Robert Sherwin
Cisco Employee

Python 3 Migration [Update Dec 2021]

The Python 3 migration is planned to ship with AsyncOS 14.2, which is expected in spring 2022.  Please stay tuned for more information!

Python on Cisco Secure Email

The Python build shipped in our appliances is not a standard distribution, just as AsyncOS is not a stock FreeBSD (it is FreeBSD-derived but heavily customized).  Fixes for the Python CVEs listed below are applied to that build, so a scanner that matches only on the version string 2.6.4 does not by itself establish that a given CVE is reachable on ESA; check the per-CVE disposition below for the CVE in question.


Python 2.6.4 Vulnerability CVEs

The following CVEs have been reported against Python 2.6.4.  Most were fixed in 13.5.x or 14.x; some do not apply to ESA at all:

  • CVE-2019-9948 – This vulnerability is not affecting ESA
  • CVE-2019-9947 – Not affected, because Urllib.request.urlopen() is not a supported method on ESA
  • CVE-2019-9740 – CSCvr07670  - Fixed in 14.x
  • CVE-2018-20852 – Cookie Disclosure Issue - Bug CSCvq59799 (Fixed)
  • CVE-2018-1061 – Fixed in version 14.x
  • CVE-2018-1060 – This vulnerability is not affecting ESA
  • CVE-2016-5636 – Fixed in version 10.0.2 and above
  • CVE-2014-9365 – This vulnerability is not affecting ESA
  • CVE-2014-1912 – ESA is not impacted; ESA replaced Splunk with Lucene in 12.0
  • CVE-2013-4238 – The SSL libraries used by ESA/SMA handle the \0 (NUL) character correctly, so they are not vulnerable to this defect
  • CVE-2012-1150 – Only affects releases prior to version 10
  • CVE-2012-0845 – AsyncOS does not use SimpleXMLRPCServer in its web server implementation, so it is not affected by this vulnerability
  • CVE-2011-4944 – The affected Python module is not used on ESA, and users have no file system access
  • CVE-2011-4940 – CSCum47220 - Terminated
  • CVE-2011-1521 – Fixed in version 13.5.x
  • CVE-2010-3492 – CSCuy13292 (enhancement)
  • CVE-2018-1061 – Listed above as fixed in 14.x; the original post also carries this second entry marking it as not affecting ESA.  Either way, 14.x is not exposed
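Because scanners flag the interpreter by its version string rather than by the back-ported fixes, the practical question for an administrator is "which of these findings still apply to the release I am running?".  The script below, an added example that is not Cisco's code and not part of the original post, answers that by triaging a scanner's CVE list against the dispositions above.  The dispositions are transcribed from the list; everything else is assumed: the AsyncOS version format (modelled on the "14.2.0-620" a commenter mentions), treating "fixed in 14.x" as a floor of 14.0, the status names, and the constructed Server header and finding list in the usage block.

```python
"""Triage scanner findings for ESA's Python 2.6.4 against the disposition list.

Added example; not Cisco's code and not part of the original post.  The CVE
dispositions are transcribed from the list in the post.  Everything else is
assumed: the AsyncOS version format (modelled on '14.2.0-620' from the
comments), treating 'fixed in 14.x' as a floor of 14.0, and the status names.
"""
import re

# (state, first fixed release) per CVE, transcribed from the post.
# A None release means the post gives no version to compare against.
DISPOSITION = {
    "CVE-2019-9948": ("not_affected", None),
    "CVE-2019-9947": ("not_affected", None),   # urlopen() not supported on ESA
    "CVE-2019-9740": ("fixed", "14.0"),        # CSCvr07670
    "CVE-2018-20852": ("fixed", None),         # CSCvq59799, release not stated
    "CVE-2018-1061": ("fixed", "14.0"),
    "CVE-2018-1060": ("not_affected", None),
    "CVE-2016-5636": ("fixed", "10.0.2"),
    "CVE-2014-9365": ("not_affected", None),
    "CVE-2014-1912": ("fixed", "12.0"),        # Splunk replaced by Lucene in 12.0
    "CVE-2013-4238": ("not_affected", None),   # SSL libs handle NUL correctly
    "CVE-2012-1150": ("fixed", "10.0"),        # only releases prior to 10 affected
    "CVE-2012-0845": ("not_affected", None),   # SimpleXMLRPCServer not used
    "CVE-2011-4944": ("not_affected", None),
    "CVE-2011-4940": ("open", None),           # CSCum47220 terminated
    "CVE-2011-1521": ("fixed", "13.5"),
    "CVE-2010-3492": ("open", None),           # CSCuy13292, enhancement
}

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(\d+))?$")
_BANNER_RE = re.compile(r"\bPython/(\d+(?:\.\d+)*)")


def parse_asyncos_version(text):
    """'14.2.0-620' -> (14, 2, 0, 620); missing parts are zero. ValueError otherwise."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised AsyncOS version: %r" % (text,))
    return tuple(int(part or 0) for part in m.groups())


def banner_version(server_header):
    """Python version a scanner would read from an HTTP Server header, or None.

    A banner match is only a hint: the post explains ESA's interpreter is a
    custom build, so the reported version alone does not make a CVE reachable.
    """
    m = _BANNER_RE.search(server_header or "")
    return m.group(1) if m else None


def triage(asyncos_version, scanner_cves):
    """Map each reported CVE to a status for the release actually running.

    not_affected - the post says the vulnerable code path is absent on ESA
    fixed        - the post names a fix release and this release is at/after it
    unfixed      - a fix release is named and this release is older
    confirm      - fixed with no release named, or the tracking bug is still open
    unlisted     - not covered by the post; raise it with PSIRT
    """
    running = parse_asyncos_version(asyncos_version)
    result = {}
    for cve in scanner_cves:
        cve = cve.strip().upper()
        if cve not in DISPOSITION:
            result[cve] = "unlisted"
            continue
        state, fixed_in = DISPOSITION[cve]
        if state == "not_affected":
            result[cve] = "not_affected"
        elif state == "fixed" and fixed_in is not None:
            fixed = running >= parse_asyncos_version(fixed_in)
            result[cve] = "fixed" if fixed else "unfixed"
        else:
            result[cve] = "confirm"
    return result


if __name__ == "__main__":
    # Constructed scanner output; not a real ESA response.
    header = "Server: BaseHTTP/0.3 Python/2.6.4"
    findings = ["CVE-2019-9740", "CVE-2016-5636", "CVE-2018-20852",
                "CVE-2011-4940", "CVE-2099-0001"]   # last id is a placeholder
    print("banner reports Python", banner_version(header))
    for cve, status in sorted(triage("14.2.0-620", findings).items()):
        print("%-15s %s" % (cve, status))
```

Anything that comes back as "confirm" or "unlisted" is exactly the set to take to PSIRT or to check against the release notes; "fixed" and "not_affected" are the scanner false positives that a version-only match produces.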


Filed Defects

Be sure to check out the following filed defects as well:

  • CSCum44746 - Hide the Python version in the HTTP Server banner; no impact on ESA service or operations.
  • CSCvx65163 - General request to upgrade to Python 3, so that CVEs against Python 2.6.4 no longer need to be fixed individually; completion timeline is 1.5 years from the original post.


Customer Concerns

How to respond when a customer raises a concern not covered by the list above:

  1. Cisco continues to fix CVEs reported to PSIRT until Python is upgraded to 3.x.
  2. Python 3 on AsyncOS was originally planned as part of the AsyncOS 15.0 release (CY2022); see the Dec 2021 update at the top of this post for the revised target.


PSIRT

We encourage customers to send any vulnerability concerns to PSIRT: Security Vulnerability Policy (PSIRT)


PSIRT works directly with the affected product teams and Engineering to ensure that concerns are reviewed and addressed.


Other Helpful Resources

Cisco Security > Cisco Security Advisories

Product Support > Security Advisories, Responses and Notices (ESA specific)


3 Comments

Hi,  I would like to know when the migration of Python will be available since the version 14.2 is still not released.

Thanks

ScottWojo
Level 1

@Robert Sherwin We recently just upgraded to 14.2.0-620 on our ESA. The Python 2.6 vulnerability is still showing on our scans and nothing in the release notes mentions a Python version upgrade. Can you please update this blog post?

Lunaro
Level 1

It is now nearly the 4th quarter of 2022 and Cisco is still using an unsupported version of Python, after saying that this would be released earlier this year.  Can we please be provided some communication as to the state of when this patch will be released and when Cisco will stop using EoL Python?
