1157 Views | 5 Helpful | 5 Replies

Missing <firstFixed> value IOS Checker (openVulnAPI)

jennifer.hakel
Level 1

Hi everyone,

First of all, thanks for integrating the IOS Checker and the possibility to obtain advisories by product. Makes everything so much easier to handle.

I'm working on integrating the IOS Checker into some scripts.

While running some tests I noticed that the <firstFixed> value is missing for all 12.2(33) IOS Versions.

Subversions of 12.2(14) and 12.2(118) had the firstFixed value.

I checked some of the subversions of the 12.2(33) IOS Version with the IOS Checker website and the results there showed the FirstFixed value.

Any ideas why this happens?

Thanks

Jennifer

5 Replies

Omar Santos
Cisco Employee

Hi Jennifer,

It looks like IOS release 12.2(33) was never released and/or it was deferred. We are looking into this, but we checked and no advisories affect that "release".

Regards,

Omar

Hi,

I think my wording was a little confusing (Sorry for that). I wasn't looking for a 12.2(33) version/release.

I first noticed the missing value while running some tests with the 12.2(33)SXI9 release. After that I checked all trains (I think that's the right term) that start with 12.2(33).

Jennifer

Thank you for the clarification and additional details Jennifer!

The reason you are seeing this is that there is no first fixed release/recommended release for some of the advisories that affect that release. In the IOS Software Checker you will also see the following:

"Contact your support organization for upgrade instructions that address vulnerabilities in all specified advisories."

[Attachment: swchecker.PNG]

Hi Omar,

Thanks for your quick response. I'm still a little confused about the results I'm getting back from the API and the IOS Checker, because the results are different.

<advisory>
  <advisoryId>cisco-sa-20150722-tftp</advisoryId>
  <advisoryTitle>Cisco IOS Software TFTP Server Denial of Service Vulnerability</advisoryTitle>
  <bugIDs>
    <bugID>CSCts66733</bugID>
  </bugIDs>
  <cves>
    <cve>CVE-2015-0681</cve>
  </cves>
  <cvssBaseScore>7.1</cvssBaseScore>
  <cwes>
    <cwe>CWE-399</cwe>
  </cwes>
  <firstFixed/>
  <firstPublished>2015-07-22T16:00:00-0500</firstPublished>
  <iosRelease>12.2(33)SXJ2</iosRelease>
  <lastUpdated>2015-07-22T16:00:00-0500</lastUpdated>
  <ovalUrl>NA</ovalUrl>


This is part of the XML file I get from the API when looking for 12.2(33)SXI9. It's the third advisory from the picture of the IOS Software Checker you posted.

Correct me if I'm wrong, but shouldn't the first fixed value here be 12.2(33)SXJ2?

Jennifer
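One way to consume this response in a script, as an added example that is not part of this thread and not Cisco's code: it parses advisory XML of the shape posted above and maps an empty <firstFixed/> to "no fixed release listed" rather than to an empty string, so a script does not mistake it for a fixed release. The sample XML is constructed from the posted fragment (closing </advisory> added, a second advisory with placeholder values appended, and a hypothetical <advisories> root wrapped around both); NO_FIX, parse_advisories and remediation are names chosen here.

```python
"""Parse IOS Checker advisory XML and handle an empty <firstFixed/>.
Sample data is constructed from the thread; not an API response."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<advisories>
 <advisory>
  <advisoryId>cisco-sa-20150722-tftp</advisoryId>
  <advisoryTitle>Cisco IOS Software TFTP Server Denial of Service Vulnerability</advisoryTitle>
  <bugIDs><bugID>CSCts66733</bugID></bugIDs>
  <cves><cve>CVE-2015-0681</cve></cves>
  <cvssBaseScore>7.1</cvssBaseScore>
  <cwes><cwe>CWE-399</cwe></cwes>
  <firstFixed/>
  <firstPublished>2015-07-22T16:00:00-0500</firstPublished>
  <iosRelease>12.2(33)SXJ2</iosRelease>
  <lastUpdated>2015-07-22T16:00:00-0500</lastUpdated>
  <ovalUrl>NA</ovalUrl>
 </advisory>
 <advisory>
  <advisoryId>cisco-sa-PLACEHOLDER</advisoryId>
  <cves><cve>CVE-0000-0000</cve></cves>
  <cvssBaseScore>5.0</cvssBaseScore>
  <firstFixed>PLACEHOLDER-FIXED-RELEASE</firstFixed>
 </advisory>
</advisories>"""

# Text the IOS Software Checker shows when no first fixed release exists.
NO_FIX = "Contact your support organization for upgrade instructions"


def parse_advisories(xml_text):
    """One dict per <advisory>; first_fixed is None when the element is
    empty or absent, instead of the empty string the API returns."""
    results = []
    for adv in ET.fromstring(xml_text).iter("advisory"):
        fixed = (adv.findtext("firstFixed") or "").strip()
        results.append({
            "advisory_id": adv.findtext("advisoryId", "").strip(),
            "ios_release": adv.findtext("iosRelease", "").strip(),
            "cves": [c.text.strip() for c in adv.iter("cve") if c.text],
            "cvss": float(adv.findtext("cvssBaseScore") or 0.0),
            "first_fixed": fixed or None,
        })
    return results


def remediation(advisory):
    """Map an advisory to an action; an empty firstFixed is not 'fixed'."""
    if advisory["first_fixed"] is None:
        return "no first fixed release listed; " + NO_FIX
    return "upgrade to " + advisory["first_fixed"]
```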



juagonza
Cisco Employee

Hi Jennifer,

First, thank you for your interest in Cisco tools.

I did some digging. I went all the way to information from 2004, and I did not find traces of a 12.2(33) release, that is, in the old-style 12.2 mainline train (back when mainline trains had no "M"). Anyway, I will remove that release.

Now, overall 12.2 is pretty old. There was a numeric 33 on other trains, for example 12.2(33)SRE12; that release was published two years ago and has a number of vulnerabilities and their first fixed releases.

We regularly do a number of manual verifications on the data that is provided, but the assumption is that customers need to know information about trains that have not reached the end-of-support milestone. For 12.2 that milestone was reached some time ago.

Going back to your testing, I think it would be best to focus on 15.0 and up.

Hope this helps!

Reference:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-software-release-12-2/prod_end-of-life_notice0900aecd80330813.html

Juan-Manuel
