CVE-2023-20076 and AireOS APs

Noora
Beginner

I got an e-mail Thursday that my 2800 APs are affected by CVE-2023-20076. They are all LAPs, managed by a 9800 WLC. I contacted Cisco TAC and the technician confirmed that despite my APs being behind a WLC, they are still vulnerable to this CVE. My question is:

Is it the OS version of the WLC I have to look at in this case, or the OS that the APs are running? I was asked by the Cisco TAC to get the information from the AP and not the WLC, which leads me to believe that it is the AP version that matters. But that version isn't listed on the vulnerable OS list.

Thanks!

1 Accepted Solution

Rich R
VIP Advisor

Lightweight APs always get their software from the WLC so the answer is always the WLC software, SMUs and APSPs.

You didn't bother to mention what version of software your WLC is running but the fix is in the below releases (and later):
17.6.5
17.9.2
17.10.1
So upgrade to whichever version is appropriate for your environment.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
Field Notice: FN-72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Recommended
WARNING - see CSCwd37092 Throughput degraded after upgrading to code 8.10.181.0/17.3.6 - 2800/3800/4800 series
- The fix for CSCwd37092 is now released in 8.10.183.0 and
- For IOS-XE 17.3.6 select controller model, go to IOS XE Software AP Service Pack, select CSCwd40096 17.3.6 APSP2
Field Notice: FN-63942 Lightweight APs and WLCs Fail to Create CAPWAP Connections Due to Certificate
      Expiration - Software Upgrade Recommended
Field Notice: FN-72524 - During Software Upgrade/Downgrade IOS APs Might Remain in Downloading State
     After 4 Dec 2022 Due to Certificate Expiration - Fixed in 8.10.183.0 and 17.3.6 APSP5 (APSP_CSCwd83653)
     Also fixed in 8.5.182.7 (8.5 mainline) and 8.5.182.105 (8.5 IRCM) if you can't upgrade to 8.10
     TAC confirmed that subordinate Mobility Express APs downloading by TFTP are not affected so ME 8.5.182.0 still works
     Note that 8.10.181.0 and 8.10.182.0 have been deferred (withdrawn) and are effectively unsupported by Cisco
Leo Laohoo's list of bugs affecting 2800/3800/4800/1560 APs
___________________________________________
Richard R
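
An added example, not part of the original post or any Cisco tooling: a small check that reads the IOS-XE version reported by the WLC and compares it with the fixed releases quoted in the answer above. The sample `show version` line and the hostnames are constructed, and treating trains newer than 17.10 as fixed is an assumption drawn from "and later"; trains the answer does not list are flagged for a manual check against the advisory.

```python
import re

# Fixed releases quoted in the answer above, keyed by (major, minor) train.
FIXED = {(17, 6): (17, 6, 5), (17, 9): (17, 9, 2), (17, 10): (17, 10, 1)}
NEWEST_FIXED_TRAIN = max(FIXED)

# Constructed sample of the version line from "show version" on a 9800 WLC.
SAMPLE_SHOW_VERSION = "Cisco IOS XE Software, Version 17.09.01\n"


def parse_version(text):
    """Return (major, minor, patch) from show-version text or a bare version.

    Handles zero-padded fields (17.09.01) and rebuild suffixes (17.9.4a).
    """
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)", text) or re.fullmatch(
        r"\s*(\d+)\.(\d+)\.(\d+)[a-z]?\s*", text
    )
    if not m:
        raise ValueError("no IOS-XE version found")
    return tuple(int(g) for g in m.groups())


def assess(text):
    """Classify a WLC release as 'fixed', 'upgrade' or 'check-advisory'."""
    ver = parse_version(text)
    train = ver[:2]
    if train in FIXED:
        return "fixed" if ver >= FIXED[train] else "upgrade"
    if train > NEWEST_FIXED_TRAIN:
        return "fixed"  # assumption: "and later" covers trains after 17.10
    return "check-advisory"  # train not listed in the answer


def needs_action(inventory):
    """Return {hostname: status} for controllers that are not known-fixed."""
    result = {}
    for host, version in inventory.items():
        status = assess(version)
        if status != "fixed":
            result[host] = status
    return result


if __name__ == "__main__":
    # Constructed inventory; hostnames are hypothetical.
    fleet = {"wlc-a": SAMPLE_SHOW_VERSION, "wlc-b": "17.6.5", "wlc-c": "17.3.6"}
    for host, status in needs_action(fleet).items():
        print(host, status)
```
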

3 Replies

Leo Laohoo
VIP Community Legend

@Noora wrote:
Is it the OS version of the WLC I have to look at in this case, or the OS that the APs are running? 

Read Cisco IOx Application Hosting Environment Command Injection Vulnerability & scroll down to Fixed Releases section of the bulletin.

Thank you Rich!