Introduction
Version 7.4.11.0 is vulnerable to the following CVE IDs:
CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0076
Is there a patch that could fix it?
Solution
Symptom:
The following Cisco products:
Wireless LAN Controllers: 5500, 2500, WiSM1, WiSM2, 7500, 8500, 2100, NM-WLC, 4400
include a version of OpenSSL that is affected by the vulnerabilities identified by the Common Vulnerabilities and Exposures (CVE) IDs:
CVE-2014-0224 - SSL/TLS MITM vulnerability
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-3470 - Anonymous ECDH denial of service
CVE-2014-0195 - DTLS invalid fragment vulnerability
This bug has been opened to address the potential impact on this product.
Conditions:
Devices with default configuration.
Affected Releases
All 4.x, 5.x, 6.x, 7.0.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x
Workaround:
Not Available
More Info:
CVE-2014-3470: ECDH is not in use, but a patch for the issue will be included.
Fixed Releases
Upcoming: 7.4.130.0, 7.0.x
Released: 7.6.130.0, 8.0.100.0
Will not be fixed: 4.x, 5.x, 6.x, 7.2.x, 7.3.x, 7.5.x (all end of engineering maintenance)
Fixed code will be posted in CCO soon. For beta access contact wnbu-mrbeta@external.cisco.com
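The "Affected Releases" and "Fixed Releases" data above can be applied to a controller inventory with a short script. The following is an added example, not Cisco's or the original poster's code; the hostnames, status wording and function names are assumptions made for illustration, and only the release numbers come from this page.

```python
import re

# Release data transcribed from the "Affected Releases" and "Fixed Releases"
# sections of this page; the status wording is this example's own.
FIXED_RELEASED = {(7, 6): (7, 6, 130, 0), (8, 0): (8, 0, 100, 0)}
FIXED_UPCOMING = {(7, 4): (7, 4, 130, 0)}
UPCOMING_NO_BUILD = {(7, 0)}             # listed only as "7.0.x"
WONT_FIX = {(7, 2), (7, 3), (7, 5)}      # plus every 4.x, 5.x and 6.x train

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+)\.(\d+)|\((\d+)\.(\d+)\))")


def parse_version(text):
    """Accept '7.4.110.0' or the bug-tool form '7.4(110.0)'; return a 4-tuple."""
    match = VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised WLC version: {text!r}")
    return tuple(int(g) for g in match.groups() if g is not None)


def dotted(version):
    return ".".join(str(n) for n in version)


def classify(text):
    """Return the triage status of one controller software version."""
    version = parse_version(text)
    train = version[:2]
    if train in FIXED_RELEASED or train in FIXED_UPCOMING:
        released = train in FIXED_RELEASED
        fix = FIXED_RELEASED[train] if released else FIXED_UPCOMING[train]
        if version >= fix:
            return "fixed"
        return ("upgrade to " if released else "fix pending: ") + dotted(fix)
    if train in UPCOMING_NO_BUILD:
        return "fix pending: build not stated"
    if train[0] in (4, 5, 6) or train in WONT_FIX:
        return "no fix planned: move to a fixed train"
    return "not listed on the page"


# Constructed inventory (hypothetical hostnames) in both version notations.
INVENTORY = {"wlc-hq": "7.4.110.0", "wlc-lab": "7.6(130.0)",
             "wlc-branch": "7.5(102.0)", "wlc-dc": "7.6.120.0"}

if __name__ == "__main__":
    for host, version in sorted(INVENTORY.items()):
        print(f"{host:12} {version:12} {classify(version)}")
```

Trains that the page does not mention, such as 7.1.x or 8.1.x, are reported as "not listed on the page" rather than guessed.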
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.5: https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
7.0(250.0)
7.3(112.0)
7.4(110.0)
7.4(120.0)
7.5(102.0)
7.6(120.0)
7.6(122.2)
7.6(122.7)
7.6(130.0)
8.0(100.0)
8.0(72.210)
8.0(72.224)
8.0(75.4)
8.1(2.21)
Download software for Cisco 5500 Series Wireless Controllers
Source
Multiple Vulnerabilities in OpenSSL - June 2014 - CSCup22587
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products
This document was created from the following discussion:
OpenSSL vulnerabilities in WLC 7.4.110.0