10-17-2023 07:53 AM
This seems bad. - "I'm fuzzy on the whole good/bad thing. What do you mean, "bad"? "........
LWA, and basically also CWA, uses the webservice of the 9800.
Should we all just shut down our guest networks until a workaround / patch can be found ?
Currently that is what I'm thinking.
Can anyone shed some light on my concern ?
10-23-2023 09:55 AM - edited 10-23-2023 10:10 AM
So .. I actually CAN install it. I just lose the SMU and APSPs I had installed on 17.9.4 like you do when you install a brand new software. - I just think it's weird the wording.
The question is then if you could actually install the APSP and SMU after on top of 17.9.4a (I think not, as far as I remember it checks version) but it would be nice if you could.
I'm now starting to feel that this is "kinda" a "fail". - Why a whole new software, and not just release a SMU first then ?
Answering my own question: thinking that it might be a "statement" that there is a "brand new" software and not just a "SMU patch" for a score 10 issue.
10-24-2023 12:11 AM
hi
we documented this here:
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-17/221107-filter-traffic-destined-to-cisco-ios-xe.html
Webauth does not expose any of the management UI, so it is not vulnerable to this issue. An access class for HTTP can be used as a workaround until fixes are posted across all releases.
regards
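An added example, not part of the reply above or of Cisco's documentation: a small Python audit of a saved running-config that reports whether the HTTP/HTTPS server is enabled and whether the `ip http access-class` workaround mentioned above is bound to an IPv4 ACL that is actually defined. The sample configs, the ACL name `MGMT-HTTP` and the result labels are constructed for illustration.

```python
import re

# Constructed sample running-config fragments (not from any real device).
SAMPLE_UNFILTERED = "ip http server\nip http secure-server\n"
SAMPLE_FILTERED = (
    "ip http server\n"
    "ip http secure-server\n"
    "ip http access-class ipv4 MGMT-HTTP\n"
    "ip access-list standard MGMT-HTTP\n"
    " 10 permit 192.0.2.0 0.0.0.255\n"
)
SAMPLE_DANGLING = "ip http secure-server\nip http access-class ipv4 MGMT-HTTP\n"
SAMPLE_DISABLED = "no ip http server\nno ip http secure-server\n"


def audit_http_access(config: str) -> str:
    """Return 'disabled', 'unfiltered', 'dangling-acl' or 'filtered'."""
    lines = [line.rstrip() for line in config.splitlines()]

    # Global commands are not indented, so fullmatch skips the "no ..." forms.
    if not any(re.fullmatch(r"ip http (secure-)?server", l) for l in lines):
        return "disabled"

    # ACLs bound to the HTTP server (IPv4 only; legacy numbered form included).
    bound = set()
    for l in lines:
        m = re.fullmatch(r"ip http access-class (?:ipv4 )?(\S+)", l)
        if m:
            bound.add(m.group(1))
    if not bound:
        return "unfiltered"

    # ACLs that are defined in the same config, named or numbered.
    defined = set()
    for l in lines:
        m = (re.fullmatch(r"ip access-list (?:standard|extended) (\S+)", l)
             or re.match(r"access-list (\d+) ", l))
        if m:
            defined.add(m.group(1))

    # A binding to an ACL missing from the config needs a manual look.
    return "filtered" if bound <= defined else "dangling-acl"


if __name__ == "__main__":
    for name in ("UNFILTERED", "FILTERED", "DANGLING", "DISABLED"):
        print(name, "->", audit_http_access(globals()["SAMPLE_" + name]))
```

A `filtered` result only means an ACL is bound and defined; whether its entries are restrictive enough still has to be reviewed by hand.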
10-24-2023 01:05 AM
Also wondering about the APSP and SMU, is it implemented in 17.9.4a?
10-24-2023 01:40 AM
@Rich R Replied earlier on that in this thread :
> (earlier poster) : So i cannot install the "a" version if I have a APSP/SMU installed on 17.9.4 ?
If you upgrade to 17.9.4a you will lose the 17.9.4 SMU and APSP fixes.
There will be a new 17.9.4 SMU with the fix which you can use if you already have SMU and/or APSP installed.
M.
10-24-2023 03:19 AM
hi Sondre
17.9.4a does not include APSP/SMU, as it is just CCO 17.9.4 plus webUI fix, we put a notice in the download page to clarify that
we will publish SMU for 17.9.4, with the webUI fix soon, so you can avoid full upgrade if APSPs are currently applied, this should be available very soon
regards
10-25-2023 12:20 AM
If a customer is coming from an older version and because of this security issue he wants to upgrade to 17.9.4.
Would the best approach then be to go 17.9.4a and install the current available APSPs from 17.9.4(non-a) (can you even do that ?)
Or if you cannot use the APSPs from 17.9.4 on 17.9.4.a , just install 17.9.4(non-a) - Install the, now available, security fix SMU, and then the APSPs for 17.9.4 ?
I guess the question is: Can you use the APSPs from 17.9.4 on 17.9.4a ?
10-25-2023 12:48 AM
hi @Thomas Obbekaer Thomsen
>Can you use the APSPs from 17.9.4 on 17.9.4a ?
Unfortunately, no, that is one of the reasons we posted the 17.9.4 SMU last night, so existing customers on 17.9.4 can get the security fix, without having to deal with APSP again
>Would the best approach then be to go 17.9.4a and install the current available APSPs from 17.9.4(non-a) (can you even do that ?)
it depends, if they need the fixes in the current APSPs, then they will need 17.9.4 + SMU + APSPs
if they do "not" need them, then they can go into 17.9.4a directly
we are working on sorting out future APSPs/17.9.4 status, as it is special situation for Wireless.
The new SMU allows to get fix now, until that is solved.
regards
10-24-2023 01:09 AM
Anyone used DNA center to upgrade the WLC with ? and used ISSU and found the ISSU matrix ?
10-24-2023 07:40 AM - edited 10-24-2023 08:19 AM
Anyone know if there will be any issues in patching the WLC directly not using DNA Center ? It's a classic deployment non SDA.
Only as no matrix files are put available on download page. So it's not possible to do ISSU from DNA.
11-01-2023 06:04 PM - edited 01-11-2024 04:27 PM
Get a TAC Proactive Case and a TAC Engineer (not to be confused with a TAC Agent) on WebEx to the WLC before embarking on a firmware upgrade using ISSU.
Please note CSCwh76420, CSCwe62246, CSCwh36951.
10-25-2023 06:57 PM - edited 01-11-2024 04:29 PM
WARNING: Do not make any attempt(s) to use Hitless Upgrade when upgrading from 17.9.4 to 17.9.4a.
We hit two bugs:
1. The Primary Controller moves the APs by rebooting all of the APs simultaneously.
2. The Secondary Controller refuses to return the APs back to the Primary Controller.
UPDATE (December 2023): TAC Sydney was able to successfully replicate, six times out of six attempts, this bug feature.
And for anyone planning to upgrade 9800 firmware using ISSU, please be aware of CSCwh76420, CSCwh36951.