CVE-2015-4289 AnyConnect version fix

Martin Smid
Level 1

Hello,

I have a quick question about the versions of AnyConnect that should be deployed in order to fix bug CSCut93920. The bug notes state that the fix is available in version 3.1(10010) and 4.1(4011). I was able to find version 3.1(10010); however, there is no version 4.1(4011). The one that's available for download is 4.1(04011). Is that just a typo on the Cisco Download site? The reason I ask is because the bug notes as well as CVE-2015-4289 state that all versions 4.1(0) are vulnerable.

Thank you,

Martin


6 Replies

Marcin Latosiewicz
Cisco Employee

Martin,

The release is available on CCO.

M.

In case you need software under a PSIRT advisory, you can also contact TAC - most of the time :-)

Hi Marcin,

Thanks for the info. That's the version I am guessing is the correct one. But the CVE and bug notes state that all versions which have "0" as a third number in their version are affected (see below). So what I am trying to say is that someone should either correct the typo in the download section or update the bug/CVE notes :)

3.0(0)
3.1(0)
4.0(0)
4.1(0)

Martin, 

C'mon! We're fighting over 0? Literally "nothing" ?! :-)

Well, the problem comes from how we're numbering releases internally.

(Take this with a grain of salt) 4011 equals the 4011th internal rebuild; the problem is that quite often we'll go to 5-digit numbers, I think we've been there with AC 3.1. So some tools will display 04011 and some the same rebuild as 4011.

Inconsistent, yes, but mostly cosmetic.

M.
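One way to apply the "leading zero is cosmetic" point when checking a fleet of endpoints, as an added Python example that is not part of this thread and not Cisco tooling: it normalises the build number so that 4.1(04011), 4.1.04011 and 4.1(4011) compare equal, then checks each installed version against the fixed builds quoted above from the CSCut93920 bug notes. Assumptions: the fixed-build numbers 3.1(10010) and 4.1(4011) are taken from the thread only; the 4.0 train is reported affected but no fixed build is quoted for it, so it is flagged as "not covered"; hostnames and the 3.1 pre-fix build in the sample inventory are constructed.

```python
import re

# Fixed builds as quoted in this thread from the CSCut93920 bug notes.
# Assumption: taken from the thread only. The 4.0 train is listed as affected
# there but no fixed build is quoted, so it is deliberately absent here.
FIXED_BUILDS = {
    (3, 1): 10010,   # 3.1(10010)
    (4, 1): 4011,    # 4.1(4011), displayed as 4.1(04011) by some tools
}

# Accepts "4.1(04011)", "4.1(4011)" and the dotted form "4.1.04011".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.|\()(\d+)\)?$")


def parse_version(text):
    """Return (major, minor, build) as ints.

    int() drops the leading zero, so "04011" and "4011" both become 4011,
    which is exactly the point made in the reply above: the zero is cosmetic.
    """
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised AnyConnect version string: {text!r}")
    major, minor, build = (int(part) for part in match.groups())
    return major, minor, build


def is_fixed(text):
    """True if the build is at or above the fixed build for its train,
    False if it is below it, None if the train has no fixed build quoted
    in the thread (e.g. 4.0) and must be checked against the advisory."""
    major, minor, build = parse_version(text)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    return build >= fixed


def hosts_needing_attention(inventory):
    """Given (hostname, version) pairs, return the hosts that are not
    confirmed fixed, each with a short reason."""
    result = []
    for host, version in inventory:
        status = is_fixed(version)
        if status is True:
            continue
        reason = ("below fixed build" if status is False
                  else "train not covered by quoted bug notes")
        result.append((host, version, reason))
    return result


# Constructed sample inventory (hostnames are not real). It mixes the two
# spellings of the same 4.1 build, the affected-train markers from the bug
# notes, and one constructed pre-fix 3.1 build number.
SAMPLE_INVENTORY = [
    ("laptop-01", "4.1(04011)"),
    ("laptop-02", "4.1.04011"),
    ("laptop-03", "4.1(0)"),
    ("laptop-04", "3.1(10010)"),
    ("laptop-05", "3.1(09013)"),   # constructed, below 3.1(10010)
    ("laptop-06", "4.0(0)"),
]

if __name__ == "__main__":
    for host, version, reason in hosts_needing_attention(SAMPLE_INVENTORY):
        print(f"{host}: {version} - {reason}")
```

Running the block flags laptop-03 and laptop-05 as below the fixed build and laptop-06 as a train the quoted notes give no fixed build for, while both spellings of the 4.1 build on laptop-01 and laptop-02 pass. Comparing the build as an integer rather than as a string is the whole trick; a string comparison of "04011" against "4011" would report the patched endpoints as unpatched.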

Thanks for the confirmation. Please try to look at it from the customer's perspective. The customer downloads version 4.1.04011 assuming there is just an extra 0 and patches several thousand laptops. Then the vulnerability gets exploited, a case is raised with TAC to get an explanation, and the reply would be along the lines of "as per the Cisco PSIRT the versions starting 4.1.0 are vulnerable". The case gets closed and the customer needs to go through a fresh patching project.

Hopefully that explains why I am being cautious :)

Martin,

I wasn't trying to be dismissive, by any means.

What I think is that the bug toolkit etc. guys have made great strides to improve the situation - vide reading bug notes for IOS/IOS-XE around 2 years back and compare it now.

Are we better? Yes. Are we good? No. That's probably as much as I can say in a public forum without getting in trouble internally.

There's a width and breadth of products all with different numbering and specifics and tools are supposed to handle all of them. :/

M.