===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2018.0064.14
          CPU Side-Channel Information Disclosure Vulnerabilities
                               14 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Reference:         ASB-2018.0002.3
                   ESB-2018.0059
                   ESB-2018.0057
                   ESB-2018.0046
                   ESB-2018.0044
                   ESB-2018.0042

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel

Revision History:

   June     14 2018: Updated vulnerable products table from Cisco
   June      6 2018: Updated vulnerable products table from Cisco
   May      23 2018: Updated vulnerable products table from Cisco
   May      16 2018: Updated Vulnerable Products table.
   April    12 2018: Updated Vulnerable Products table.
   February  6 2018: Updated Vulnerable Products table.
   January  25 2018: Updated Products Under Investigation and Vulnerable
                     Products sections.
   January  23 2018: Updated Products Under Investigation and Vulnerable
                     Products sections. Removed UCS M5 server firmware
                     release date. The UCS M5 BIOS updates have been
                     removed from cisco.com at this time. Customers are
                     advised to wait for the next revision of these updates
                     before updating their devices.
   January  22 2018: Updated Products Under Investigation and Vulnerable
                     Products.
   January  19 2018: Updated Summary section to provide guidance on
                     updating underlying operating systems and hypervisors
                     within virtual environments. Updated Affected Products
                     sections and fixed release table.
   January  18 2018: Updated vulnerable products section with fixed release
                     availability and estimates
   January  15 2018: Updated information about vulnerable products,
                     products under investigation, and products confirmed
                     not vulnerable.
   January  10 2018: Updated information about affected products
   January   5 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

CPU Side-Channel Information Disclosure Vulnerabilities

Medium

Advisory ID:     cisco-sa-20180104-cpusidechannel
First Published: 2018 January 4 22:20 GMT
Last Updated:    2018 June 13 18:39 GMT
Version 1.28:    Interim
Workarounds:     No workarounds available

CVE-2017-5715
CVE-2017-5753
CVE-2017-5754

CWE-200

Summary

  o On January 3, 2018, researchers disclosed three vulnerabilities that take
    advantage of the implementation of speculative execution of instructions
    on many modern microprocessor architectures to perform side-channel
    information disclosure attacks. These vulnerabilities could allow an
    unprivileged local attacker, in specific circumstances, to read
    privileged memory belonging to other processes or memory allocated to the
    operating system kernel.

    The first two vulnerabilities, CVE-2017-5753 and CVE-2017-5715, are
    collectively known as Spectre. The third vulnerability, CVE-2017-5754, is
    known as Meltdown. The vulnerabilities are all variants of the same
    attack and differ in the way that speculative execution is exploited.

    To exploit any of these vulnerabilities, an attacker must be able to run
    crafted code on an affected device. Although the underlying CPU and
    operating system combination in a product or service may be affected by
    these vulnerabilities, the majority of Cisco products are closed systems
    that do not allow customers to run custom code and are, therefore, not
    vulnerable. There is no vector to exploit them. Cisco products are
    considered potentially vulnerable only if they allow customers to execute
    custom code side-by-side with Cisco code on the same microprocessor.

    A Cisco product that may be deployed as a virtual machine or a container,
    even while not directly affected by any of these vulnerabilities, could
    be targeted by such attacks if the hosting environment is vulnerable.
    Cisco recommends that customers harden their virtual environments,
    tightly control user access, and ensure that all security updates are
    installed. Customers who are deploying products as a virtual device in
    multi-tenant hosting environments should ensure that the underlying
    hardware, as well as operating system or hypervisor, is patched against
    the vulnerabilities in question.

    Although Cisco cloud services are not directly affected by these
    vulnerabilities, the infrastructure on which they run may be impacted.
    Refer to the "Affected Products" section of this advisory for information
    about the impact of these vulnerabilities on Cisco cloud services.

    Cisco will release software updates that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel

Affected Products

  o Cisco is investigating its product line to determine which products and
    cloud services may be affected by these vulnerabilities. As the
    investigation progresses, Cisco will update this advisory with
    information about affected products and services, including the Cisco bug
    ID for each affected product or service.

    Any product or service not listed in the "Products Under Investigation"
    or "Vulnerable Products" section of this advisory is to be considered not
    vulnerable. The criteria for considering whether a product is vulnerable
    are explained in the "Summary" section of this advisory. Because this is
    an ongoing investigation, please be aware that products and services
    currently considered not vulnerable may subsequently be considered
    vulnerable as additional information becomes available.
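
Added example, not part of the Cisco advisory or the AusCERT bulletin: one way to act on the Summary's recommendation to confirm that the operating system or hypervisor underneath a virtual Cisco product is patched. It assumes a Linux host running kernel 4.15 or later, which reports per-CVE mitigation status under /sys/devices/system/cpu/vulnerabilities; the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Cisco advisory. Reports the mitigation status a
# Linux kernel publishes for the three CVEs the advisory names.
# Assumption: Linux 4.15+ host or hypervisor exposing the sysfs files below.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map the kernel's free-text report to one of four states.
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [DIR]
# Prints one line per CVE; returns 1 if any entry is vulnerable or unknown.
check_cpu_vulns() {
    _dir=${1:-$VULN_DIR_DEFAULT}
    _rc=0
    for _pair in CVE-2017-5753:spectre_v1 \
                 CVE-2017-5715:spectre_v2 \
                 CVE-2017-5754:meltdown; do
        _cve=${_pair%%:*}
        _file=${_pair#*:}
        if [ -r "$_dir/$_file" ]; then
            _text=$(cat "$_dir/$_file")
            _state=$(classify_status "$_text")
        else
            # Missing file: older kernel or sysfs not visible, so nothing
            # is proven either way and the host is treated as unverified.
            _text="no report at $_dir/$_file"
            _state=unknown
        fi
        printf '%s %-10s %-12s %s\n' "$_cve" "$_file" "$_state" "$_text"
        case "$_state" in
            vulnerable|unknown) _rc=1 ;;
        esac
    done
    return "$_rc"
}

# write_sample_reports DIR
# Constructed sample data (not captured from a real host) for an offline run.
write_sample_reports() {
    mkdir -p "$1"
    echo 'Mitigation: __user pointer sanitization' > "$1/spectre_v1"
    echo 'Vulnerable'                              > "$1/spectre_v2"
    echo 'Mitigation: PTI'                         > "$1/meltdown"
}

# Live check only on request: sh check_cpu_vulns.sh --live
if [ "${1:-}" = "--live" ]; then
    check_cpu_vulns
fi
```
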

    Products Under Investigation

    No products are currently under active investigation to determine whether
    they are affected by the vulnerability that is described in this advisory.

    Vulnerable Products

    The following table lists Cisco products and cloud services that are
    affected by the vulnerabilities described in this advisory:

Product                                   Cisco Bug   Fixed Release
                                          ID          Availability

Network Application, Service, and Acceleration

Cisco Cloud Services Platform 2100        CSCvh32644  A fix is pending on
                                                      upstream vendors.

Cisco Network Functions Virtualization    CSCvh49919  A fix is pending on
Infrastructure Software                               upstream vendors.

Cisco Nexus 3000 Series Switches          CSCvh32392  A fix is pending on
                                                      upstream vendors.

Cisco Nexus 9000 Series Switches -        CSCvh32392  A fix is pending on
Standalone, NX-OS mode                                upstream vendors.

Cisco Wide Area Application Services      CSCvh49646  Update to v6.x
(WAAS)                                                (Available now)

Cisco vBond Orchestrator                  --          18.2 (Available Now)

Cisco vEdge 5000                          --          18.2 (Available Now)

Cisco vEdge Cloud                         --          18.2 (Available Now)

Cisco vManage NMS                         --          A fix is pending on
                                                      upstream vendors.

Cisco vSmart Controller                   --          18.2 (Available Now)

Network Management and Provisioning

Cisco Application Policy                  CSCvh58549  3.2(1l) (Available Now)
Infrastructure Controller (APIC)

Cisco Evolved Programmable Network        CSCvh64005  A fix is pending on
Manager                                               upstream vendors.

Cisco Virtual Application Policy          CSCvh58549  3.2(1l) (Available Now)
Infrastructure Controller (APIC)

Routing and Switching - Enterprise and Service Provider

Cisco 4000 Series Integrated Services     CSCvh32416  16.3.7 (June-2018)
Routers (IOS XE Open Service
Containers)

Cisco 800 Industrial Integrated           CSCvh31418  A fix is pending on
Services Routers (IOx feature)                        upstream vendors.

Cisco ASR 1000 Series Aggregation         CSCvh32416  16.3.7 (June-2018)
Services Router with RP2 or RP3 (IOS
XE Open Service Containers)

Cisco ASR 1001-HX Series Aggregation      CSCvh32416  16.3.7 (June-2018)
Services Routers (IOS XE Open Service
Containers)

Cisco ASR 1001-X Series Aggregation       CSCvh32416  16.3.7 (June-2018)
Services Routers (IOS XE Open Service
Containers)

Cisco ASR 1002-HX Series Aggregation      CSCvh32416  16.3.7 (June-2018)
Services Routers (IOS XE Open Service
Containers)

Cisco ASR 1002-X Series Aggregation       CSCvh32416  16.3.7 (June-2018)
Services Routers (IOS XE Open Service
Containers)

Cisco ASR 9000 XR 64-bit Series           CSCvh32429  A fix is pending on
Routers                                               upstream vendors.

Cisco CGR 1000 Compute Module (IOx        CSCvh32516  A fix is pending on
feature)                                              upstream vendors.

Cisco Catalyst 9300 Series Switches       CSCvh44164  16.6.3
(Open Service Container or IOx                        16.7.2
feature)                                              16.8.1
                                                      16.9.1 (June - 2018)

Cisco Catalyst 9400 Series Switches       CSCvh44165  16.6.3
(Open Service Container or IOx                        16.7.2
feature)                                              16.8.1
                                                      16.9.1 (June - 2018)

Cisco Catalyst 9500 Series Switches       CSCvh44166  16.6.3
(Open Service Container or IOx                        16.7.2
feature)                                              16.8.1
                                                      16.9.1 (June -2018)

Cisco Cloud Services Router 1000V         CSCvh32416  16.3.7 (June-2018)
Series (IOS XE Open Service
Containers)

Cisco NCS 1000 Series Routers             CSCvh32429  A fix is pending on
                                                      upstream vendors.

Cisco NCS 5000 Series Routers             CSCvh32429  A fix is pending on
                                                      upstream vendors.

Cisco NCS 5500 Series Routers             CSCvh32429  A fix is pending on
                                                      upstream vendors.

Cisco Nexus 3500 Series Switches          CSCvh32393  No fix expected.

Cisco Nexus 5000 Series Switches (OAC     CSCvh32394  A fix is pending on
feature)                                              upstream vendors.

Cisco Nexus 6000 Series Switches (OAC     CSCvh32390  A fix is pending on
feature)                                              upstream vendors.

Cisco Nexus 7000 Series Switches (OAC     CSCvh32390  A fix is pending on
feature, Feature Bash)                                upstream vendors.

Cisco XRv 9000 Series Routers             CSCvh32429  A fix is pending on
                                                      upstream vendors.

Cisco c800 Series Integrated Services     CSCvh51582  A fix is pending on
Routers (IOx feature)                                 upstream vendors.

Unified Computing

Cisco C880 M4 Server                      CSCvh66783  A fix is pending on
                                                      upstream vendors.

Cisco C880 M5 Server                      CSCvh66783  A fix is pending on
                                                      upstream vendors.

Cisco Enterprise Network Compute          CSCvh48274  A fix is pending on
System 5100 Series Servers                            upstream vendors.

Cisco Enterprise Network Compute          CSCvh48274  A fix is pending on
System 5400 Series Servers                            upstream vendors.

Cisco HyperFlex with VMWare Hypervisor    CSCvh68612  HX 2.5.1d
                                                      HX 2.6.1d
                                                      HX 3.0.1a (Available Now)

Cisco UCS B-Series M2 Blade Servers       CSCvh31576  UCS B-Series M2 Blade Servers -
                                                      UCS Manager 2.2 (8j) (April 2018)
                                                      UCS Manager 3.1(3h) (May 2018)
                                                      UCS Manager 3.2(3b) (May 2018)
                                                      UCS C-Series M2 Rack Servers -
                                                      UCS Manager 2.2 (8j) (April 2018)
                                                      IMC 1.4(3z08) (April 2018) /
                                                      1.5(9e) (April 2018)

Cisco UCS B-Series M3 Blade Servers       CSCvg97965  UCS B-Series M3 Blade Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      UCS C-Series M3 Rack Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      UCS Manager 2.2(8j) (April 2018)
                                                      IMC 3.0(4a) (Mar 2018)
                                                      IMC 2.0(9n) (April 2018)

Cisco UCS B-Series M4 Blade Servers       CSCvg97979  UCS B-Series M4 Blade Servers
(except B260, B460)                                   (except B260 B460)
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      UCS C-Series M4 Rack Servers
                                                      (except C460)
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      IMC 3.0(4a) (Mar 2018)
                                                      IMC 2.0(10i) (April 2018)
                                                      UCS S3260 M4 Storage Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      IMC 3.0(4a) (Mar 2018)

Cisco UCS B-Series M5 Blade Servers       CSCvh31577  UCS B-Series M5 Blade Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      UCS C-Series M5 Rack Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      IMC 3.1(3a) (Mar 2018)

Cisco UCS B260 M4 Blade Server            CSCvg98015  UCS B260 M4 Blade Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      UCS B460 M4 Blade Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      UCS C460 M4 Rack Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)

Cisco UCS B460 M4 Blade Server            CSCvg98015  UCS B260 M4 Blade Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      UCS B460 M4 Blade Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      UCS C460 M4 Rack Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)

Cisco UCS C-Series M2 Rack Servers        CSCvh31576  UCS B-Series M2 Blade Servers -
                                                      UCS Manager 2.2 (8j) (April 2018)
                                                      UCS Manager 3.1(3h) (May 2018)
                                                      UCS Manager 3.2(3b) (May 2018)
                                                      UCS C-Series M2 Rack Servers -
                                                      UCS Manager 2.2 (8j) (April 2018)
                                                      IMC 1.4(3z08) (April 2018) /
                                                      1.5(9e) (April 2018)

Cisco UCS C-Series M3 Rack Servers        CSCvg97965  UCS B-Series M3 Blade Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      UCS C-Series M3 Rack Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      UCS Manager 2.2(8j) (April 2018)
                                                      IMC 3.0(4a) (Mar 2018)
                                                      IMC 2.0(9n) (April 2018)

Cisco UCS C-Series M4 Rack Servers        CSCvg97979  UCS B-Series M4 Blade Servers
(except C460) ^1                                      (except B260 B460)
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      UCS C-Series M4 Rack Servers
                                                      (except C460)
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      IMC 3.0(4a) (Mar 2018)
                                                      IMC 2.0(10i) (April 2018)
                                                      UCS S3260 M4 Storage Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      IMC 3.0(4a) (Mar 2018)

Cisco UCS C-Series M5 Rack Servers ^1     CSCvh31577  UCS B-Series M5 Blade Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      UCS C-Series M5 Rack Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      IMC 3.1(3a) (Mar 2018)

Cisco UCS C460 M4 Rack Server             CSCvg98015  UCS B260 M4 Blade Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      UCS B460 M4 Blade Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      UCS C460 M4 Rack Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)

Cisco UCS E-Series M2 Servers             CSCvh48274  A fix is pending on
                                                      upstream vendors.

Cisco UCS E-Series M3 Servers             CSCvh48274  A fix is pending on
                                                      upstream vendors.

Cisco UCS M-Series Modular Servers        CSCvh55760  No fix expected.

Cisco UCS S3260 M4 Storage Server         CSCvg97979  UCS B-Series M4 Blade Servers
                                                      (except B260 B460)
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      UCS C-Series M4 Rack Servers
                                                      (except C460)
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      2.2(8j) (April 2018)
                                                      IMC 3.0(4a) (Mar 2018)
                                                      IMC 2.0(10i) (April 2018)
                                                      UCS S3260 M4 Storage Servers
                                                      3.2(3a) (Mar 2018)
                                                      3.2(2f) (Mar 2018)
                                                      3.1(3f) (Mar 2018)
                                                      IMC 3.0(4a) (Mar 2018)

Voice and Unified Communications Devices

Cisco Remote Expert Mobile                CSCvh58132  11.6(1)ES3
                                                      11.5(1)ES8 (Available Now)

Wireless

Cisco Wireless Gateway for LoRaWAN        CSCvh58504  A fix is pending on
                                                      upstream vendors.

Cisco Cloud Hosted Services

Cisco Metacloud                           CSCvh53992  Meltdown and Spectre
                                                      variant 1 (v4.7) (Feb 2018)
                                                      Spectre variant 2 (Apr 2018)

Cisco Threat Grid                         --          (Feb-2018)

    ^1 Cisco UCS M4 and M5 Rack Servers are used as part of the Cisco
    HyperFlex Solution.

    Products Confirmed Not Vulnerable

    No other Cisco products or cloud services are currently known to be
    affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect the
    following products or cloud services:

    Collaboration and Social Media
      o Cisco Meeting Server

    Network Application, Service, and Acceleration
      o Cisco vEdge 1000
      o Cisco vEdge 100
      o Cisco vEdge 2000

    Routing and Switching - Enterprise and Service Provider
      o Cisco 1000 Series Connected Grid Routers
      o Cisco 500 Series WPAN Industrial Routers (IOx feature)
      o Cisco ASR 1001 Fixed Configuration Aggregation Services Router
      o Cisco ASR 1002 Fixed Configuration Aggregation Services Router
      o Cisco ASR 1002-F Fixed Configuration Aggregation Services Router
      o Cisco Catalyst 3650 Series Switches
      o Cisco Catalyst 3850 Series Switches
      o Cisco Industrial Ethernet 4000 Series Switches (IOx feature)
      o Cisco Nexus 4000 Series Blade Switches
      o Cisco Nexus 9000 Series Fabric Switches - ACI mode

    Cisco Cloud Hosted Services
      o Cisco Cloudlock
      o Cisco Managed Services
      o Cisco Meraki
      o Cisco Spark
      o Cisco Umbrella
      o Cisco WebEx Centers - Meeting Center, Training Center, Event Center,
        Support Center

Details

  o Details about the vulnerabilities are as follows.

    Modern CPU Process Prediction Information Disclosure Vulnerability

    A vulnerability due to the design of most modern CPUs could allow a local
    attacker to access sensitive information on a targeted system.

    The vulnerability is due to improper implementation of the speculative
    execution of instructions by the affected software. This vulnerability
    can be triggered by utilizing branch target injection. An attacker could
    exploit this vulnerability by executing arbitrary code and performing a
    side-channel attack on a targeted system. A successful exploit could
    allow the attacker to read sensitive memory information.

    This vulnerability has been assigned the following CVE ID: CVE-2017-5715

    Modern CPU Process Branch Prediction Information Disclosure Vulnerability

    A vulnerability due to the design of most modern CPUs could allow a local
    attacker to access sensitive information on a targeted system.

    The vulnerability is due to improper implementation of the speculative
    execution of instructions by the affected software. This vulnerability
    can be triggered by performing a bounds check bypass. An attacker could
    exploit this vulnerability by executing arbitrary code and performing a
    side-channel attack on a targeted system. A successful exploit could
    allow the attacker to read sensitive memory information.

    This vulnerability has been assigned the following CVE ID: CVE-2017-5753

    Intel CPU Indirect Branch Prediction Information Disclosure Vulnerability

    A vulnerability in Intel CPU hardware could allow a local attacker to
    gain access to sensitive information on a targeted system.

    The vulnerability is due to side-channel attacks, which are also referred
    to as Meltdown attacks. A local attacker could exploit this vulnerability
    by executing arbitrary code on the affected system. A successful exploit
    could allow the attacker to gain access to sensitive information on the
    targeted system, including accessing memory from the CPU cache.

    This vulnerability has been assigned the following CVE ID: CVE-2017-5754

Workarounds

  o Any workarounds will be documented in the product-specific Cisco bugs,
    which are accessible through the Cisco Bug Search Tool.

Fixed Software

  o For information about fixed software releases, consult the Cisco bugs
    identified in the "Vulnerable Products" section of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  o The vulnerabilities described in this advisory were discussed in several
    articles and discussion forums as of January 3, 2018.

    The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any malicious use of the vulnerabilities that are described in this
    advisory.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Action Links for This Advisory

  o Snort Rule 45357
    Snort Rule 45358
    Snort Rule 45359
    Snort Rule 45360
    Snort Rule 45361
    Snort Rule 45362
    Snort Rule 45363
    Snort Rule 45364
    Snort Rule 45365
    Snort Rule 45366
    Snort Rule 45367
    Snort Rule 45368
    Snort Rule 45443
    Snort Rule 45444

Related to This Advisory

  o CPU Side-Channel Information Disclosure Vulnerabilities
    Intel CPU Process Prediction Information Disclosure Vulnerability
    Intel CPU Indirect Branch Prediction Information Disclosure Vulnerability

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel

Revision History

+---------+---------------------+------------+---------+------------------+
| Version | Description         | Section    | Status  | Date             |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
|         | Products table with | Vulnerable |         |                  |
| 1.28    | fixed version       | Products   | Interim | 2018-June-13     |
|         | information for     |            |         |                  |
|         | multiple products.  |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
|         | Products table with | Vulnerable |         |                  |
| 1.27    | fixed version       | Products   | Interim | 2018-June-08     |
|         | information for     |            |         |                  |
|         | multiple products.  |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
|         | Products table with | Vulnerable |         |                  |
| 1.26    | fixed version       | Products   | Interim | 2018-June-04     |
|         | information for     |            |         |                  |
|         | multiple products.  |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
|         | Products table with | Vulnerable |         |                  |
| 1.25    | fixed version       | Products   | Interim | 2018-May-22      |
|         | information for     |            |         |                  |
|         | multiple products.  |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
|         | Products table with | Vulnerable |         |                  |
| 1.24    | fixed version       | Products   | Interim | 2018-May-14      |
|         | information for     |            |         |                  |
|         | multiple products.  |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
|         | Products table with |            |         |                  |
|         | fixed version       | Vulnerable |         |                  |
| 1.23    | information for UCS | Products   | Interim | 2018-April-09    |
|         | M2, M3, and         |            |         |                  |
|         | additional M4       |            |         |                  |
|         | models.             |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
|         | Products table with |            |         |                  |
|         | version information |            |         |                  |
| 1.22    | and estimated       | Vulnerable | Interim | 2018-March-20    |
|         | availability dates  | Products   |         |                  |
|         | for the delivery of |            |         |                  |
|         | fixed software for  |            |         |                  |
|         | Cisco UCS Servers.  |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
|         | Products table with |            |         |                  |
|         | estimated           | Vulnerable |         |                  |
| 1.21    | availability dates  | Products   | Interim | 2018-March-07    |
|         | for the delivery of |            |         |                  |
|         | fixed software for  |            |         |                  |
|         | Cisco UCS Servers.  |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
|         | Products table with |            |         |                  |
|         | estimated           | Vulnerable |         |                  |
| 1.20    | availability dates  | Products   | Interim | 2018-March-01    |
|         | for the delivery of |            |         |                  |
|         | fixed software for  |            |         |                  |
|         | multiple products.  |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
| 1.19    | Products Table Fix  | Vulnerable | Interim | 2018-February-07 |
|         | information for     | Products   |         |                  |
|         | E-Series servers.   |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
| 1.18    | Products Table with | Vulnerable | Interim | 2018-February-07 |
|         | fix/timelines on a  | Products   |         |                  |
|         | number of products. |            |         |                  |
+---------+---------------------+------------+---------+------------------+
| 1.17    | Updated Vulnerable  | Vulnerable | Interim | 2018-February-05 |
|         | Products table.     | Products   |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
|         | and Confirmed Not   | Vulnerable |         |                  |
|         | Vulnerable          | Products,  |         |                  |
| 1.16    | sections. Cisco     | Confirmed  | Interim | 2018-January-30  |
|         | Industrial Ethernet | Not        |         |                  |
|         | 4000 devices moved  | Vulnerable |         |                  |
|         | to Confirmed Not    |            |         |                  |
|         | Vulnerable section. |            |         |                  |
+---------+---------------------+------------+---------+------------------+
| 1.15    | Updated Vulnerable  | Vulnerable | Interim | 2018-January-26  |
|         | Products section.   | Products   |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Products    | Affected   |         |                  |
| 1.14    | Under Investigation | Products,  | Interim | 2018-January-24  |
|         | and Vulnerable      | Vulnerable |         |                  |
|         | Products sections.  | Products   |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Products    |            |         |                  |
|         | Under Investigation |            |         |                  |
|         | and Vulnerable      |            |         |                  |
|         | Products sections.  |            |         |                  |
|         | Removed UCS M5      |            |         |                  |
|         | server firmware     |            |         |                  |
|         | release date. The   | Affected   |         |                  |
|         | UCS M5 BIOS updates | Products,  |         |                  |
| 1.13    | have been removed   | Vulnerable | Interim | 2018-January-22  |
|         | from cisco.com at   | Products   |         |                  |
|         | this time.          |            |         |                  |
|         | Customers are       |            |         |                  |
|         | advised to wait for |            |         |                  |
|         | the next revision   |            |         |                  |
|         | of these updates    |            |         |                  |
|         | before updating     |            |         |                  |
|         | their devices.      |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Products    | Affected   |         |                  |
| 1.12    | Under Investigation | Products,  | Interim | 2018-January-19  |
|         | and Vulnerable      | Vulnerable |         |                  |
|         | Products.           | Products   |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Summary     |            |         |                  |
|         | section to provide  |            |         |                  |
|         | guidance on         |            |         |                  |
|         | updating underlying | Summary,   |         |                  |
|         | operating systems   | Affected   |         |                  |
| 1.11    | and hypervisors     | Products,  | Interim | 2018-January-18  |
|         | within virtual      | Vulnerable |         |                  |
|         | environments.       | Products   |         |                  |
|         | Updated Affected    |            |         |                  |
|         | Products sections   |            |         |                  |
|         | and fixed release   |            |         |                  |
|         | table.              |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Vulnerable  |            |         |                  |
|         | Products section    | Vulnerable |         |                  |
| 1.10    | with fixed release  | Products   | Interim | 2018-January-17  |
|         | availability and    |            |         |                  |
|         | estimates.          |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated information |            |         |                  |
|         | about products      | Affected   |         |                  |
|         | under investigation | Products   |         |                  |
| 1.9     | and vulnerable      | and        | Interim | 2018-January-16  |
|         | products, including | Vulnerable |         |                  |
|         | fixed release       | Products   |         |                  |
|         | availability.       |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated information |            |         |                  |
|         | about products      | Affected   |         |                  |
|         | under investigation | Products   |         |                  |
| 1.8     | and vulnerable      | and        | Interim | 2018-January-15  |
|         | products, including | Vulnerable |         |                  |
|         | fixed release       | Products   |         |                  |
|         | availability.       |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated information | Affected   |         |                  |
|         | about vulnerable    | Products,  |         |                  |
|         | products, products  | Vulnerable |         |                  |
| 1.7     | under               | Products,  | Interim | 2018-January-12  |
|         | investigation, and  | Products   |         |                  |
|         | products confirmed  | Confirmed  |         |                  |
|         | not vulnerable.     | Not        |         |                  |
|         |                     | Vulnerable |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated information | Affected   |         |                  |
|         | about vulnerable    | Products,  |         |                  |
|         | products, products  | Vulnerable |         |                  |
| 1.6     | under               | Products,  | Interim | 2018-January-11  |
|         | investigation, and  | Products   |         |                  |
|         | products confirmed  | Confirmed  |         |                  |
|         | not vulnerable.     | Not        |         |                  |
|         |                     | Vulnerable |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated the summary |            |         |                  |
|         | to indicate the     |            |         |                  |
|         | status of Cisco     |            |         |                  |
|         | cloud services and  | Summary,   |         |                  |
|         | remind              | Affected   |         |                  |
|         | administrators to   | Products,  |         |                  |
|         | control user        | Vulnerable |         |                  |
| 1.5     | access. Updated     | Products,  | Interim | 2018-January-10  |
|         | information about   | Products   |         |                  |
|         | vulnerable          | Confirmed  |         |                  |
|         | products, products  | Not        |         |                  |
|         | under               | Vulnerable |         |                  |
|         | investigation, and  |            |         |                  |
|         | products confirmed  |            |         |                  |
|         | not vulnerable.     |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated information | Affected   |         |                  |
|         | about products      | Products,  |         |                  |
| 1.4     | under investigation | Vulnerable | Interim | 2018-January-09  |
|         | and vulnerable      | Products   |         |                  |
|         | products.           |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated             |            |         |                  |
|         | vulnerability       |            |         |                  |
|         | details and         |            |         |                  |
|         | information about   | Affected   |         |                  |
|         | products under      | Products,  |         |                  |
|         | investigation and   | Vulnerable |         |                  |
| 1.3     | products confirmed  | Products,  | Interim | 2018-January-08  |
|         | not vulnerable.     | Details,   |         |                  |
|         | Added the           | Fixed      |         |                  |
|         | Vulnerable Products | Software   |         |                  |
|         | table, including    |            |         |                  |
|         | information about   |            |         |                  |
|         | fixed release       |            |         |                  |
|         | availability.       |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Updated Summary and | Summary,   |         |                  |
|         | Products Under      | Affected   |         |                  |
|         | Investigation,      | Products,  |         |                  |
| 1.2     | added the           | Vulnerable | Interim | 2018-January-05  |
|         | Vulnerable Products | Products,  |         |                  |
|         | table with          | Fixed      |         |                  |
|         | information about   | Software   |         |                  |
|         | fixes.              |            |         |                  |
+---------+---------------------+------------+---------+------------------+
|         | Clarified the       | Products   |         |                  |
| 1.1     | non-vulnerable      | Confirmed  | Interim | 2018-January-04  |
|         | product section.    | Not        |         |                  |
|         |                     | Vulnerable |         |                  |
+---------+---------------------+------------+---------+------------------+
| 1.0     | Initial public      | -          | Interim | 2018-January-04  |
|         | release.            |            |         |                  |
+---------+---------------------+------------+---------+------------------+

Legal Disclaimer

  o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO
    UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

    A standalone copy or paraphrase of the text of this document that omits
    the distribution URL is an uncontrolled copy and may lack important
    information or contain factual errors. The information in this document
    is intended for end users of Cisco products.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================