
Cisco advisories/updates


332 replies to this topic

#181 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 09 April 2015 - 03:09 PM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco ASA Software - Multiple Vulns
- http://tools.cisco.c...sa-20150408-asa
2015 Apr 8 - "Summary: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
    Cisco ASA Failover Command Injection Vulnerability
    Cisco ASA DNS Memory Exhaustion Vulnerability
    Cisco ASA VPN XML Parser Denial of Service Vulnerability
Successful exploitation of the Cisco ASA Failover Command Injection Vulnerability would allow an attacker to submit failover commands to the failover units,  which may result in an attacker taking full control of the systems. Successful exploitation of the Cisco ASA DNS Memory Exhaustion Vulnerability may result in system instability and dropped traffic.
Successful exploitation of the Cisco ASA VPN XML Parser Denial of Service Vulnerability may result in a crash of the WebVPN process, which may lead to the reset of all SSL VPN connections, system instability, and a reload of the affected system. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available... may require an upgrade of the Cisco ASA Software release..."
- http://www.securityt....com/id/1032045
CVE Reference: CVE-2015-0675, CVE-2015-0676, CVE-2015-0677
Apr 8 2015 - "... Solution:   The vendor has issued a fix (7.2(5.16), 8.2(5.57), 8.3(2.44), 8.4(7.28), 8.5(1.24), 8.6(1.17), 8.7(1.16), 9.0(4.33), 9.1(6.1), 9.2(3.4), and 9.3(3))..."


Cisco ASA FirePOWER Svcs / Cisco ASA CX Svcs Crafted Packets DoS Vuln
http://tools.cisco.c...a-20150408-cxfp
2015 Apr 8 - "Summary: A vulnerability in the virtualization layer of the Cisco ASA FirePOWER Services and Cisco ASA Context Aware (CX) Services could allow an unauthenticated, remote attacker to cause a reload of the affected system. Cisco has released free software updates that address this vulnerability. The resolution includes upgrading the Cisco ASA FirePOWER Services Software or the Cisco ASA CX Services Software and the Cisco ASA Software. Workarounds that mitigate this vulnerability are not available..."
- http://www.securityt....com/id/1032046
CVE Reference: CVE-2015-0678
Apr 8 2015 - "... The vendor has issued a fix (ASA FirePOWER Software 5.3.1.2 and 5.4.0.1; ASA CX Software 9.3.2.1-9)..."

OpenSSL (January 2015) Affecting Cisco Products - Multiple Vulns
- http://tools.cisco.c...sa-20150310-ssl
Rev 1.7 - 2015-April-09 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Removed End of Life product - Cisco Small Business ISA500 Series Integrated Security Appliances.

ntpd (April 2015) Affecting Cisco Products - Multiple Vulns
- http://tools.cisco.c...a-20150408-ntpd
Rev 1.1 - 2015-April-09 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.
 



.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#182 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 15 April 2015 - 03:55 PM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco IOS XR Software BVI Routed Packet DoS Vuln
- http://tools.cisco.c...-20150415-iosxr
Rev 1.0 - 2015 April 15 - Summary: A vulnerability in the packet-processing code of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers (ASR) could allow an unauthenticated, remote attacker to cause a lockup and eventual reload of a network processor chip and the line card that is processing traffic. Only Typhoon-based line cards on Cisco ASR 9000 Series Aggregation Services Routers are affected by this vulnerability. The vulnerability is due to improper processing of packets that are routed via the bridge-group virtual interface (BVI) when any of the following features are configured: Unicast Reverse Path Forwarding (uRPF), policy-based routing (PBR), quality of service (QoS), or access control lists (ACLs). An attacker could exploit this vulnerability by sending IPv4 packets through an affected device that is configured to route them via the BVI interface. A successful exploit could allow the attacker to cause a lockup and eventual reload of a network processor chip and the line card that is processing traffic, leading to a denial of service (DoS) condition. Cisco has released free software updates that address this vulnerability. There are no workarounds to address this vulnerability...
- http://www.securityt....com/id/1032139
CVE Reference: CVE-2015-0695
Apr 15 2015
Solution: The vendor has issued a fix:
For 4.3.4: asr9k-px-4.3.4.CSCur62957.pie
For 5.1.2: asr9k-px-5.1.2.CSCur62957.pie
For 5.1.3: asr9k-px-5.1.3.CSCur62957.pie
For 5.2.2: asr9k-px-5.2.2.CSCur62957.pie
For 5.3.0: asr9k-px-5.3.0.CSCur62957.pie ...

Cisco Secure Desktop Cache Cleaner Command Execution Vuln
- http://tools.cisco.c...sa-20150415-csd
Rev 1.0 - 2015 April 15 - "Summary: A vulnerability in a Cisco-signed Java Archive (JAR) executable Cache Cleaner component of Cisco Secure Desktop could allow an unauthenticated, remote attacker to execute arbitrary commands on the client host where the affected .jar file is executed. Command execution would occur with the privileges of the user. The Cache Cleaner feature has been deprecated since November 2012. There is no fixed software for this vulnerability. Cisco Secure Desktop packages that include the affected .jar files have been removed and are no longer available for download. Because Cisco does not control all existing Cisco Secure Desktop packages, customers are advised to ensure that their Java blacklist controls have been updated to avoid potential exploitation. Refer to the -Workarounds- section of this advisory for additional information on how to mitigate this vulnerability..."
- http://www.securityt....com/id/1032140
CVE Reference: CVE-2015-0691
Apr 15 2015
Solution: The vendor has described a configuration solution in their advisory...

Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products
- http://tools.cisco.c...a-20150408-ntpd
Rev 1.3 - 2015-April-15 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

GNU glibc gethostbyname Function Buffer Overflow Vulnerability
- http://tools.cisco.c...-20150128-ghost
Rev 1.30 - 2015-April-14 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
- http://tools.cisco.c...sa-20150310-ssl
Rev 1.8 - 2015-April-13- Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
- http://tools.cisco.c...0150320-openssl
Rev 1.4 - 2015-April-10 - Updated Affected Products section - Vulnerable/Not Vulnerable Products.
 



Edited by AplusWebMaster, 15 April 2015 - 04:01 PM.



#183 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 29 April 2015 - 05:11 AM

FYI...

- http://tools.cisco.c...cationListing.x

GNU glibc gethostbyname Function Buffer Overflow Vuln
- http://tools.cisco.c...-20150128-ghost
Rev 1.31 - 2015-April-28 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
- http://tools.cisco.c...sa-20150310-ssl
Rev 1.10 - 2015-April-27 - Updated the Vulnerable Products fixed column. Added Cisco IOS Access Points to under investigation.

Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
- http://tools.cisco.c...0150320-openssl
Rev 1.6 - 2015-April-24 - Updated Affected Products section - Vulnerable Products.

Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products
- http://tools.cisco.c...a-20150408-ntpd
Rev 1.5 - 2015-April-24 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.
                  
Cisco IOS XR Software BVI Routed Packet Denial of Service Vuln
- http://tools.cisco.c...-20150415-iosxr
Rev 1.1 - 2015-April-17 - Modified affected releases
 



Edited by AplusWebMaster, 29 April 2015 - 05:12 AM.



#184 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 May 2015 - 04:52 AM

FYI...

- http://tools.cisco.c...cationListing.x

Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
- http://tools.cisco.c...sa-20150310-ssl
Rev 1.11 - 2015-April-30 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products
- http://tools.cisco.c...a-20150408-ntpd
Rev 1.6 - 2015-April-30 - Moved Cisco WebEx Meetings Server versions 1.x and 2.x from vulnerable to not affected. Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.
___

Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
- http://tools.cisco.c...0150320-openssl
Rev 1.7 - 2015-May-01 - Updated Affected Products section - Vulnerable Products.
 



Edited by AplusWebMaster, 02 May 2015 - 03:54 PM.



#185 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 07 May 2015 - 04:08 PM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco UCS Central Software Arbitrary Command Execution Vuln
- http://tools.cisco.c...a-20150506-ucsc
2015 May 6 - Rev 1.0 - "Summary: A vulnerability in the web framework of Cisco UCS Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."
- http://www.securityt....com/id/1032267
CVE Reference: https://web.nvd.nist...d=CVE-2015-0701
May 6 2015
Impact: Execution of arbitrary code via network, Root access via network
Version(s): UCS Central 1.2 and prior ...
Solution: The vendor has issued a fix (1.3(1a)).

Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
- http://tools.cisco.c...0150320-openssl
Rev 1.8 - 2015-May-08 - Updated Affected Products section - Vulnerable/Not Vulnerable Products.

SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vuln
- http://tools.cisco.c...20141015-poodle
Rev 1.19 - 2015-May-07 - Added Cisco Application and Content Networking System (ACNS) to the Vulnerable Products section. Updated fixed release information for several products.

Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products
- http://tools.cisco.c...a-20150408-ntpd
Rev 1.7 - 2015-May-06 - Finalized Affected Products section.

Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
- http://tools.cisco.c...sa-20150310-ssl
Rev 1.12 - 2015-May-06 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.
 



Edited by AplusWebMaster, 11 May 2015 - 05:03 AM.



#186 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 14 May 2015 - 04:57 AM

FYI...

- http://tools.cisco.c...cationListing.x

Command Injection Vuln in Multiple Cisco TelePresence Products
- http://tools.cisco.c...-sa-20150513-tp
2015 May 13 - Rev 1.0 - "Summary: A vulnerability in the web framework of multiple Cisco TelePresence products could allow an authenticated, remote attacker to inject arbitrary commands that are executed with the privileges of the root user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected parameter in a web page. Administrative privileges are required in order to access the affected parameter. A successful exploit could allow an attacker to execute system commands with the privileges of the root user. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."
- http://www.securityt....com/id/1032314
CVE Reference: CVE-2015-0713
May 13 2015
Impact: Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes...
Solution: The vendor has issued a fix. A patch matrix is available in the vendor's advisory.
___

Multiple Vulns in Cisco TelePresence TC and TE Software
- http://tools.cisco.c...-sa-20150513-tc
2015 May 13 - Rev 1.0 - "Summary: Cisco TelePresence TC and TE Software contains the following vulnerabilities:
    Cisco TelePresence TC and TE Software Authentication Bypass Vulnerability
    Cisco TelePresence TC and TE Software Crafted Packets Denial of Service Vulnerability
Successful exploitation of the Cisco TelePresence TC and TE Software Authentication Bypass Vulnerability could allow an attacker to bypass system authentication and access the device with the privileges of the root user. Successful exploitation of the Cisco TelePresence TC and TE Software Crafted Packets Denial of Service Vulnerability could allow an attacker to restart several processes and possibly trigger a reload of the affected system. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available..."
- http://www.securityt....com/id/1032315
CVE Reference: CVE-2014-2174, CVE-2015-0722
May 13 2015
Impact: Denial of service via network, Execution of arbitrary code via network, Root access via local system, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes...
Solution: The vendor has issued a fix (7.3.2).
 





#187 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 19 May 2015 - 03:48 PM

FYI...

- http://tools.cisco.c...cationListing.x

Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products
- http://tools.cisco.c...a-20150408-ntpd
Rev 1.9 - 2015-May-28 - Updated Fixed releases availability column.

Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
- http://tools.cisco.c...sa-20150310-ssl
Rev 1.14 - 2015-May-28 - Moved the Cisco Mobility Services Engine (MSE) to an affected product. Updated Fixed releases availability.
___

GNU glibc gethostbyname Function Buffer Overflow Vuln
- http://tools.cisco.c...-20150128-ghost
Rev 1.32 - 2015-May-22 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
- http://tools.cisco.c...0150320-openssl
Rev 1.9 - 2015-May-22 - Updated Affected Products section - Vulnerable/Not Vulnerable Products.
___

Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
- http://tools.cisco.c...sa-20150310-ssl
Rev 1.13 - 2015-May-14 - Updated Vulnerable Products Fixed releases availability column.

Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products
- http://tools.cisco.c...a-20150408-ntpd
Rev 1.8 - 2015-May-14 - Updated Fixed releases availability column.
 



Edited by AplusWebMaster, 28 May 2015 - 12:59 PM.



#188 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 12 June 2015 - 01:19 PM

FYI...

- http://tools.cisco.c...cationListing.x

Multiple Vulns in OpenSSL (June 2015) Affecting Cisco Products - Logjam
- http://tools.cisco.c...0150612-openssl
2015 June 12 - "Summary: On June 11, 2015, the OpenSSL Project released a security advisory detailing six distinct vulnerabilities, and another fix that provides hardening protections against exploits as described in the Logjam research. Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. This advisory will be updated as additional information becomes available. Cisco will release free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities may be available..."

Rev 1.4 - 2015-June-23 - Updated Affected Products section.
- http://www.securityt....com/id/1032564

CVE Reference: CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792
Jun 11 2015

Cisco IOS XR Software Crafted IPv6 Packet DoS Vuln
- http://tools.cisco.c...-20150611-iosxr
2015 June 11 - "Summary: A vulnerability in the IP version 6 (IPv6) processing code of Cisco IOS XR Software for Cisco CRS-3 Carrier Routing System could allow an unauthenticated, remote attacker to trigger an ASIC scan of the Network Processor Unit (NPU) and a reload of the line card processing an IPv6 packet.
The vulnerability is due to incorrect processing of an IPv6 packet carrying IPv6 extension headers that are valid but unlikely to be seen during normal operation. An attacker could exploit this vulnerability by sending such an IPv6 packet to an affected device that is configured to process IPv6 traffic. An exploit could allow the attacker to cause a reload of the line card, resulting in a DoS condition.
Cisco has released free software updates that address this vulnerability. There is no workaround that mitigates this vulnerability..."
- http://www.securityt....com/id/1032563
CVE Reference: CVE-2015-0769
Jun 11 2015
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.2.0
Solution: The vendor has issued a fix (4.2.1). Software Maintenance Updates (SMUs) are available for versions 4.1.x and 4.2.0...
 



Edited by AplusWebMaster, 23 June 2015 - 10:22 AM.



#189 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 25 June 2015 - 05:48 PM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Virtual WSA, ESA, and SMA - Multiple Default SSH Keys Vulns
- http://tools.cisco.c...150625-ironport
2015 June 25 Rev 1.0 - "Summary: Cisco Web Security Virtual Appliance (WSAv), Cisco Email Security Virtual Appliance (ESAv), and Cisco Security Management Virtual Appliance (SMAv) are affected by the following vulnerabilities:
    Cisco Virtual WSA, ESA, and SMA Default Authorized SSH Key Vulnerability
    Cisco Virtual WSA, ESA, and SMA Default SSH Host Keys Vulnerability
Cisco has released free software updates that address these vulnerabilities. There are no workarounds for these vulnerabilities..."
- http://www.securityt....com/id/1032725
CVE Reference: CVE-2015-4216, CVE-2015-4217
Jun 25 2015
Impact: Disclosure of system information, Modification of system information, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): versions prior to June 25, 2015...
- http://www.securityt....com/id/1032726
___

SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vuln
- http://tools.cisco.c...20141015-poodle
Rev 1.20 - 2015-June-25 - Added Cisco ATA 187 Analog Telephone Adaptor to the Vulnerable Products section and Cisco TelePresence Management Suite (TMS) to the Products Not Vulnerable section. Updated fixed release information for several products.
 



Edited by AplusWebMaster, 25 June 2015 - 05:54 PM.

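The two IronPort virtual-appliance issues in the post above (a default SSH host key and a default authorized SSH key shipped identically on every appliance image) are both instances of the same defect: one key present on many hosts. The script below is an added example, not part of the post or of any Cisco tool, showing how an operator can detect that condition from their own data: it parses ssh-keyscan output and collected authorized_keys files, computes OpenSSH-style SHA256 fingerprints, and reports any key seen on more than one host. The hostnames and key blobs are constructed dummies (not real SSH key material, and not keys from any Cisco product); only the byte-to-fingerprint mapping matters for the check.

```python
"""Flag SSH keys shared across hosts: duplicate host keys and shared authorized keys."""
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Key-type tokens that precede the base64 blob in keyscan / authorized_keys lines.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

Entry = Tuple[str, str, str]  # (host, key type, base64 key blob)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of a public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (key type, blob) from a keyscan or authorized_keys style line.

    Leading fields (a hostname, or authorized_keys options such as
    from="..." / no-pty) are skipped by locating the first known key-type
    token; the blob is the token right after it. Comments, blank lines and
    lines without a recognisable key yield None.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            return tok, tokens[i + 1]
    return None


def parse_keyscan(text: str) -> List[Entry]:
    """Parse `ssh-keyscan` output: one 'host keytype blob' line per key."""
    entries = []
    for line in text.splitlines():
        parsed = parse_key_line(line)
        if parsed:
            entries.append((line.split()[0], parsed[0], parsed[1]))
    return entries


def parse_authorized_keys(files: Dict[str, str]) -> List[Entry]:
    """Parse {host: contents of that host's authorized_keys} into entries."""
    entries = []
    for host, text in files.items():
        for line in text.splitlines():
            parsed = parse_key_line(line)
            if parsed:
                entries.append((host, parsed[0], parsed[1]))
    return entries


def shared_keys(entries: List[Entry], min_hosts: int = 2) -> Dict[str, List[str]]:
    """Map fingerprint -> sorted hosts for every key seen on >= min_hosts distinct hosts."""
    hosts_by_fp = defaultdict(set)
    for host, _ktype, blob in entries:
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) >= min_hosts}


def _blob(label: bytes) -> str:
    # Dummy key material for this example only; not a real SSH key.
    return base64.b64encode(b"dummy-pubkey:" + label).decode()


# Constructed sample ssh-keyscan output: three appliances present the same
# host key (the advisory's failure mode), the fourth has its own.
SAMPLE_KEYSCAN = "\n".join([
    "# wsa-1.example.test:22 SSH-2.0-OpenSSH",
    f"wsa-1.example.test ssh-ed25519 {_blob(b'shared-host')}",
    f"wsa-2.example.test ssh-ed25519 {_blob(b'shared-host')}",
    f"esa-1.example.test ssh-ed25519 {_blob(b'shared-host')}",
    f"sma-1.example.test ssh-ed25519 {_blob(b'unique-host')}",
])

# Constructed sample authorized_keys files: one "support" key is present on
# every host (anyone holding its private half logs in everywhere), plus
# per-host admin keys that are legitimately unique.
SAMPLE_AUTHORIZED = {
    "wsa-1.example.test": (
        f"ssh-rsa {_blob(b'support')} support@vendor\n"
        f"ssh-ed25519 {_blob(b'admin-wsa1')} admin@wsa-1\n"
    ),
    "wsa-2.example.test": (
        f'from="10.0.0.0/8",no-pty ssh-rsa {_blob(b"support")} support@vendor\n'
        f"ssh-ed25519 {_blob(b'admin-wsa2')} admin@wsa-2\n"
    ),
}


def report() -> Dict[str, Dict[str, List[str]]]:
    """Run both checks over the sample data."""
    return {
        "shared_host_keys": shared_keys(parse_keyscan(SAMPLE_KEYSCAN)),
        "shared_authorized_keys": shared_keys(parse_authorized_keys(SAMPLE_AUTHORIZED)),
    }


if __name__ == "__main__":
    for kind, found in report().items():
        for fp, hosts in found.items():
            print(f"{kind}: {fp} on {', '.join(hosts)}")
```

In practice the keyscan text comes from `ssh-keyscan` run against the appliance inventory and the authorized_keys contents from each appliance's admin account; a host key shared across appliances, or an authorized key you did not install yourself present on more than one of them, is the condition the advisory describes and should be regenerated or removed after patching.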


#190 AplusWebMaster

Posted 01 July 2015 - 06:44 PM

FYI...

> http://tools.cisco.c...cationListing.x

Cisco Unified Communications Domain Manager Default Static Privileged Account Credentials
- http://tools.cisco.c...-20150701-cucdm
2015 July 1 - "Summary: A vulnerability in the Cisco Unified Communications Domain Manager Platform Software could allow an unauthenticated, remote attacker to login with the privileges of the root user and take full control of the affected system. The vulnerability occurs because a privileged account has a default and static password. This account is created at installation and cannot be changed or deleted without impacting the functionality of the system. An attacker could exploit this vulnerability by remotely connecting to the affected system via SSH using this account. An exploit could allow the attacker to take full control over the affected system. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."
- http://www.securityt....com/id/1032774
CVE Reference: https://web.nvd.nist...d=CVE-2015-4196
Jul 2 2015
Impact: Root access via network
Fix Available: Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 4.4.5 ...
Solution: The vendor has issued a fix (4.4.5).

OpenSSL (March 2015) Affecting Cisco Products - Multiple Vulnerabilities
- http://tools.cisco.c...0150320-openssl
Rev 1.11 - 2015-June-26 - Updated Affected Products section - Vulnerable/Not Vulnerable Products.

- https://www.us-cert....Security-Update
July 01, 2015
 



Edited by AplusWebMaster, 05 July 2015 - 03:55 AM.




#191 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 09 July 2015 - 08:34 AM

FYI...

> http://tools.cisco.c...cationListing.x

Cisco ASA Software - Multiple Vulns
- http://tools.cisco.c...sa-20141008-asa
Rev 3.0 - 2015-July-08 - Updated the "Summary" and "Exploitation and Public Announcements" sections of this advisory with additional information on CSCul36176 - Cisco ASA VPN Denial of Service Vulnerability.

- https://isc.sans.edu...l?storyid=19895
2015-07-09 - "Patch your firewalls!
'2015-July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383*, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers upgrade to a fixed Cisco ASA software release to remediate this issue. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available'..."
* https://web.nvd.nist...d=CVE-2014-3383 - 7.8 (HIGH)

OpenSSL (June 2015) Affecting Cisco Products - Multiple Vulns
- http://tools.cisco.c...0150612-openssl
Rev 1.7 - 2015-July-09 - Updated Affected Products section.
 





#192 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 10 July 2015 - 04:11 PM

FYI...

- http://tools.cisco.c...cationListing.x

OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products
- http://tools.cisco.c...0150710-openssl
2015 July 10 - Rev 1.0 - "Summary: On July 9, 2015, the OpenSSL Project released a security advisory detailing a vulnerability affecting applications that verify certificates, including SSL/Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) clients and SSL/TLS/DTLS servers using client authentication. Multiple Cisco products incorporate a version of the OpenSSL package affected by this vulnerability that could allow an unauthenticated, remote attacker to cause certain checks on untrusted certificates to be bypassed, enabling the attacker to forge "trusted" certificates that could be used to conduct man-in-the-middle attacks. This advisory will be updated as additional information becomes available. Cisco will release free software updates that address this vulnerability. Workarounds that mitigate this vulnerability may be available..."
Rev 1.2 - 2015-July-14 - Updated Affected Products section - Vulnerable/Not Vulnerable Products.
 



Edited by AplusWebMaster, 15 July 2015 - 06:22 AM.



#193 AplusWebMaster

Posted 16 July 2015 - 08:32 AM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Videoscape Delivery System DoS Vuln
- http://tools.cisco.c...sa-20150715-vds
2015 July 15 - "Summary: A vulnerability in the HTTP processing module of the Cisco Videoscape Distribution Suite for Internet Streaming (VDS-IS) and Cisco Videoscape Distribution Suite Service Broker (VDS-SB) could allow an unauthenticated, remote attacker to cause a reload of the affected device. The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to a vulnerable device. An exploit could allow the attacker to cause a denial of service (DoS) condition. There is no workaround that mitigates this vulnerability. Cisco has released software updates that address this vulnerability for Cisco VDS-IS..."

OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products
- http://tools.cisco.c...0150710-openssl
Rev 1.3 - 2015-July-15 - Updated Affected Products section - Vulnerable/Not Vulnerable Products.

OpenSSL (June 2015) Affecting Cisco Products - Multiple Vulns
- http://tools.cisco.c...0150612-openssl
Rev 1.9 - 2015-July-16 - Updated Affected Products section. Updated bug IDs for Nexus products.
 





#194 AplusWebMaster

Posted 27 July 2015 - 05:29 AM

FYI...

- http://tools.cisco.c...cationListing.x

OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products
- http://tools.cisco.c...0150710-openssl
Rev 1.12 - 2015-July-28 - Updated Affected Products section - Vulnerable/Not Vulnerable Products.

OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products
- http://tools.cisco.c...0150710-openssl
Rev 1.10 - 2015-July-24 - Updated Affected Products section - Vulnerable/Not Vulnerable Products.

Multiple Vulnerabilities in OpenSSL (June 2015) Affecting Cisco Products
- http://tools.cisco.c...0150612-openssl
Rev 1.10 - 2015-July-24 - Updated Affected Products section.

GNU glibc gethostbyname Function Buffer Overflow Vuln
- http://tools.cisco.c...-20150128-ghost
Rev 1.33 - 2015 July 24 - Updated Fixed Releases availability data for some products.

Cisco Unified MeetingPlace Unauthorized Password Change Vuln
- http://tools.cisco.c...-sa-20150722-mp
2015 July 22 Rev 1.0 - "Summary: The password change functionality in the Cisco Unified MeetingPlace Web Conferencing application could allow an unauthenticated, remote attacker to change the passwords of arbitrary users. The vulnerability is due to the following:
> Users are not required to enter the previous password during a password change request.
> HTTP session functionality does not validate the session ID in the HTTP request for the password change request.
An attacker could exploit this vulnerability via a crafted HTTP request and change arbitrary user passwords to gain access to the application. A successful exploit could allow the attacker to use the reset credentials to gain full control of the application. Cisco has released software updates that address this vulnerability. There is no workaround that mitigates this vulnerability..."
- http://www.securityt....com/id/1033024
CVE Reference: CVE-2015-4262
Jul 22 2015
Impact: Modification of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.5, 8.6 ...
Solution: The vendor has issued a fix (8.5(5) MR3, 8.6(2))...

Cisco IOS Software TFTP Server DoS Vuln
- http://tools.cisco.c...a-20150722-tftp
2015 July 22 Rev 1.0 - "Summary: A vulnerability in the TFTP server feature of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The TFTP server feature is not enabled by default. Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available..."
- http://www.securityt....com/id/1033023
CVE Reference: CVE-2015-0681
Jul 22 2015
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Cisco has assigned bug ID CSCts66733 to this vulnerability...
Solution: The vendor has issued a fix.
A patch matrix is available in the vendor's advisory...

Cisco Application Policy Infrastructure Controller Access Control Vuln
- http://tools.cisco.c...a-20150722-apic
2015 July 22 Rev 1.0 - "Summary: A vulnerability in the cluster management configuration of the Cisco Application Policy Infrastructure Controller (APIC) and the Cisco Nexus 9000 Series ACI Mode Switch could allow an authenticated, remote attacker to access the APIC as the root user. The vulnerability is due to improper implementation of access controls in the APIC filesystem. An attacker could exploit this vulnerability by accessing the cluster management configuration of the APIC. An exploit could allow the attacker to gain access to the APIC as the root user and perform root-level commands. Cisco has released software updates that address this vulnerability..."
- http://www.securityt....com/id/1033025
CVE Reference: CVE-2015-4235
Jul 22 2015
Impact: Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): APICs prior to 1.0(4o), 1.0(3o), 1.1(1j); Nexus 9000 Series ACI prior to 11.0(4o) and 11.1(1j)...
Solution: The vendor has issued a fix (1.0(4o), 1.0(3o), 1.1(1j))...


Edited by AplusWebMaster, 29 July 2015 - 07:02 AM.

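The MeetingPlace advisory quoted above names two defects in the password-change request: no previous password is required, and the session ID is not validated against the account being changed. The following is an added example (not Cisco's code, and not based on the MeetingPlace implementation) that models both defects in a minimal in-memory handler and places a hardened handler beside it. The user names, passwords, PBKDF2 work factor and the 12-character minimum length are assumptions made for the illustration.

```python
# Added example (not Cisco's code): a password-change handler with the two
# weaknesses the MeetingPlace advisory describes, next to a hardened version.
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor only


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AppState:
    """In-memory stand-in for the application's user table and HTTP session table."""

    def __init__(self):
        self.users = {}     # username -> (salt, password hash)
        self.sessions = {}  # session id -> username that logged in

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        salt, stored = self.users.get(username, (b"", b""))
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def login(self, username: str, password: str):
        if not self.check_password(username, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid


def change_password_weak(state: AppState, request: dict) -> bool:
    """Vulnerable pattern: trusts the 'user' field, asks for no old password,
    and never checks that the session id (if any) belongs to that user."""
    salt = os.urandom(16)
    state.users[request["user"]] = (salt, _hash_password(request["new_password"], salt))
    return True


def change_password_hardened(state: AppState, request: dict) -> bool:
    """Hardened: the session must exist, must belong to the account being
    changed, and the caller must prove the current password."""
    owner = state.sessions.get(request.get("session_id", ""))
    if owner is None or owner != request.get("user"):
        return False  # no session, or a session for a different user
    if not state.check_password(owner, request.get("old_password", "")):
        return False  # current password not proven
    new_password = request.get("new_password", "")
    if len(new_password) < 12:
        return False  # assumption: a minimum-length policy
    salt = os.urandom(16)
    state.users[owner] = (salt, _hash_password(new_password, salt))
    # Invalidate every other session for this account after a credential change.
    for sid in [s for s, u in state.sessions.items() if u == owner and s != request["session_id"]]:
        del state.sessions[sid]
    return True


def demo():
    """Runs the attack against both handlers; returns (weak_succeeded, hardened_results)."""
    forged = {"user": "admin", "new_password": "attacker-chosen-pw"}  # no session, no old password

    state = AppState()
    state.add_user("admin", "correct horse battery staple")
    state.add_user("mallory", "mallory-password-1")
    weak_ok = change_password_weak(state, forged) and state.login("admin", "attacker-chosen-pw") is not None

    state = AppState()
    state.add_user("admin", "correct horse battery staple")
    state.add_user("mallory", "mallory-password-1")
    mallory_sid = state.login("mallory", "mallory-password-1")
    results = {
        "no_session": change_password_hardened(state, forged),
        "other_users_session": change_password_hardened(state, {**forged, "session_id": mallory_sid}),
        "wrong_old_password": change_password_hardened(
            state, {"user": "mallory", "session_id": mallory_sid,
                    "old_password": "guess", "new_password": "a-long-new-password"}),
        "legit": change_password_hardened(
            state, {"user": "mallory", "session_id": mallory_sid,
                    "old_password": "mallory-password-1", "new_password": "a-long-new-password"}),
    }
    return weak_ok, results


if __name__ == "__main__":
    print(demo())
```

The weak handler lets a request with no session at all reset the admin password, which is the "change arbitrary user passwords" outcome the advisory describes; the hardened handler binds the request to the session owner, requires the current password, and drops the account's other sessions so a stolen session does not survive the change.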
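The IOS TFTP server advisory above notes that the feature is not enabled by default, so the first practical check is whether a device has it turned on. The following is an added example (not Cisco's code) that scans a running-config dump for `tftp-server` lines and builds the matching `no tftp-server <file>` commands to remove them. The config excerpt is constructed for the example, and treating removal of the entries as the interim mitigation is an assumption; the advisory's own workaround is in the linked document.

```python
# Added example (not Cisco's): flag the IOS TFTP server feature in a running-config dump.
import re

# Constructed sample of a "show running-config" excerpt; not taken from a real device.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-1
!
tftp-server flash:c2900-universalk9-mz.SPA.bin
tftp-server flash:backup.cfg alias backup
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

# Matches top-level "tftp-server <file> [options]" lines only.
TFTP_SERVER_RE = re.compile(r"^tftp-server\s+(\S+)(.*)$", re.MULTILINE)


def find_tftp_server_lines(config: str) -> list[str]:
    """Return every line that enables the TFTP server feature."""
    return [m.group(0) for m in TFTP_SERVER_RE.finditer(config)]


def remediation_commands(config: str) -> list[str]:
    """Build the 'no tftp-server <file>' commands that remove each entry
    (assumption: used as an interim measure until the fixed release is installed)."""
    return ["no tftp-server " + m.group(1) for m in TFTP_SERVER_RE.finditer(config)]


if __name__ == "__main__":
    for line in find_tftp_server_lines(SAMPLE_CONFIG):
        print("enabled:", line)
    for cmd in remediation_commands(SAMPLE_CONFIG):
        print("remediate:", cmd)
```

On a fleet this is the kind of check worth running over archived configs before deciding which devices actually need the emergency upgrade and which can wait for the next maintenance window.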


#195 AplusWebMaster

Posted 31 July 2015 - 07:56 AM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco ASR 1000 Series Aggregation Services Routers Fragmented Packet DoS Vuln
- http://tools.cisco.c...-20150730-asr1k
2015 July 30 Rev 1.0 - "Summary: A vulnerability in the code handling the reassembly of fragmented IP version 4 (IPv4) or IP version 6 (IPv6) packets of Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a crash of the Embedded Services Processor (ESP) processing the packet. The vulnerability is due to improper processing of crafted, fragmented packets. An attacker could exploit this vulnerability by sending a crafted sequence of fragmented packets. An exploit could allow the attacker to cause a reload of the affected platform. Cisco has released software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability..."
- http://www.securityt....com/id/1033131
CVE Reference: CVE-2015-4291
Jul 30 2015
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.1.x - 2.5.x ...
Solution: The vendor has issued a fix (2.4.3, 2.5.1).

Multiple Vulnerabilities in OpenSSL (June 2015) Affecting Cisco Products
- http://tools.cisco.c...0150612-openssl
Rev 1.11 - 2015-July-30 - Updated Affected Products section.

OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products
- http://tools.cisco.c...0150710-openssl
Rev 1.14 - 2015-July-31 - Updated Affected Products section - Vulnerable/Not Vulnerable Products.


Edited by AplusWebMaster, 31 July 2015 - 08:43 AM.
