Re: ASA-AWS: When will new versions be available?

SRNet · ‎05-13-2022

Hello,

According to Cisco, current ASA versions were affected by several vulnerabilities which have been patched for ASA running on cisco hardware. For the AWS-ASA it appears there are no updated releases. How do we find if the AWS-ASA versions are patched?

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Privilege Escalation Vulnerability

High

CVE-2022-20759

2022 Apr 27

Vulnerable

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IPsec IKEv2 VPN Information Disclosure Vulnerability

High

CVE-2022-20742

2022 Apr 27

Vulnerable

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS Inspection Denial of Service Vulnerability

High

CVE-2022-20760

2022 Apr 27

Vulnerable

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Denial of Service Vulnerability

High

CVE-2022-20745

2022 Apr 27

Vulnerable

Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability

High

CVE-2022-20737

2022 Apr 27

Vulnerable

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability

High

CVE-2022-20715

2022 Apr 27

Vulnerable

Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense Software AnyConnect SSL VPN Denial of Service Vulnerability

Medium

CVE-2022-20795

2022 Apr 20

Vulnerable

Thank you,

K

Sheraz.Salim · ‎05-13-2022

ASA 9.17.1.7 has most fix vulnerabilities. you can download the ASA9.17 for the AWS. however, the stable and Gold star is 9.16

please do not forget to rate.

SRNet · ‎05-13-2022

But the versions available in aws are older than that.

https://aws.amazon.com/marketplace/pp/prodview-k3dpkteh6bgzi?sr=0-3&ref_=beagle&applicationId=AWSMPContessa

Sheraz.Salim · ‎05-13-2022

yes I have check the link you have provided the 19.7.1 Which is available at AWS software you can download it and use it. Most of the vulnerability are fixed in 19.7.1.

please do not forget to rate.

SRNet · ‎05-13-2022

Thad doesn't sound quite right. Versions in AWS are older than 9.17.1.7. Also from advisory page you can see that first fixed release for 9.17 is 9.17.7

Cisco ASA Software Release	First Fixed Release for This Vulnerability	First Fixed Release for All Vulnerabilities Described in the Bundle of Advisories
9.7 and earlier1	Migrate to a fixed release.	Migrate to a fixed release.
9.8	9.8.4.43	Migrate to a fixed release.
9.91	Migrate to a fixed release.	Migrate to a fixed release.
9.101	Migrate to a fixed release.	Migrate to a fixed release.
9.12	9.12.4.38	9.12.4.38
9.131	Migrate to a fixed release.	Migrate to a fixed release.
9.14	9.14.4	9.14.4
9.15	9.15.1.21	9.15.1.21
9.16	9.16.2.13	9.16.2.14
9.17	9.17.1.7	9.17.7

Anyone from Cisco can advise when fixed versions will be available for ASA-AWS?

Sheraz.Salim · ‎05-13-2022

@SRNet unless you have a cisco TAC support available you can ask them. or AWS support to ask when they can publish the new ASA code sorry I missed it was 9.17.1.7.

please do not forget to rate.