X7.2.3 VCS OpenSSL vulnerability
Hi all
CSCuo16472 (https://tools.cisco.com/bugsearch/bug/CSCuo16472), we see that the vulnerability is fixed in X7.2.3 and X8.1.1.
But in X7.2.3 covering memo, we cannot find any description about it. (In X8.1.1 we can find it).
Is it really fixed in X7.2.3?
Best regards
Kotaro
Yes, it is fixed in X7.2.3 - it is mentioned very briefly, buried on page 49 of the release notes, where it says that it uses OpenSSL 1.0.1c patched for CVE-2014-0160.
-
MITM Dell idrac openssl vulnerability
Hello
Nessus allows us to analyze our network. My most recent scan reports several openssl vulnerabilities with a CVSS score of 9.3 (note: HIGH); see below for more details. The following products were found to be affected:
Reference Dell idrac6 1.97
Dell idrac7 1.57.57
Nessus says that the possibility is confirmed, and the openssl version could also be vulnerable to the other openssl issues released the same day as the OpenSSL 'ChangeCipherSpec' MiTM vulnerability released on June 5.
Is this confirmed by Dell? Will patches be released for this fault?
CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470
Here's what I received the answer from Dell to the Openssl vulnerability.
After a few calls to the help desk here is what I get for my iDRAC7 fighting flag of Foundstone security for vulnerability CVE-2014-0224 scans:
"The package OPEN SSL used here contains several components, you do not use the component that is vulnerable and affected, other components in this package are used but are not vulnerable".
"Dell has determined that the products listed in the attached document are not affected by the problems. Some products generated a module OpenSSL older (but not vulnerable). This could be marked by a scanner." Dell is currently working to update the modules on a version that will not be reported for these issues.
I also tried to download the document, I hope I can be read or downloaded.
If this post has helped you please note.
Thank you
2376.Dell - ResponseOpenSSLSecurityAdvisory_05_June_2014_final.pdf
-
Updated HP Device Manager 4.6 SP3 (OpenSSL vulnerability)
Hey!
I installed the HP Device Manager 4.6 SP3 upgrade, and our resident vulnerability scanner shows that the version of OpenSSL it uses is vulnerable.
The details of ssleay32.dll and libeay32.dll also show they are version 0.9.8.24 and not 1.0.1i...
Did I do something wrong during the upgrade?
I tried the process of installation/upgrade on 3 different machines now, and the version of the same thing on all the settings...
All boards
Thank you!
Georg
Hi, George,
There is nothing wrong with your update. The libssl update was not included in SP3. Please go with Service Pack 4, released 27 October, for this security update.
Regards
-Chen
-
Fusion 5.0.4 and software/OpenSSL vulnerability - affected or not?
Hi all
My Parallels Desktop imploded, forcing me to start over, and I thought that now is the ideal time to move (back) to Fusion, once and for all. A question for you guys (I hope a simple one):
I see that Fusion 6.0.3 is out to protect against Heartbleed, but there is no corresponding patch for 5.0.4.
Does this mean that the vulnerability does not exist in earlier versions, or that it does and is simply not going to be patched for older versions? Finances are tight, and I was hoping to just use my existing 5.0.4 license.
Can I do it safely?
Thank you!
Fusion 5 is not affected by the Heartbleed problem. See VMware KB: response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: 'Heartbleed'
See you soon,
--
Darius
-
OpenSSL Heartbleed vulnerability
I see a lot of news about the OpenSSL vulnerability known as Heartbleed.
For more information:
http://www.ZDNet.com/heartbleed-serious-OpenSSL-zero-day-vulnerability-revealed-7000028166/
security - Heartbleed: what is it and what are the options to mitigate it? - Server Fault
https://blog.cloudflare.com/staying-ahead-of-OpenSSL-vulnerabilities
https://Web.NVD.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
I did some searching but can't find any relationship with VMware/ESXi.
My question: does this also affect the vSphere environment somehow?
I hope that VMware will soon release a security notice clarifying things and providing updates for this horrible problem (which is not their fault).
The openssl Heartbleed bug seems to affect ESXi as well. Virtual appliances based on recent Linux, such as the VCSA, vMA, etc., may be vulnerable too:
Which versions of OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
The bug was introduced into OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on March 14, 2012. OpenSSL 1.0.1g, released on April 7, 2014, fixes the bug.
Let's take a look at an ESXi 5.5 GA host (no U1):
# vmware -vl
VMware ESXi 5.5.0 build-1331820
VMware ESXi 5.5.0 GA
# openssl version -a
OpenSSL 1.0.1e February 11, 2013
built: Tue Feb 26 16:34:26 PST 2013
Now, here's an ESXi 5.1 U2 host:
# vmware -vl
VMware ESXi 5.1.0 build-1612806
VMware ESXi 5.1.0 Update 2
~ # openssl version -a
OpenSSL 0.9.8y 5 February 2013
built: Fri Mar 20 20:44:08 CDT 2013
As you can see, ESXi 5.5 runs the vulnerable openssl 1.0.1 branch. ESXi 5.1 U2 also uses the openssl 0.9.8 branch. So versions prior to ESXi 5.5 should be affected.
I have an older vMA 5.1 virtual appliance, which is unchanged, as well:
# cat /etc/vma-release
vMA 5.1.0 BUILD-1062361
# cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 2
# openssl version -a
OpenSSL 1.0.0c December 2, 2010
At least the vCenter Inventory Service seems to depend on the openssl library as well:
A 5.1 vCenter U2 seems of course:
"C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe" version -a
OpenSSL 0.9.8y 5 February 2013
built: Thu Feb 12 23:38:08 2013
There are two openssl binaries on a test vCenter 5.5 GA of mine, one of them being a vulnerable version:
"C:\Program Files\VMware\CIS\openSSL\openssl.exe" version -a
OpenSSL 1.0.1e February 11, 2013
built: Thu Feb 12 19:37:08 2013
"C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe" version -a
OpenSSL 0.9.8y 5 February 2013
built: Thu Feb 12 23:38:08 2013
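Added example (not part of the original posts): a small Python triage helper that classifies `openssl version` banners against the version ranges quoted in the answer above. The host labels and the sample inventory are constructed for illustration. A banner in the affected range is a triage signal, not proof: as the X7.2.3 reply on this page notes, a vendor build can report 1.0.1c and still be patched for CVE-2014-0160.

```python
import re

# First line of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)

# Branches the post lists as not vulnerable.
SAFE_BRANCHES = {(1, 0, 0), (0, 9, 8)}


def heartbleed_status(banner):
    """Classify a banner using only the ranges quoted in the post:
    1.0.1 through 1.0.1f in range; 1.0.1g, 1.0.0 and 0.9.8 branches not."""
    m = BANNER.match(banner.strip())
    if not m:
        return "unparsed"
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    letter = m.group(4).lower()
    if branch in SAFE_BRANCHES:
        return "not-affected"
    if branch != (1, 0, 1):
        return "unknown-branch"  # not covered by the list in the post
    # No letter (plain 1.0.1) up to "f" is in range; "g" and later carry the fix.
    if letter == "" or (len(letter) == 1 and letter <= "f"):
        return "in-affected-range"
    return "not-affected"


def triage(inventory):
    """Return the hosts whose banner falls in the affected range, sorted."""
    return sorted(host for host, banner in inventory.items()
                  if heartbleed_status(banner) == "in-affected-range")


# Constructed inventory: labels are hypothetical, versions mirror the thread.
SAMPLE = {
    "esxi-5.5-ga": "OpenSSL 1.0.1e 11 Feb 2013",
    "esxi-5.1-u2": "OpenSSL 0.9.8y 5 Feb 2013",
    "vma-5.1": "OpenSSL 1.0.0c 2 Dec 2010",
    "patched-box": "OpenSSL 1.0.1g 7 Apr 2014",
}

if __name__ == "__main__":
    for host, banner in SAMPLE.items():
        print(f"{host:12} {heartbleed_status(banner):18} {banner}")
    print("follow up on:", triage(SAMPLE))
```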
-
Question of vulnerability OpenSSL WALNUT
Microsoft releases any patches for OpenSSL WALNUT cause of vulnerability
Hello
I suggest you post your query in the following TechNet forums to improve assistance in this regard.
https://social.technet.Microsoft.com/forums/Windows/en-us/home
Thank you.
-
Linksys Smart Wi-Fi is vulnerable to the heart bleed OpenSSL
I'm curious to know if the Linksys Smart Wi-Fi site or routers are vulnerable to the heart bleed OpenSSL exploit?
http://SiliconANGLE.com/blog/2014/04/08/OpenSSL-heartbleed-vulnerability-may-affect-millions/
BTW: Change your passwords...
FW_LICENSE_EA4500_v2.1.39.145204 - 3 - RainCAP_n.html construction
-
Release date for VCS x8.2.1 to fix several bugs of OpenSSL (CSCup25151)
Hi all
We are off again on the endless upgrade and patch path with the imminent release of x8.2.1 to fix further bugs in OpenSSL (among others) which are potentially more dangerous than the Heartbleed issue of a few months back. A Cisco notice was sent out earlier (18/07/2014), which suggests that bug CSCup25151 will be fixed in x8.2.1. I just checked the download site and it doesn't seem to be available yet. Any idea on when this might be?
I also wonder if additional fixes will be needed for the C/SX codecs (and others) running the TC line of software. As far as I can see, bug reference CSCup25163 covers some of these issues in version TC7.1.4 (already out), but I'm assuming that another release would be next - or do the remaining OpenSSL issues (listed for VCS above) not affect the TC code line?
See you soon
Chris
Published today. On 31 July.
-
OpenSSL with "Cisco VCS Certificate Creation and Use - Deployment Guide"
Hi team,
To prevent users from logging on with the VCS Expressway, we want to use OpenSSL (version: 1.0.1p 9 Jul 2015), but I am facing the following problem:
1 - I can't run the command "touch index.txt".
2 - I can't run the command "openssl genrsa -aes256 -out private/cakey.pem 4096"; and when I apply these commands I get "OpenSSL is not recognized".
I did all the steps that says "VCS certificate creation and use Cisco".
What could be the matter?
Thanks for your advice.
Kind regards
Bill
As already explained, touch does not work; simply create the .txt file through the Windows command line.
-
VCS-C and VCS-E switch to 7.2.2 8.1
Hello Experts,
We want to deploy Jabber via the Expressway Edge (ARM) solution and we must upgrade our current VCS-C and E servers (7.2.2).
We have a few old Polycoms, and I wonder if the upgrade of the VCS may break the legacy Polycoms.
TMS units and MCU does not require the upgrade.
The methods for registering an endpoint to the VCS have not changed, so if your endpoints are registering correctly now, they should continue to do so following the upgrade.
Support for some of the older Polycom devices was dropped in new versions of TMS, so if you are considering upgrading TMS at any time, you may need to take a close look at the release notes.
Please note that ports have changed a bit between X7 and X8, so make sure that before any upgrade you have a good, thorough read of the X8.1.1 release notes and update any firewall for ports that have changed.
PS - You should go to X8.1.1 on the VCSes, not only X8.1, as X8.1.1 patches the OpenSSL Heartbleed vulnerability.
Wayne
--
Remember the frequency responses and mark your question as answered as appropriate.
-
Excite Pro AT10LE-A108 - Android update for several issues of OpenSSL
Fortunately most Android versions avoid the Heartbleed bug, but there is a new raft of bugs that Android is vulnerable to:
http://www.eWEEK.com/security/OpenSSL-finds-and-fixes-7-new-security-flaws.html
Is there a plan to fix the latter with an update?
Of course, it would take some time, because I think that the latest version of Android 4.4.3 is still vulnerable. Clearly Toshiba will know a lot more about the details.
> Is there any plan to fix the latter with an update?
Since this is a user to user community, I don't think someone will be able to provide more information on these updates or patches.
> Of course it would take a long time, because I think that the latest version of Android 4.4.3 is still vulnerable.
From my point of view, such bugs should be fixed by the Google Android developers...
Tablet manufacturers just add some special software features and customize the Android system for the hardware built into the smartphone and tablet devices.
-
Dear community,
Is there an OS X Server version using a version of openssl which is not vulnerable to the DROWN attack (TLS 1.2)?
https://drownattack.com/#check
Thanks in advance!
For what it's worth, OS X Server uses Apache; if you follow the link and read the information about Apache and this issue, you will see that Apache 2.4.x and later are supposed to be not affected.
OS X Yosemite and El Capitan use versions of Apache that are 2.4.x or later, so in theory they are not affected. Mavericks uses Apache 2.2.x and is likely to be affected.
Run the following in Terminal.app to find out the version of Apache that you have.
httpd -v
-
OpenSSL needs an upgrade on the VCS
Discovered today that the version of OpenSSL in the VCS X6 firmware is 1.0.0b. Had problems using OpenSSL to get the 3 parts of the certificate; it produced only the private key. The CA server is using a newer version of the RSA/DH provider on Microsoft Windows 2008 R2 OCS, and I found that OpenSSL 1.0.0b cannot read them. I have run the same commands on a separate Linux platform using OpenSSL 1.0.0d and this generated the expected pem file.
I would recommend that Cisco look at upgrading OpenSSL in the next version of the firmware, as I was banging my head against this one for hours!
Hi David,
This is a known issue (bug reference 86671) and is dealt with in a later version of the VCS software. To my knowledge, the reason the VCS does not convert the .pfx file to .pem is that the instance of OpenSSL on the VCS does not support the RC2 encryption used by the .pfx file.
The workaround is to use an OpenSSL installation outside, as you did.
Kind regards
Andreas
-
SIP spam attack and MCU and vcs - e call
As far as I know, SIP call spam attacks are made against videoconferencing systems connected with a public IP address. I disabled SIP, but I'm not sure if my MCU and VCS-E with sound are vulnerable to them. Do they pose a security threat to them? And if so, how? And what can we do about it?
It is a well known problem and it affects H.323 and SIP, take a look at the below threads:
https://supportforums.Cisco.com/discussion/12340591/nuisance-h323-calls-SX20
https://supportforums.Cisco.com/discussion/12336591/sourceh323idcisco-incomingcalls
https://supportforums.Cisco.com/discussion/12508641/Cisco-source-spam-calls-stepped-complexity
https://supportforums.Cisco.com/discussion/12613681/attack-vcse
There are many more discussions on this issue; the above is just a small selection. :)
You do not need to disable SIP on the VCS-E; all you need to do is turn off SIP UDP, unless you need it for voice services.
You can protect yourself by using a CPL on the VCS-E that will prevent calls from going through to your MCU, or anything else you have sitting behind the VCS-E. This is assuming that you are using a VCS-C/VCS-E combo, with the VCS-C behind a firewall and the VCS-E outside the firewall, for example in the demilitarized zone.
Having endpoints or MCUs sitting in the wild with public IP addresses is just asking for trouble.
These scans, moreover, are mainly looking for systems that will allow them to make free international calls.
/Jens
Please rate the answers and mark questions as 'answered' as appropriate.
-
I occasionally see a large number of SSH connection attempts on our VCS; any suggestions to prevent this? It looks like port scanning, with something just trying random attempts.
So talk to your network guys; it's really not preferred to have the VCS unfirewalled.
In addition to what I wrote, apart from cutting the cable and ignoring the messages, there are not so many things to do.
Although ignoring is not the best method :-)
It's a typical thing that you see; there are many scripts running on the internet, probably
not directly aimed at your organization, but at open and vulnerable systems.
This applies to all systems connected to open networks, not only to VCS.
Another typical scan is of SIP ports, which can also include attempts to place external ISDN calls.
Patrick: Please note my posted messages under the stars below and define the thread if it is a response.