So what you are saying is "this is fine" ? (insert "this is fine meme" here).

              - As far as can recall my mind I am 'just saying' : the opposite , 

 M.

the CVE basically says all IOS-XE products with the webservice enabled.

And there are no "fixes", so there is a very big possibility that all IOS-XE softwares are affected.

The only recommendation is also just to turn of http and https until a patch can be made available. 

   Ref :   https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
  >...If the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP.
     If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.

 M.

Yes that makes perfect sense, that telling the config that you cannot have any sessions to the webservice makes the exploit not work.

I dont know what scenario you would configure this in. Enable the webservice, but not have it accept any sessions ?

But Im pretty certain (and I have not tested this) that this will also make CWA and LWA not work.

   - The workaround does not relate to  sessions  , it prevents the web server from loading additional modules ,

 M.

(this information is useless for WLC users, I apologize)

• but disabling the "session-modules" breaks the IOS-CA
  • no CRLs can be downloaded afterward
  • a "HTTP 502" is returned instead

Havent heard anything additional yet.

But this being a 10.0 ... I mean .. thats  bad ... 

And the silence from Cisco worries me.

So Im right now recommending my customers to not use LWA or CWA as a precaution.

Definitely no fixed versions - all are affected.