WS-C4507R+E vulnerability issue

Running image cat4500-ipbasek9-mz.150-2.SG11.bin, we have faced the following vulnerabilities:

CVE-2015-6375
CVE-2015-0204
CVE-2017-3881
cisco-sa-20170419
cisco-sa-20170629
CVE-2017-6770
CVE-2017-12240
CVE-2018-0174
CVE-2018-0175
CVE-2018-0172
CVE-2018-0173
CVE-2018-0167
CVE-2018-15369
CVE-2018-15373
CVE-2018-0197
CVE-2018-0475

 

I have checked all the CVE IDs; there is no workaround. Also, the installed image is already the latest one. How can I fix this issue? Can anyone help with this bug fix?


16 Replies

Leo Laohoo
Hall of Fame

@sankardevarajan1986 wrote:

How can I fix this issue? Can anyone help with this bug fix?


Easy: Upgrade the IOS

running image cat4500-ipbasek9-mz.150-2.SG11.bin

Can you suggest which version I need to upgrade to?

What supervisor engine are you using in the chassis? Some have been EOL'd, and therefore there is no chance of new software being made available.

I did a quick check of some of those vulnerabilities; are you sure you are using the specific features listed? If they are not in use, that is as good as having a workaround implemented! :)

 

cheers,

Seb.

Catalyst 4500E 7-slot chassis for 48 Gbps/slot.

Could you explain what the specific features listed are?

What is the output of:

sh module

This is a vulnerability issue. We need to upgrade or downgrade the image, or restrict the enabled commands.

I'd like to know what supervisor you are running, to determine if it has been EOL'd, which will affect your chances of another software release ever being published for your switch.

If a newer software release is not an option, then the only mitigation is to upgrade the platform, either the supervisor (or entire chassis), to one which has a software release which mitigates all of these vulnerabilities.

As I said in my first post, have you confirmed you have actually implemented the features which are susceptible to these CVEs? There is no need to panic about them if you are not exposed.

Cheers,

Seb

sh module

Chassis Type : WS-C4507R+E

Power consumed by backplane : 40 Watts

Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
 1     6  1000BaseX (GBIC)                       WS-X4306-GB        JAE1002TE45
 2     6  1000BaseX (GBIC)                       WS-X4306-GB        JAE1002TE3S
 3     6  Sup V-10GE 10GE (X2), 1000BaseX (SFP)  WS-X4516-10GE      JAE14200F16
 4     6  Sup V-10GE 10GE (X2), 1000BaseX (SFP)  WS-X4516-10GE      JAE1016071D
 5    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45   JAE0952SRVY
 6    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45   JAE1001T4QU

 M MAC addresses                    Hw  Fw           Sw               Status
--+--------------------------------+---+------------+----------------+---------
 1 000f.2494.ec04 to 000f.2494.ec09 4.1                               Ok
 2 000f.2494.ebe6 to 000f.2494.ebeb 4.1                               Ok
 3 d8b1.90b1.d280 to d8b1.90b1.d285 5.4 12.2(31r)SGA 15.0(2)SG11      Ok
 4 d8b1.90b1.d286 to d8b1.90b1.d28b 3.6 12.2(31r)SGA 15.0(2)SG11      Ok
 5 0016.9d13.6710 to 0016.9d13.673f 2.2                               Ok
 6 0016.9d13.bb40 to 0016.9d13.bb6f 2.2                               Ok

Mod  Redundancy role     Operating mode      Redundancy status
----+-------------------+-------------------+----------------------------------
 3   Standby Supervisor  SSO                 Standby hot
 4   Active Supervisor   SSO                 Active

Thanks. See:

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-4500-series-switches/eol__C51-715812.html

...there will be no further software updates for this supervisor. It does give a replacement part number: WS-X45-SUP7-E, which has software released as recently as September 2018.

It may be cheaper to evaluate your configuration and determine if you are actually vulnerable to the CVEs you listed above.

cheers,

Seb.

 

Thank you so much for the timely reply. I have checked the vulnerabilities mentioned; there is no workaround from Cisco.

Could you please help to fix these vulnerabilities?

Can you share the config of the switch so we can pick our way through it?

no cluster run command - if I configure it, will there be any impact?

I've never used clustering, so I can't comment. I'd imagine that if you remove that command, any changes made to the cluster will not be propagated to that switch.

You should be able to get the running config without removing it from the cluster.

Thanks for sharing the config. Having checked it against the vulnerabilities listed, see below:

CVE-2015-6375        - CNS - not configured
CVE-2015-0204        - OpenSSL - vulnerable - no workaround
CVE-2017-3881        - cluster - vulnerable - mitigate by disabling clustering or implementing VTY ACLs
cisco-sa-20170419    - generic advisory
cisco-sa-20170629    - SNMPv2c - vulnerable - the attacker would need to know your community string AND be permitted by ACL 17
CVE-2017-6770        - OSPF - not configured, not vulnerable
CVE-2017-12240       - DHCP relay - vulnerable - no workaround
CVE-2018-0174        - DHCP relay - vulnerable - no workaround
CVE-2018-0175        - LLDP - not configured, not vulnerable
CVE-2018-0172        - DHCP relay - vulnerable - no workaround
CVE-2018-0173        - DHCP relay - vulnerable - no workaround
CVE-2018-0167        - LLDP - not configured, not vulnerable
CVE-2018-15369       - TACACS client - vulnerable
CVE-2018-15373       - CDP - not configured, not vulnerable
CVE-2018-0197        - VTP - vulnerable
CVE-2018-0475        - cluster - vulnerable

Anything marked vulnerable can only be resolved by a software upgrade. Since this is not an option, you will have to either upgrade the supervisor card or replace the entire chassis with one which runs a patched version of IOS/IOS-XE/NX-OS.

cheers,

Seb.
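The screening the accepted answer does by hand (map each advisory to a feature class, then check whether the running-config actually uses that feature) can be scripted so it is repeatable across a fleet. What follows is an added example, not code from this thread and not Cisco tooling: the advisory-to-feature mapping is copied from the answer above, while the detection patterns, the default-on assumptions for clustering, CDP and VTP (each marked in a comment) and both sample configs are constructed for the illustration. It also applies the two config-level mitigations the thread mentions, `no cluster run` and a VTY access-class, and reports the residual set that only a software upgrade closes, which is the thread's conclusion.

```python
"""Screen a Cisco IOS running-config for the feature classes behind the
advisories in this thread, as the accepted answer does by hand. Added example,
not thread code or Cisco tooling: the mapping is the accepted answer's, the
patterns, default-on assumptions and sample configs are constructed here."""
import re
from typing import Dict, Optional

ADVISORY_FEATURE: Dict[str, str] = {  # advisory -> feature, from the accepted answer
    "CVE-2015-6375": "cns", "CVE-2015-0204": "openssl",
    "CVE-2017-3881": "cluster", "cisco-sa-20170629": "snmpv2c",
    "CVE-2017-6770": "ospf", "CVE-2017-12240": "dhcp-relay",
    "CVE-2018-0174": "dhcp-relay", "CVE-2018-0175": "lldp",
    "CVE-2018-0172": "dhcp-relay", "CVE-2018-0173": "dhcp-relay",
    "CVE-2018-0167": "lldp", "CVE-2018-15369": "tacacs",
    "CVE-2018-15373": "cdp", "CVE-2018-0197": "vtp",
    "CVE-2018-0475": "cluster",
}

def _has(cfg: str, pattern: str) -> bool:
    return re.search(pattern, cfg, re.MULTILINE) is not None

def vty_has_access_class(cfg: str) -> bool:
    """True only if every 'line vty' block carries an inbound access-class."""
    blocks = re.findall(r"^line vty[^\n]*\n((?:[ \t]+[^\n]*\n?)*)", cfg, re.MULTILINE)
    return bool(blocks) and all(
        re.search(r"^[ \t]*access-class \S+ in\b", b, re.MULTILINE) for b in blocks)

def snmp_communities(cfg: str) -> Dict[str, Optional[str]]:
    """Map each SNMP community to the standard ACL bound to it (None = open)."""
    out: Dict[str, Optional[str]] = {}
    for m in re.finditer(r"^snmp-server community (\S+)(.*)$", cfg, re.MULTILINE):
        tokens, acl, i = m.group(2).split(), None, 0
        while i < len(tokens):  # syntax: [view NAME] [RO|RW] [ipv6 ACL6] [ACL]
            if tokens[i] in ("view", "ipv6"):
                i += 2
            elif tokens[i].upper() in ("RO", "RW"):
                i += 1
            else:
                acl, i = tokens[i], i + 1
        out[m.group(1)] = acl
    return out

def check_feature(feature: str, cfg: str) -> str:
    """Verdict for one feature: exposed / not configured / mitigated / cannot screen."""
    if feature == "openssl":
        return "cannot screen from config"  # the library is in the image, not the config
    if feature == "cluster":
        # Assumption: clustering is on by default on Catalyst switches and shows
        # in the config only as 'no cluster run' once disabled.
        if _has(cfg, r"^no cluster run"):
            return "not configured"
        return "mitigated (VTY ACL)" if vty_has_access_class(cfg) else "exposed"
    if feature == "snmpv2c":
        comms = snmp_communities(cfg)
        if not comms:
            return "not configured"
        return "exposed (ACL-restricted)" if all(comms.values()) else "exposed"
    if feature == "cdp":  # Assumption: on by default, present only as 'no cdp run'
        return "not configured" if _has(cfg, r"^no cdp run") else "exposed"
    if feature == "vtp":  # Assumption: server mode by default; transparent/off opt out
        return "not configured" if _has(cfg, r"^vtp mode (transparent|off)") else "exposed"
    present = {  # features that appear in the config only when enabled
        "cns": r"^cns ", "ospf": r"^router ospf ", "lldp": r"^lldp run",
        "dhcp-relay": r"^[ \t]+ip helper-address ",
        "tacacs": r"^tacacs(-server host| server) ",
    }[feature]
    return "exposed" if _has(cfg, present) else "not configured"

def audit(cfg: str) -> Dict[str, str]:
    return {adv: check_feature(feat, cfg) for adv, feat in ADVISORY_FEATURE.items()}

def residual(cfg: str) -> set:
    """Advisories the config cannot close: the set only a software upgrade fixes."""
    return {a for a, s in audit(cfg).items() if s.startswith(("exposed", "cannot"))}

# Constructed sample in the shape the accepted answer describes: no CNS, OSPF,
# LLDP or CDP; SNMPv2c behind ACL 17; DHCP relay and TACACS+ in use; no VTY ACL.
EXPOSED_CONFIG = """\
hostname core-4507
no cdp run
snmp-server community s3cret RO 17
tacacs-server host 10.0.0.5
access-list 17 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.0.0.20
line vty 0 4
 transport input ssh
"""

# Same box after the two config-level mitigations the thread mentions.
HARDENED_CONFIG = EXPOSED_CONFIG.replace(
    "no cdp run\n", "no cdp run\nno cluster run\n").replace(
    " transport input ssh\n", " access-class 10 in\n transport input ssh\n")

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(residual(cfg))} advisories still need a software fix")
        for adv, status in audit(cfg).items():
            print(f"{adv:<20} {ADVISORY_FEATURE[adv]:<11} {status}")
```

Read a "not configured" verdict the way the answer does, as absence of exposure rather than a patch: enable the feature later and the finding returns. The default-on features are the ones worth double-checking on a real box with `show cluster`, `show cdp` and `show vtp status`, because their absence from the running-config means enabled, not disabled. On the constructed configs the hardened box still carries the OpenSSL, DHCP relay, TACACS+, VTP and SNMP items, which is exactly the list the answer says only a newer image on a supported supervisor can close.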