Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1068
Views
5
Helpful
3
Replies

CVE-2023-20076 and AireOS APs

Go to solution
Noora
Level 1
Level 1

‎02-03-2023 11:52 AM

I got an e-mail Thursday that my 2800 APs are affected by CVE-2023-20076. They are all LAPs, managed by a 9800 WLC. I contacted Cisco TAC and the technician confirmed that despite my APs being behind a WLC, they are still vulnerable to this CVE. My questions is:

Is it the OS version of the WLC I have to look at in this case, or the OS that the APs are running? I was asked by the Cisco TAC to get the information from the AP and not the WLC, which leads me to believe that is the AP version that matters. But that version isn't listed on the vulnerable OS list.

Thanks!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rich R
VIP
VIP

‎02-04-2023 09:08 AM

Lightweight APs always get their software from the WLC so the answer is always the WLC software, SMUs and APSPs.

You didn't bother to mention what version of software your WLC is running but the fix is in the below releases (and later):
17.6.5
17.9.2
17.10.1
So upgrade to whichever version is appropriate for your environment.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

3 Replies 3

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎02-03-2023 02:39 PM

@Noora wrote:
Is it the OS version of the WLC I have to look at in this case, or the OS that the APs are running? 

Read Cisco IOx Application Hosting Environment Command Injection Vulnerability & scroll down to Fixed Releases section of the bulletin.

0 Helpful

Go to solution
Rich R
VIP
VIP

‎02-04-2023 09:08 AM

Lightweight APs always get their software from the WLC so the answer is always the WLC software, SMUs and APSPs.

You didn't bother to mention what version of software your WLC is running but the fix is in the below releases (and later):
17.6.5
17.9.2
17.10.1
So upgrade to whichever version is appropriate for your environment.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Go to solution
Noora
Level 1
Level 1
In response to Rich R

‎02-06-2023 05:21 AM

Thank you Rich!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card