
Heartbleed upgrade to ASA 9.1(3.4)?

nmfoxton
Level 1

Ok, this has probably been asked before but I can't for the life of me find an answer.

 

We are actually running v9.1(3) on our ASA5500's so "maybe" we are clear of the weakness.

However Cisco recommend upgrade to 9.1(3.4) to ensure clearance.

 

When you look on the ASA and on the download site there is no mention of any (3.x) ... so are we safe or not?

It's kind of daft to show these sub-versions without actually making mention of them on the hardware or site?


Marvin Rhoads
Hall of Fame

The official Cisco Security Advisory (link) states the "Cisco Adaptive Security appliance (ASA) Software" is among the products confirmed not vulnerable.

ASA 9.1(3.4) is an interim build. Interim builds are generally only recommended by the TAC to address specific bugs whose fix hasn't been incorporated into minor releases. If they recommend it to a customer and it's not a published build, they should provide an FTP link for download.

Thanks, although we aren't using the features affected by Heartbleed it looks like I'm going to have to raise a case to access the maintenance release.

Are ALL versions of ASA not vulnerable?  We are on version 8.2(5).  We are also using VPN Client 5.x, which is not mentioned in the list.  Is it vulnerable? 

The Heartbleed bug is an example of where "older is better". Products incorporating OpenSSL versions prior to 1.01 are generally not affected. Thus all ASA (and ASDM) versions are unaffected as their SSL uses an older distribution.

Note that the separate ASA CX software DOES have the vulnerability. Reference.

The VPN Client 5.x is IPsec-only - i.e., not SSL-based - and should thus be unaffected.
