy^Wmontiroing work.

 

If you do not the have the  show virtual-service command, then your IOS is too old to run containers and you are fine until you update the IOS because of other problems.

 

 

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎01-14-2018 11:40 PM

Currently, it is too early to tell.  Investigation is still ongoing as to what firmwares are affected and what versions are not. 

Just put into consideration that the appliance is affected until the fix is announced or released. 

Currently, no one in the wild has yet to report that an exploit for this vulnerability has been used.

Go to solution
johnlloyd_13
Level 9
Level 9
In response to Leo Laohoo

‎01-14-2018 11:50 PM - edited ‎01-14-2018 11:55 PM

leo,

pre salamat!

i saw it's known fixed releases is still 0.

i thought the IOX-XE with gold star from the download area is THE patch.

will keep an eye on this instead.

BTW, can you give me a primer or link regarding Denali, Fuji and Everest OS releases?

0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame
In response to johnlloyd_13

‎01-15-2018 12:12 AM - edited ‎01-15-2018 12:15 AM

@johnlloyd_13 wrote:

can you give me a primer or link regarding Denali, Fuji and Everest OS releases?

The only thing I'm keeping an eye out about 16.X are the known bugs.  

@johnlloyd_13 wrote:

i saw it's known fixed releases is still 0. 

Information in Bug ID is a two-edged sword.  One, it is rarely updated.  Two, sometimes the information in the Bugs themselves are "lacking" of information.  Don't be surprised to find the Known Affected Release to mention specific versions but if you go to the Release Notes, the Bug IDs are not listed.  Apparently, it is now the new norm that only critical bugs are mentioned in the Release Notes.  

 

0 Helpful

Go to solution
rafafilho11
Level 1
Level 1
In response to Leo Laohoo

‎01-16-2018 02:02 PM

Hi,

What is the diference:

Cisco 4331 Denali or Everest IOX-XE ?

Release Everest-16.6.2 is better than Release Denali-16.3.5 because it's ED ???

Go to solution
j-marenda
Level 1
Level 1
In response to Leo Laohoo

‎01-17-2018 06:59 AM

Iff you are not running any virtual-maschines on those devices,

then your currently are fine, no need to panic.

Check it with 

#sh virtual-service global
Virtual Service Global State and Virtualization Limits:

Infrastructure version : 1.6
Total virtual services installed : 0
Total virtual services activated : 0
[...]

 

So you just must ensure no "containers" get installed with normal access-procedures.

Persons being able to do so normally have sufficient rights to read and modify the device's configuration etc. so normally do not need a crafted virtual maschine to do harm or spy^Wmontiroing work.

 

If you do not the have the  show virtual-service command, then your IOS is too old to run containers and you are fine until you update the IOS because of other problems.

 

 

0 Helpful

Go to solution
rafafilho11
Level 1
Level 1
In response to j-marenda

‎01-17-2018 07:25 AM

So, if I no have virtural machines running. Can I upgrade

from: isr4300-universalk9.03.16.04b.S.155-3.S4b-ext

to: isr4300-universalk9.16.06.02.SPA.bin

 

And What's the real difference:

Denali or Everest IOX-XE

 

This is just Ed after an MD version Stable?

0 Helpful

Go to solution
j-marenda
Level 1
Level 1
In response to rafafilho11

‎01-17-2018 08:25 AM

I think you should read the release notes for "Everest" to see what additional features it has, or try to use cisco's feature navigator.
If "Denali-MD" has all features you need then stay there.

BTW, some Cisco Switches got their MD Software years after they were EOL, all the normal product-lifetime they had only ED Software
0 Helpful

Go to solution
johnlloyd_13
Level 9
Level 9
In response to j-marenda

‎01-17-2018 05:16 PM - edited ‎01-17-2018 05:17 PM

hi,

i don't have VM or "containers" running on our devices.

thanks for this info!

 

#sh vir?
% Unrecognized command
#sh vi?
video  

0 Helpful

Go to solution
Yogesh Rajeshirke
Level 1
Level 1
In response to johnlloyd_13

‎02-15-2018 02:28 AM

hi I have ISR4321/K9 Router with latest Version 16.6.2 running "isr4300-universalk9.16.06.02.SPA.bin" 

R2#sh ver
Cisco IOS XE Software, Version 16.06.02
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.

 

but still "sh virtual-service global" command does not work is it a right command

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card