Python on Secure Email Vulnerability Concerns [July 2021]

Robert Sherwin
Cisco Employee

Python on Cisco Secure Email

The Python package used in our appliances is not a standard deployment --- just like AsyncOS is not your typical FreeBSD (a free and open-source Unix-like operating system descended from the Berkeley Software Distribution, which was based on Research Unix).

Python 2.6.4 Vulnerability CVEs

The following is a list of CVEs related to Python 2.6.4. Most of them have already been fixed in 13.5.x and 14.x, while some do not apply to ESA:

  • CVE-2019-9948 – This vulnerability is not affecting ESA
  • CVE-2019-9947 – Not affected because urllib.request.urlopen() is not a supported method
  • CVE-2019-9740 – CSCvr07670 - Fixed in 14.x
  • CVE-2018-20852 – Cookie Disclosure Issue - Bug CSCvq59799 (Fixed)
  • CVE-2018-1061 – Fixed in version 14.x
  • CVE-2018-1060 – This vulnerability is not affecting ESA
  • CVE-2016-5636 – Fixed in version 10.0.2 and above
  • CVE-2014-9365 – This vulnerability is not affecting ESA
  • CVE-2014-1912 – ESA is not impacted as ESA already replaced Splunk with Lucene since 12.0
  • CVE-2013-4238 – The SSL libraries ESA/SMA use handle the \0 character correctly, hence they are not vulnerable to this defect
  • CVE-2012-1150 – The vulnerability only affects releases prior to version 10
  • CVE-2012-0845 – AsyncOS does not use SimpleXMLRPCServer as part of our web server implementation, so it is not affected by this exploit
  • CVE-2011-4944 – Affected Python module is not used on ESA and users are not allowed file system access
  • CVE-2011-4940 – CSCum47220 - Terminated
  • CVE-2011-1521 – Fixed in version 13.5.x
  • CVE-2010-3492 – CSCuy13292 (enhancement)
  • CVE-2018-1061 – This vulnerability is not affecting ESA

Filed Defects

Be sure to check out the following filed defects as well:

  • CSCum44746 - Request to hide the Python version in the HTTP banner; the disclosure has no impact on ESA service or operations.
  • CSCvx65163 - General request for an upgrade to Python version 3, so that CVEs relating to 2.6.4 no longer need to be fixed in the future; the completion timeline is 1.5 years from now.

Customer Concerns

How to respond when a customer raises a concern not covered by the list above:

  1. Cisco continues to fix CVEs that are reported to PSIRT until Python is upgraded to v3.0
  2. Python v3.0 on AsyncOS is planned as part of AsyncOS 15.0 release (CY2022)

PSIRT

We encourage customers to send any/all vulnerability concerns to PSIRT: Security Vulnerability Policy (PSIRT)

PSIRT will work directly with the affected product teams and Engineering to ensure that concerns are reviewed and addressed.

Other Helpful Resources

Cisco Security > Cisco Security Advisories

Product Support > Security Advisories, Responses and Notices (ESA specific)