cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
933
Views
0
Helpful
6
Replies

CVE-2015-4289 AnyConnect version fix

Martin Smid
Level 1
Level 1

Hello,

I have a quick question about the versions of AnyConnect that should be deployed in order to fix bug CSCut93920. The bug notes state that the fix is available in version 3.1(10010) and 4.1(4011). I was able to find version 3.1(10010), however, there is no version 4.1(4011). The one that's available for download is 4.1(04011). Is that just a typo on the Cisco Download site? The reason I ask is because the bug notes as well as the CVE-2015-4289 state that all version 4.1(0) are vulnerable.

 

Thank you,

Martin

1 Accepted Solution

Accepted Solutions

Martin, 

C'mon! We're fighting over 0? Literally "nothing" ?! :-)

Well the problem comes from how we're numbering releases internally. 

(Take this with a grain of salt) 4011 equals 4011th internal rebuild, problem is that quite often we'll go to 5 digit numbers, I think we've been there with AC 3.1. So some tools will display 04011 and some the same rebuilt as 4011.

Inconsistent, yes, but mostly cosmetic.

M.

View solution in original post

6 Replies 6

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Martin, 

 

The release is available on CCO.

 

M. 

 

 

In case you need software under PSIRT advisory - you can also contact TAC - most of the time :-)

Hi Marcin,

Thanks for the info. That's the version I am guessing is the correct one. But the CVE and bug notes state that all versions which have "0" as a third number in their version are affected (see below). So what I am trying to say is that someone should either correct the typo in the download section or update the bug/CVE notes :)

3.0(0)

3.1(0)
4.0(0)
4.1(0)

Martin, 

C'mon! We're fighting over 0? Literally "nothing" ?! :-)

Well the problem comes from how we're numbering releases internally. 

(Take this with a grain of salt) 4011 equals 4011th internal rebuild, problem is that quite often we'll go to 5 digit numbers, I think we've been there with AC 3.1. So some tools will display 04011 and some the same rebuilt as 4011.

Inconsistent, yes, but mostly cosmetic.

M.

Thanks for the confirmation. Please try to look at it from customer's perspective. Customer downloads version 4.1.04011 assuming there is just an extra 0 and patches several thousand laptops. Then the vulnerability gets exploited, a case is raised with TAC to get an explanation and the reply the would be along the lines "as per the Cisco PSIRT the versions starting 4.1.0 are vulnerable". The case gets closed and the customer needs to go through a fresh patching project.

Hopefully that explains why I am being cautious :)

Martin, 

 

I wasn't trying to be dismissive, by any means. 

What I think is that bug toolkit etc guys have made great strides to improve situation - vide reading bug notes for IOS/IOS-XE around 2 years back and compare it now.  

Are we better, yes, are we good, no. That's probably as much as I can say in a public forum without getting in trouble internally. 

There's a width and breadth of products all with different numbering and specifics and tools are supposed to handle all of them. :/

M.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: