cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10049
Views
15
Helpful
9
Replies

Cisco 4331 Denali or Everest IOX-XE

johnlloyd_13
Level 9
Level 9

hi,

i ran an audit on our cisco 4k routers i'm suspecting it got hit by the recent CPU spectre/meltdown vulnerability.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh32416

our 4331s has 16.5.1b installed. can someone confirm IT IS hit by the said bug?

sorry for a noob question, can someone explain the difference between the fuji, denali and everest?

which OS do i install to patch? Denali-16.3.5(MD) or Everest-16.6.2(ED)? any path upgrade to follow?

thanks in advance!

 

 
IOS XE Software-Everest-16.5.2(ED)
4431 Integrated Services Router
 
 
 
Denali-16.3.5(MD) 
Everest-16.6.2(ED) 
Fuji-16.7.1(ED)
3.16.6bS(MD)
Everest-16.6.2(ED) 
Denali-16.3.5(MD) 
Fuji-16.7.1(ED)
Everest-16.6.2(ED) 
Everest-16.6.1(ED)
Everest-16.5.2(ED)
Everest-16.5.1b(E
2 Accepted Solutions

Accepted Solutions

Leo Laohoo
Hall of Fame
Hall of Fame

Currently, it is too early to tell.  Investigation is still ongoing as to what firmwares are affected and what versions are not. 

Just put into consideration that the appliance is affected until the fix is announced or released. 

Currently, no one in the wild has yet to report that an exploit for this vulnerability has been used.

View solution in original post

Iff you are not running any virtual-maschines on those devices,

then your currently are fine, no need to panic.

Check it with 

#sh virtual-service global
Virtual Service Global State and Virtualization Limits:

Infrastructure version : 1.6
Total virtual services installed : 0
Total virtual services activated : 0
[...]

 

So you just must ensure no "containers" get installed with normal access-procedures.

Persons being able to do so normally have sufficient rights to read and modify the device's configuration etc. so normally do not need a crafted virtual maschine to do harm or spy^Wmontiroing work.

 

If you do not the have the  show virtual-service command, then your IOS is too old to run containers and you are fine until you update the IOS because of other problems.

 

 

View solution in original post

9 Replies 9

Leo Laohoo
Hall of Fame
Hall of Fame

Currently, it is too early to tell.  Investigation is still ongoing as to what firmwares are affected and what versions are not. 

Just put into consideration that the appliance is affected until the fix is announced or released. 

Currently, no one in the wild has yet to report that an exploit for this vulnerability has been used.

leo,

pre salamat!

i saw it's known fixed releases is still 0.

i thought the IOX-XE with gold star from the download area is THE patch.

will keep an eye on this instead.

BTW, can you give me a primer or link regarding Denali, Fuji and Everest OS releases?


@johnlloyd_13 wrote:

can you give me a primer or link regarding Denali, Fuji and Everest OS releases?


The only thing I'm keeping an eye out about 16.X are the known bugs.  


@johnlloyd_13 wrote:

i saw it's known fixed releases is still 0. 


Information in Bug ID is a two-edged sword.  One, it is rarely updated.  Two, sometimes the information in the Bugs themselves are "lacking" of information.  Don't be surprised to find the Known Affected Release to mention specific versions but if you go to the Release Notes, the Bug IDs are not listed.  Apparently, it is now the new norm that only critical bugs are mentioned in the Release Notes.  

 

Hi,

What is the diference:

Cisco 4331 Denali or Everest IOX-XE ?

Release Everest-16.6.2 is better than Release Denali-16.3.5 because it's ED ???

Iff you are not running any virtual-maschines on those devices,

then your currently are fine, no need to panic.

Check it with 

#sh virtual-service global
Virtual Service Global State and Virtualization Limits:

Infrastructure version : 1.6
Total virtual services installed : 0
Total virtual services activated : 0
[...]

 

So you just must ensure no "containers" get installed with normal access-procedures.

Persons being able to do so normally have sufficient rights to read and modify the device's configuration etc. so normally do not need a crafted virtual maschine to do harm or spy^Wmontiroing work.

 

If you do not the have the  show virtual-service command, then your IOS is too old to run containers and you are fine until you update the IOS because of other problems.

 

 

So, if I no have virtural machines running. Can I upgrade

from: isr4300-universalk9.03.16.04b.S.155-3.S4b-ext

to: isr4300-universalk9.16.06.02.SPA.bin

 

And What's the real difference:

Denali or Everest IOX-XE

 

This is just Ed after an MD version Stable?

I think you should read the release notes for "Everest" to see what additional features it has, or try to use cisco's feature navigator.
If "Denali-MD" has all features you need then stay there.

BTW, some Cisco Switches got their MD Software years after they were EOL, all the normal product-lifetime they had only ED Software

hi,

i don't have VM or "containers" running on our devices.

thanks for this info!

 

#sh vir?
% Unrecognized command
#sh vi?
video  

hi I have ISR4321/K9 Router with latest Version 16.6.2 running "isr4300-universalk9.16.06.02.SPA.bin" 

R2#sh ver
Cisco IOS XE Software, Version 16.06.02
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.

 

but still "sh virtual-service global" command does not work is it a right command

Review Cisco Networking for a $25 gift card