How to patch and/or upgrade IOS to fix vulnerabilities using Cisco IOS Software Checker

glabsanto
Level 1

Hello, everybody. I'm new to the forum. I have a question on how to patch and/or upgrade IOS to fix vulnerabilities. I have neither patched nor upgraded an IOS before. I have a 3750V2 switch with software version 15.0(2)SE7 and a 2921 router with software version 15.1(4)M7. For now, I'll start off asking a question about the switch. And, depending on the discussion outcome, I might ask a question regarding the router.

 

As for the 3750V2 switch, I checked the software version using the Cisco IOS Software Checker site and found out there are 21 vulnerabilities. On the Cisco IOS Software Checker site, there is a column called "First Fixed" with a latest version of 15.0(2)SE11. At the bottom of the list, there is a box called "Combined First Fixed" with 3 versions: 15.2(2)E7, 15.2(5)E2c, and 15.2(6)E.

 

My question is: Which fix version will I apply? First Fixed version or Combined First Fixed?

 

Thanks in advance...

3 Replies

RyanB
Level 1

You would go with the combined.

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp

 

Cisco IOS and IOS XE Software

To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified (“Combined First Fixed”).

glabsanto
Level 1

Thanks, RyanB for your reply.  

 
Your answer begs me to ask more questions :)
 
1) Why the Combined First Fixed?
2) There are three versions of the Combined First Fixed. In what order do I have to apply them?
3) Do I have to apply the First Fixed after the Combined First Fixed?  If Yes, in what order do I have to apply?  There are multiple IOS versions of the First Fixed.
 
Please advise.  

1) Because these are the releases where all the listed vulnerabilities are fixed.
2) You would not apply them in any order; you would pick 1 of the 3 and run that.
3) Same as above, you only run 1 IOS at a time. It's not a patch, it's a full IOS.

The reason (as I understand it) for 3 different IOS releases being listed under combined is because the "Cisco IOS and IOS XE Software EnergyWise Denial of Service Vulnerabilities" has experienced multiple vulnerabilities over time, and subsequent IOS releases have patched some but not others that were discovered later. I would imagine that the latest (15.2(6)E) would cover all these listed vulnerabilities.

Alternatively, you could upgrade to a version higher than 15.2, assuming the device supports it... but as with upgrading to any of the newest versions of software, you could be exposed to potentially undiscovered vulnerabilities, or ones that have not yet been fixed.
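To make the difference between "First Fixed" and "Combined First Fixed" concrete, here is an added worked example (not from the thread, the Cisco IOS Software Checker, or Cisco) that models the per-advisory "First Fixed" column and derives the "Combined First Fixed" box from it. The advisory names and fixed-release tables are constructed for illustration and are not real advisories. The model makes two assumptions about how the checker's output is read in the replies above: a fix persists in every later rebuild of the same release line (for example 15.2(5)E2c and later within 15.2(5)E), and a release line only gets a combined fix when every advisory affecting that line has a fixed release in it, in which case the combined fix is the latest of those per-advisory First Fixed releases. That is why, in the sample data as in the original question, 15.0(2)SE11 appears as a First Fixed for one advisory but the 15.0(2)SE line never shows up under Combined First Fixed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, Optional

# Classic IOS release string, e.g. 15.2(5)E2c -> major 15, minor 2, maintenance 5,
# train "E", rebuild 2, rebuild letter "c". The pattern is an assumption that covers
# the release names used in this thread; it is not Cisco's own parser.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)([a-z]?)$")


@dataclass(frozen=True)
class Release:
    text: str
    major: int
    minor: int
    maintenance: int
    train: str
    rebuild: int          # 0 when the rebuild number is absent, e.g. 15.2(6)E
    rebuild_letter: str   # "" when absent

    @classmethod
    def parse(cls, text: str) -> "Release":
        m = _RELEASE_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised IOS release string: {text!r}")
        major, minor, maint, train, rebuild, letter = m.groups()
        return cls(text.strip(), int(major), int(minor), int(maint), train,
                   int(rebuild or 0), letter)

    @property
    def line(self) -> str:
        """Release line the image belongs to, e.g. '15.2(5)E'."""
        return f"{self.major}.{self.minor}({self.maintenance}){self.train}"

    @property
    def rebuild_key(self):
        # Orders rebuilds inside one line: E1 < E2 < E2c (the empty letter sorts first).
        return (self.rebuild, self.rebuild_letter)


def fixed_in(running: Release, first_fixed: Release) -> bool:
    """True if `running` is in the same line as `first_fixed` and at or past it.
    Assumption: a fix persists in all later rebuilds of the same release line."""
    return running.line == first_fixed.line and running.rebuild_key >= first_fixed.rebuild_key


# Constructed advisory table (NOT real Cisco advisories): advisory -> {line: First Fixed}.
# A line that is absent is not affected by that advisory; a line mapped to None is
# affected but has no fixed release in that line (a migration to another line is needed).
ADVISORIES: Dict[str, Dict[str, Optional[str]]] = {
    "ADV-1 (constructed)": {"15.0(2)SE": "15.0(2)SE10", "15.2(2)E": "15.2(2)E6",
                            "15.2(5)E": "15.2(5)E2", "15.2(6)E": "15.2(6)E"},
    "ADV-2 (constructed)": {"15.0(2)SE": "15.0(2)SE11", "15.2(2)E": "15.2(2)E7",
                            "15.2(5)E": "15.2(5)E2c", "15.2(6)E": "15.2(6)E"},
    "ADV-3 (constructed)": {"15.0(2)SE": None, "15.2(2)E": "15.2(2)E5",
                            "15.2(5)E": "15.2(5)E1", "15.2(6)E": "15.2(6)E"},
}


def affecting_advisories(running: str, advisories=ADVISORIES) -> Dict[str, Optional[str]]:
    """Advisories that still affect `running`, each mapped to that line's First Fixed
    release (None means the line has no fix at all for that advisory)."""
    r = Release.parse(running)
    still_open: Dict[str, Optional[str]] = {}
    for name, lines in advisories.items():
        if r.line not in lines:
            continue  # this advisory does not affect the running line
        ff = lines[r.line]
        if ff is None or not fixed_in(r, Release.parse(ff)):
            still_open[name] = ff
    return still_open


def combined_first_fixed(advisories=ADVISORIES) -> Dict[str, Optional[str]]:
    """Per release line, the earliest release that fixes every advisory affecting it.
    Assumption: the combined fix is the latest per-advisory First Fixed in that line,
    and None when some advisory has no fix there (the line cannot be made clean)."""
    all_lines = sorted({line for table in advisories.values() for line in table})
    combined: Dict[str, Optional[str]] = {}
    for line in all_lines:
        best: Optional[Release] = None
        for table in advisories.values():
            if line not in table:
                continue                    # advisory does not affect this line
            if table[line] is None:         # affected, no fix: drop the whole line
                best = None
                break
            candidate = Release.parse(table[line])
            if best is None or candidate.rebuild_key > best.rebuild_key:
                best = candidate
        combined[line] = best.text if best else None
    return combined


if __name__ == "__main__":
    for version in ("15.0(2)SE7", "15.0(2)SE11", "15.2(5)E2c"):
        print(version, "->", affecting_advisories(version) or "no open advisories")
    print("Combined First Fixed:", combined_first_fixed())
```

Running the block with the constructed table shows the point made in the replies: moving 15.0(2)SE7 to the single highest First Fixed in its own line, 15.0(2)SE11, still leaves one advisory open, because that line has no fix for it, while any one of the three Combined First Fixed releases closes all of them at once. Since an IOS upgrade replaces the whole image rather than applying a patch, only one of those combined releases is installed, and the per-advisory First Fixed releases are not applied afterwards.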