
PSIRT OpenVuln API: Versions not found in CSAF

Hi,

I am using the PSIRT APIs to fetch data for IOS, IOS XE, IOS XR, and NX-OS. Through the API, I retrieve the CSAF URL and download the associated JSON. However, there is some missing information regarding which versions are vulnerable to the relevant advisories.

Here are some examples:

[Screenshot: Screenshot from 2024-05-28 10-16-34.png]

This image represents the CSAF JSON file of cisco-sa-snmp-uwBXfqww. As you can see, the information about product versions is displayed. However, in some cases, the versions are not specified in the CSAF. 
Specifically, for IOS XR, none of the versions are displayed. Here’s an example of a CSAF JSON file for cisco-sa-iosxr-ipxe-sigbypass-pymfyqgB:

[Screenshot: emanueledisalvia_0-1716887674371.png]

To achieve what I want, I actually need those versions. So my question is: If I encounter cases where these versions are missing, how should I handle them? Should it be interpreted as "All versions of this family are affected"?

Thank you

Emanuele Di Salvia


Torbjørn
VIP

Hi @emanuele-disalvia,

The "versions affected" data seems to be provided by Cisco Software Checker, which currently only supports checking versions of the following OSes: ASA, FMC, FTD, FXOS, IOS, IOS XE, NX-OS. AFAIK there is no other API that will give you the same information for IOS XR.

How to handle this comes down to your specific application/program. I believe you will either have to interpret it as "all versions are affected", or you will have to display/parse the "Fixed releases" portion of each IOS XR advisory.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Hi @Torbjørn 

This image represents the CSAF JSON file of cisco-sa-20180620-n3k-n9k-clisnmp.

As you mentioned, NX-OS is supported by Software Checker, but there's no version displayed in the CSAF file.

Should this be parsed as "all versions of NX-OS are affected"?

[Screenshot: louisyu_1-1736157425828.png]

Regards,

Louis

Hi @louis-yu

As far as I can see, the software versions should've been filled out for this advisory. I am not sure why they aren't; is this something you have any insight into, @PR Oxman?

Depending on the nature of your application, you either need to interpret this as "all releases", display the fixed releases portion of the advisory, or parse this data from the notes section somehow.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

PR Oxman
Cisco Employee

Hello,

Today it is fair to say that Cisco only populates the affected version information in CSAF for products that are supported by Software Checker: IOS, IOS XE, Cisco ASA, FMC, FTD, FXOS, NX-OS and NX-OS in ACI Mode.

For all other products the CSAF product tree only indicates the affected product. The affected and fixed releases are typically presented in a table in the Fixed Software portion of the advisory. So if you have a product family with no product versions, you need to flag it for manual inspection of the advisory/CSAF.

Cisco are considering opening this up for all products (no timeframe), but for all other products it would be a snapshot only at the time of publication, rather than a dynamically updated CSAF.

Thanks.

Hi @PR Oxman 

As you mentioned, only OSes that are supported in Software Checker (e.g. IOS, IOS XE, Cisco ASA, FMC, FTD, FXOS, NX-OS and NX-OS in ACI Mode) will display affected version numbers in the CSAF JSON file.

I notice that there are some that are supported in the checker but don't display version numbers as they should.


Ex:

cisco-sa-http2-reset-d8Kf32vZ

No 'NX-OS' version number displayed

[Screenshot: louisyu_0-1736219551722.png]


cisco-sa-20190513-secureboot

No 'aci' version number displayed

[Screenshot: louisyu_1-1736219679979.png]


We are currently working on a project that can automatically fetch fixed patch versions based on the affected OS name and versions in the advisory.

Any suggestions will be welcome.


Regards,

Louis


PR Oxman
Cisco Employee

Posting Michael's response for the wider audience:

Hi Louis,

 
Thanks for contacting the Cisco PSIRT.
 
The first advisory you are referencing below (cisco-sa-http2-reset-d8Kf32vZ) is an advisory for a security vulnerability in a third-party software (TPS) component used by multiple Cisco products. For this type of advisory, the first fixed release information is available only in the table of the textual (HTML) version of the advisory and in the per-product bug IDs that are referenced both in the HTML version and in the CSAF (JSON) version.
 
The second advisory you referenced below (cisco-sa-ios-nxos-xr-udld-dos-W5hGHgtQ) is from 2021. At that time, the Cisco Software Checker did not yet support FXOS (which is why the HTML version of the advisory contains a table for FXOS first fixed releases rather than a pointer to the Cisco Software Checker tool). Cisco Software Checker Support for FXOS was only added late August 2022.
 
One of the first advisories that used Cisco Software Checker for FXOS was cisco-sa-nxos-cdp-dos-ce-wWvPucC9. In its CSAF/JSON version you will find FXOS version information.
 
I hope this helps. Let me know if you have further questions.
 
Thanks,
Michael
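As an added example (not code from this thread, from Cisco PSIRT, or from the openVuln API itself), the following Python walks a CSAF 2.0 product_tree the way PR Oxman's and Michael's replies describe: it records a version only where a product_version branch exists on the path to a product, flags every affected product family that has none for manual inspection of the advisory's Fixed Software table, and collects the Cisco Bug IDs the CSAF references so a pipeline can follow them for third-party-software advisories. The embedded document is a constructed, minimal sample laid out like Cisco's files; it is not a real advisory, and its product IDs, CVE and bug IDs are placeholders.

```python
"""Flag CSAF product families that carry no version information.

Added example; not from the thread or from Cisco. SAMPLE_CSAF below is a
constructed CSAF 2.0 fragment with Cisco-style branch categories. The
identifiers (CSAFPID-*, the CVE, the CSCxx bug IDs) are placeholders.
"""
import json
from collections import defaultdict
from typing import Iterator, Optional

# Constructed sample: IOS XE carries product_version branches, IOS XR does not.
SAMPLE_CSAF = json.loads("""
{
  "document": {"title": "Constructed example advisory",
               "tracking": {"id": "cisco-sa-example"}},
  "product_tree": {"branches": [
    {"category": "vendor", "name": "Cisco", "branches": [
      {"category": "product_name", "name": "Cisco IOS XE Software", "branches": [
        {"category": "product_version", "name": "17.3.1",
         "product": {"name": "Cisco IOS XE Software 17.3.1", "product_id": "CSAFPID-0001"}},
        {"category": "product_version", "name": "17.6.1",
         "product": {"name": "Cisco IOS XE Software 17.6.1", "product_id": "CSAFPID-0002"}}
      ]},
      {"category": "product_name", "name": "Cisco IOS XR Software",
       "product": {"name": "Cisco IOS XR Software", "product_id": "CSAFPID-0003"}}
    ]}
  ]},
  "vulnerabilities": [{
    "cve": "CVE-0000-00001",
    "ids": [{"system_name": "Cisco Bug ID", "text": "CSCxx00001"},
            {"system_name": "Cisco Bug ID", "text": "CSCxx00002"}],
    "product_status": {"known_affected": ["CSAFPID-0001", "CSAFPID-0003"],
                       "fixed": ["CSAFPID-0002"]}
  }]
}
""")


def iter_products(branch: dict, family: Optional[str] = None,
                  version: Optional[str] = None) -> Iterator[tuple]:
    """Yield (family, version, product_id) for every 'product' leaf.

    family  = name of the first non-vendor branch on the path
    version = name of a product_version branch on the path, else None
              (None is exactly the IOS XR case discussed in the thread).
    product_tree.relationships and full_product_names are not walked here.
    """
    cat, name = branch.get("category"), branch.get("name")
    if cat == "product_version":
        version = name
    elif cat != "vendor" and family is None:
        family = name
    if "product" in branch:
        yield family, version, branch["product"]["product_id"]
    for child in branch.get("branches", []):
        yield from iter_products(child, family, version)


def product_index(doc: dict) -> dict:
    """product_id -> (family, version) for the whole product_tree."""
    root = {"branches": doc.get("product_tree", {}).get("branches", [])}
    return {pid: (fam, ver) for fam, ver, pid in iter_products(root)}


def cisco_bug_ids(vuln: dict) -> list:
    """Bug IDs referenced in vulnerabilities[].ids with system_name 'Cisco Bug ID'."""
    return [i["text"] for i in vuln.get("ids", [])
            if i.get("system_name") == "Cisco Bug ID"]


def summarize(doc: dict) -> dict:
    """Split affected products into versioned ones, fixed ones, and families
    that must be reviewed manually because the CSAF gives no versions."""
    idx = product_index(doc)
    affected, fixed, manual, bugs = defaultdict(set), defaultdict(set), set(), []
    for vuln in doc.get("vulnerabilities", []):
        status = vuln.get("product_status", {})
        for pid in status.get("known_affected", []):
            fam, ver = idx.get(pid, (None, None))
            if ver is None:            # no product_version on the path
                manual.add(fam or pid)
            else:
                affected[fam].add(ver)
        for pid in status.get("fixed", []):
            fam, ver = idx.get(pid, (None, None))
            if ver is not None:
                fixed[fam].add(ver)
        bugs.extend(cisco_bug_ids(vuln))
    # sorted() is lexicographic; a release-aware comparator is needed before
    # picking a "first fixed" release from real data.
    return {"affected": {f: sorted(v) for f, v in affected.items()},
            "fixed": {f: sorted(v) for f, v in fixed.items()},
            "manual_review": sorted(manual),
            "bug_ids": sorted(set(bugs))}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_CSAF), indent=2))
```

On the sample this reports IOS XE 17.3.1 as affected, 17.6.1 as fixed, lists "Cisco IOS XR Software" under manual_review, and returns the two bug IDs. To use it on real data, replace SAMPLE_CSAF with json.load() of the file downloaded from the CSAF URL the openVuln API returns; anything that lands in manual_review is a family for which, per the replies above, the Fixed Software table of the HTML advisory (or the referenced bug IDs) is the only source of release information.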