Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2616
Views
0
Helpful
7
Replies

ShellShock Vulnerable products

Go to solution
konstantin.fatkulin
Level 1
Level 1

‎10-06-2014 05:02 AM - edited ‎03-01-2019 11:52 AM

Hello

 

We have Cisci UCS blade servers B420 M3 serial : FCH1710J7JP

and the Fabric Interconnect : UCS-FI-6248UP

I need to know if those product are vulnerable for ShellShock 

If they are vulnerable witch patch I need to install ? 

 

1 person had this problem
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
djlundberg
Level 5
Level 5

‎10-06-2014 09:04 AM

Hi Konstantin-

Yep, your Fabric Interconnect is, and there is no patch released yet.

Here is the bug: https://tools.cisco.com/bugsearch/bug/CSCur01379

Workaround:
The access to the FI Management Address has to be in a protected domain to block potential exploitation of the vulnerability.

Here is a link to the Security Advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

DJ

View solution in original post

0 Helpful

Go to solution
Tom MacDonald
Level 1
Level 1
In response to Tom MacDonald

‎10-12-2014 03:27 PM

Just an FYI a fix has been released (2.2(3b))......
 
Fixes will be available in the following upcoming releases:
3.0(1d) ==> ETA week of 10/13
2.2(3b) ==> released 10/9
2.2(2e) ==> ETA week of 10/13
2.2(1f) ==> ETA week of 10/13
2.1(3f) ==> ETA will be announced shortly
2.0(5g) ==> ETA will be announced shortly

All six CVEs, CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 CVE-2014-6278, and CVE-2014-6277 have been fixed.

The 2.2(3b) release was published to CCO on 10/9. The other 2.2 release trains will be updated in the week of 10/13. The release schedule for the 2.0 and 2.1 release trains will be announced soon - release candidates are currently still in QA.
 

View solution in original post

0 Helpful
7 Replies 7

Go to solution
djlundberg
Level 5
Level 5

‎10-06-2014 09:04 AM

Hi Konstantin-

Yep, your Fabric Interconnect is, and there is no patch released yet.

Here is the bug: https://tools.cisco.com/bugsearch/bug/CSCur01379

Workaround:
The access to the FI Management Address has to be in a protected domain to block potential exploitation of the vulnerability.

Here is a link to the Security Advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

DJ

0 Helpful

Go to solution
konstantin.fatkulin
Level 1
Level 1
In response to djlundberg

‎10-06-2014 11:57 PM

Do you know when the update suppose to release ? 

 

0 Helpful

Go to solution
djlundberg
Level 5
Level 5
In response to konstantin.fatkulin

‎10-07-2014 07:03 AM

Hi Konstantin-

 

I do not.  Keep an eye on the bug that I referenced and it should be updated.

 

DJ

0 Helpful

Go to solution
Tom MacDonald
Level 1
Level 1
In response to djlundberg

‎10-09-2014 06:56 AM

They expect to have an update in the week starting 10/13/14.

0 Helpful

Go to solution
Tom MacDonald
Level 1
Level 1
In response to Tom MacDonald

‎10-12-2014 03:27 PM

Just an FYI a fix has been released (2.2(3b))......
 
Fixes will be available in the following upcoming releases:
3.0(1d) ==> ETA week of 10/13
2.2(3b) ==> released 10/9
2.2(2e) ==> ETA week of 10/13
2.2(1f) ==> ETA week of 10/13
2.1(3f) ==> ETA will be announced shortly
2.0(5g) ==> ETA will be announced shortly

All six CVEs, CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 CVE-2014-6278, and CVE-2014-6277 have been fixed.

The 2.2(3b) release was published to CCO on 10/9. The other 2.2 release trains will be updated in the week of 10/13. The release schedule for the 2.0 and 2.1 release trains will be announced soon - release candidates are currently still in QA.
 
0 Helpful

Go to solution
konstantin.fatkulin
Level 1
Level 1
In response to Tom MacDonald

‎10-18-2014 10:12 PM

I have 2.2(1d) 

I don't see that version on the list

does this version is fine - not need update  ? 

 

0 Helpful

Go to solution
Tom MacDonald
Level 1
Level 1
In response to konstantin.fatkulin

‎10-19-2014 05:30 AM

All releases starting with the the first release 1.0(1e) are vulnerable.

You have 2.2(1b) so you have to upgrade to 2.2(1f) or any other version above that such as 2.2(2e), 2.2(3b) or 3.0(1d).....
 

0 Helpful

Review Cisco Networking for a $25 gift card

Review Cisco Networking for a $25 gift card
Top