[Cisco PSIRT openVuln API] Filtering version per product

psourdea
Cisco Employee

Hi team,

I am building a Python script to get PSIRT vulnerabilities.

Using the "product" Endpoint (https://apix.cisco.com/security/advisories/v2/product), I got all vulnerabilities (for "Cisco Jabber" product for example), but I can't filter using version information.

How can I filter product vulnerabilities by version?

Thank you for your help.

Pierre

4 Replies

OpenVulnAlert
Level 1
Hello Pierre,
Today you cannot.

The only products that support version information are those that are supported in Cisco Software Checker.

Regards
Paul Oxman.

Hi Paul,

Thank you for your reply!

This is the behavior I saw, only the "Software" Endpoint can be filtered by version.

Do you know if the feature is also planned for the "product" endpoint?

And, do you know if we can use another query to get the affected and fixed versions for a specific CVE?

For example, CVE-2000-1234 matches the "Cisco Jabber" product (using the "product" endpoint API).

Could we use another API method to check which version of Jabber is affected by CVE-2000-1234 (Bug ID API, ...)?

Hello Pierre,
Today this is the current situation.

IOS and IOS-XE Software
Both Cisco IOS and Cisco IOS-XE Software have their productName as either Cisco IOS Software or Cisco IOS XE Software, and the software versions as either Cisco IOS <version> or Cisco IOS XE Software <version>; we do not include product IDs for either of these operating systems. So you would do your audit based on the IOS/IOS-XE version and then on configuration. If the advisory happens to only impact, say, IR800 and CGR1200 routers, which run IOS Software, then that will not be picked up by the automation. You would have a list of devices running the affected version. You could then run the configuration check, and that would narrow it down further. But today, for the PID, you would need to scan the affected products section of the advisory to see if it affected just a few hardware platforms.

Cisco ASA, FMC, FTD, FXOS, NX-OS and NX-OS in ACI Mode
These also include the family of platforms (/security/advisories/platforms), as well as the version being represented as: Cisco NX-OS Software <version>.

Third Party Software
These have to be manually examined by a human. At this stage we have no easy method to populate the data in these with any reliability. An example: cisco-sa-java-spring-rce-Zx9GUc67. Most of the TPS is being moved over to CVR (https://sec.cloudapps.cisco.com/security/center/cvr). Please take a look at https://community.cisco.com/t5/security-knowledge-base/the-cisco-vulnerability-repository-cvr-and-csaf-vex/ta-p/4922501

All Others
Again, these would be challenging to fully automate at this stage. The API will reliably return the affected product or network operating system, but not the affected versions. Cisco is working on exposing more data for key platforms such as ASA/FP/XR etc., but we don't have timeframes for this.

As VEX and our integration of it evolve, things in this area will hopefully expand, and what you wish to achieve today will become possible. Given you are a Cisco Employee, let's sync; whilst there is the Bug API, this also has limitations regarding affected and fixed versions.

Thanks.
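The version encoding described in the reply above (a productName such as "Cisco IOS XE Software 17.9.5" or "Cisco NX-OS Software <version>") means that, where the API does carry versions, the filtering the original post asks for can be done client-side on the product endpoint's response, and the same parse answers the earlier question of which versions a given CVE maps to. The Python below is an added example, not the original poster's script and not Cisco's own code. It assumes the response shape of the openVuln v2 product endpoint (a top-level "advisories" list whose entries carry "advisoryId", "cves" and "productNames") and assumes the endpoint takes a "product" query parameter; the JSON payload is constructed for the example, and the advisory IDs and CVEs in it are placeholders.

```python
"""Client-side version filtering of openVuln product-endpoint results.

Added example, not the original poster's script or Cisco's code. The field
names (advisories, advisoryId, cves, productNames) are assumed from the
openVuln v2 response shape; the sample payload is constructed.
"""
import json
import re
import urllib.parse
import urllib.request
from collections import defaultdict

PRODUCT_ENDPOINT = "https://apix.cisco.com/security/advisories/v2/product"

# Constructed sample in the assumed shape of GET .../v2/product?product=...
SAMPLE_RESPONSE = json.dumps({
    "advisories": [
        {
            "advisoryId": "cisco-sa-example-0001",          # placeholder ID
            "cves": ["CVE-2000-1234"],                      # placeholder CVE
            "productNames": [
                "Cisco Jabber for Windows 12.8",
                "Cisco Jabber for Windows 12.9(0)",
                "Cisco Jabber for Mac 12.9(0)",
            ],
        },
        {
            "advisoryId": "cisco-sa-example-0002",
            "cves": ["CVE-2000-5678"],
            # No version token: the entry names the product as a whole.
            "productNames": ["Cisco Jabber"],
        },
        {
            "advisoryId": "cisco-sa-example-0003",
            "cves": ["CVE-2000-9999"],
            "productNames": ["Cisco IOS XE Software 17.9.5"],
        },
    ]
})

# A productName is "<name> <version>" when its last token starts with a
# digit, e.g. "Cisco IOS XE Software 17.9.5" or "Cisco Jabber for Windows
# 12.9(0)". Anything else is treated as a bare product name.
_VERSION_RE = re.compile(r"^(?P<name>.*\S)\s+(?P<version>\d[\w.()]*)$")


def split_product_name(product_name):
    """Return (name, version) with version None when no version token."""
    m = _VERSION_RE.match(product_name)
    if not m:
        return product_name.strip(), None
    return m.group("name"), m.group("version")


def filter_by_version(response_json, product, version):
    """Advisory IDs whose productNames list `product` at exactly `version`.

    An entry naming `product` with no version is kept too: the API uses
    such entries when it does not break the product down by version, so
    dropping them would silently hide advisories.
    """
    hits = []
    for adv in json.loads(response_json)["advisories"]:
        for pn in adv["productNames"]:
            name, ver = split_product_name(pn)
            if not name.startswith(product):
                continue
            if ver is None or ver == version:
                hits.append(adv["advisoryId"])
                break  # one match per advisory is enough
    return hits


def versions_by_cve(response_json, product):
    """Map each CVE to the sorted list of versions named for `product`."""
    out = defaultdict(set)
    for adv in json.loads(response_json)["advisories"]:
        for pn in adv["productNames"]:
            name, ver = split_product_name(pn)
            if name.startswith(product) and ver is not None:
                for cve in adv["cves"]:
                    out[cve].add(ver)
    return {cve: sorted(vers) for cve, vers in out.items()}


def fetch_product_advisories(bearer_token, product):
    """Live call (not exercised here). Assumes a 'product' query parameter
    and a Bearer token obtained from the openVuln OAuth2 endpoint."""
    url = PRODUCT_ENDPOINT + "?" + urllib.parse.urlencode({"product": product})
    req = urllib.request.Request(url, headers={
        "Authorization": "Bearer " + bearer_token,
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(filter_by_version(SAMPLE_RESPONSE, "Cisco Jabber", "12.9(0)"))
    print(versions_by_cve(SAMPLE_RESPONSE, "Cisco Jabber"))
```

Two caveats when running this against real responses: the match is an exact string compare on the version token, so "17.9.5" and "17.9.5a" are different releases and a range such as "17.9.x" needs your own comparison logic; and a product name that ends in a model number rather than a release (for example a hardware platform name) would be misread as versioned by the regex, so keep the unversioned fallback in `filter_by_version` rather than filtering it out.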

In this case, if that IOS-XE software relates only to switches, does it mean there is no tracking of device type, like "Switch" or "Router", when that particular affected IOS-XE version is presented in an API call?

For example, if we query the API via "cisco-sa-vlan-dos-27Pur5RT" for IOS-XE 17.9.5 and the software version is applicable to both the C8000 and C9000 router/switch, instead of scanning this advisory ID by software version, how can we identify whether this vulnerability is only applicable to a "Switch" instead of a "Router"?

Meanwhile, if this is not available in the openVuln API at this moment, is there any plan to add the device type or model in future?