Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
778
Views
0
Helpful
0
Comments

OpenSSL vulnerabilities in WLC 7.4.110.0

Vinay Sharma
Level 7
Level 7

‎12-09-2014 02:32 AM - edited ‎11-18-2020 03:08 AM

 

Introduction

Version 7.4.11.0 is vulnerable to the following CVE IDs:

CVE-2014-0224 CVE-2014-0221 CVE-2014-0195 CVE-2014-0198 CVE-2010-5298 CVE-2014-3470 CVE-2014-0076   Is there a patch, that could fix it?  

Solution

Symptom:
The following Cisco products:
Wireless Lan Controllers: 5500, 2500, Wism1, Wism2, 7500, 8500, 2100, NM-WLC, 4400
include a version of openssl that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0224 - SSL/TLS MITM vulnerability
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-3470 - Anonymous ECDH denial of service
CVE-2014-0221 - DTLS recursion flaw 
CVE-2014-0195 - DTLS invalid fragment vulnerability

This bug has been opened to address the potential impact on this product.

Conditions:
Devices with default configuration.

Affected Releases
All 4.x, 5.x, 6.x, 7.0.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x
Workaround:Not Available

More Info:
CVE-2014-3470: EDCH is not in use, but a patch for the issue will be included

Fixed Releases
Upcoming: 7.4.130.0, 7.0.x
Released: 7.6.130.0, 8.0.100.0
Will not be fixed: 4.x, 5.x, 6.x, 7.2.x, 7.3.x, 7.5.x (all end of engineering maintenance)

Fixed code will be posted in CCO soon. For beta access contact wnbu-mrbeta@external.cisco.com

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.5: https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. 

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

 

Known Affected Releases

 
7.0(250.0)
7.3(112.0)
7.4(110.0)
7.4(120.0)
7.5(102.0)
7.6(120.0)

 

Known Fixed Releases

 
7.0(241.14)
7.0(250.1)
7.0(251.0)
7.4(121.24)
7.4(122.22)
7.4(122.24)
7.5(102.25)
7.6(101.216)
7.6(120.20)
 
 

7.6(122.2)
7.6(122.7)
7.6(130.0)
8.0(100.0)
8.0(72.210)
8.0(72.224)
8.0(75.4)
8.1(2.21)

Download software for  Cisco 5500 Series Wireless Controllers

Source

Multiple Vulnerabilities in OpenSSL - June 2014 - CSCup22587

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products

This document is created from the following discussion:

OpenSSL vulnerabilities in WLC 7.4.110.0

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents