Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.4004.8
Multiple Vulnerabilities in Apache HTTP Server Affecting
Cisco Products: November 2021
28 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco products
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-40438 CVE-2021-39275 CVE-2021-36160
CVE-2021-34798 CVE-2021-33193
Reference: ESB-2021.3591
ESB-2021.3341
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ
Revision History: January 28 2022: Significant update of vendor advisory
December 21 2021: Update on vulnerable products
December 9 2021: Update on vulnerable products
December 3 2021: Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable.
December 2 2021: Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable.
November 29 2021: Added the list of products confirmed not vulnerable. Updated the lists of vulnerable products and products under investigation.
November 26 2021: Added the lists of products under investigation. Updated the list of vulnerable products.
November 25 2021: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products:
November 2021
Priority: High
Advisory ID: cisco-sa-apache-httpd-2.4.49-VWL69sWQ
First Published: 2021 November 24 16:00 GMT
Last Updated: 2022 January 20 22:52 GMT
Version 1.8: Interim
Workarounds: Yes
CVE Names: CVE-2021-33193 CVE-2021-34798 CVE-2021-36160 CVE-2021-39275
CVE-2021-40438
CWEs: CWE-120 CWE-125 CWE-476 More...
Summary
o On September 16, 2021, the Apache Software Foundation disclosed five
vulnerabilities affecting the Apache HTTP Server (httpd) 2.4.48 and earlier
releases.
For a description of these vulnerabilities, see the Apache HTTP Server
2.4.49 section of the Apache HTTP Server 2.4 vulnerabilities webpage.
This advisory will be updated as additional information becomes available.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ
Affected Products
o Cisco is investigating its product line to determine which products may be
affected by these vulnerabilities. As the investigation progresses, Cisco
will update this advisory with information about affected products.
The Vulnerable Products section includes Cisco bug IDs for each product.
The bugs will be accessible through the Cisco Bug Search Tool and will
contain additional platform-specific information, including workarounds (if
available) and fixed software releases.
Products Under Investigation
At this time, there are no products under active investigation. Cisco
continues to monitor this situation and will update this document as
information becomes available.
Vulnerable Products
The following table lists Cisco products that are affected by one or more
of the vulnerabilities that are described in this advisory. If a future
release date is indicated for software, the date provided represents an
estimate based on all information known to Cisco as of the Last Updated
date at the top of the advisory. Availability dates are subject to change
based on a number of factors, including satisfactory testing results and
delivery of other priority features and fixes. If no version or date is
listed for an affected component (indicated by a blank field and/or an
advisory designation of Interim), Cisco is continuing to evaluate the fix
and will update the advisory as additional information becomes available.
After the advisory is marked Final, customers should refer to the
associated Cisco bug(s) for further details.
Product Cisco Bug Fixed Release
ID Availability
Network Application, Service, and Acceleration
Cisco Cloud Services Platform 2100 CSCwa33065 2.8.2 (Apr 2022)
Cisco Wide Area Application Services (WAAS) CSCwa33076 6.4.5d (Apr 2022)
Network and Content Security Devices
2.9.1 (available)
Cisco FXOS Software for Firepower 4100/9300 CSCvz91266 2.10.1 (available)
Series Appliances 2.11.1 (available)
2.12.1 (Apr 2022)
Cisco Firepower Management Center ^1 CSCvz91270 7.0.2 (May 2022)
7.1.0.1 (May 2022)
Cisco Firepower Next-Generation Intrusion CSCwa15291 6.4.0.14 (May 2022)
Prevention System (NGIPS) ^1 6.6.7 (Mar 2022)
Cisco Firepower Threat Defense (FTD) managed CSCwa15291 6.4.0.14 (May 2022)
by Cisco Firepower Management Center ^1 6.6.7 (Mar 2022)
Network Management and Provisioning
Cisco Policy Suite ^1 CSCwa33078 22.1 (Mar 2022)
Cisco Prime Collaboration Provisioning CSCwa33069 None planned
Cisco Prime Infrastructure CSCvz83342 3.10 (available)
Cisco Prime Optical for Service Providers CSCwa33067 Contact Cisco TAC
for upgrade options
Cisco Security Manager CSCwa33073 4.25 (Jun 2022)
Routing and Switching - Enterprise and Service Provider
Cisco Network Assurance Engine ^1 CSCwa16137 6.0.1 (available)
Unified Computing
Cisco UCS Central Software CSCwa33066
Cisco UCS Director Bare Metal Agent ^1 CSCwa33064 6.8.1.1 (Feb 2022)
Cisco UCS Manager CSCwa33718
Video, Streaming, TelePresence, and Transcoding Devices
14.0.4 (available)
Cisco Expressway Series CSCwa01545 14.1 (future
release)
3.5 (May 2022)
Cisco Meeting Server CSCwa58708 3.4 (Feb 2022)
3.3 (Mar 2022)
3.2 (Mar 2022)
Cisco TelePresence Video Communication 14.0.4 (available)
Server (VCS) CSCwa01545 14.1 (future
release)
Wireless
Cisco Wireless Gateway for LoRaWAN CSCwa33724 2.3.1 (Mar 2022)
Cisco Cloud Hosted Services
Cisco Smart Net Total Care - On-Premises CSCwa33060 2.2.1 (Mar 2022)
1. This product is vulnerable to CVE-2021-40438.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following
products:
Network Application, Service, and Acceleration
Cisco Nexus 1000VE Series Virtual Switch
Network and Content Security Devices
Cisco Secure Network Analytics, formerly Stealthwatch
Network Management and Provisioning
Cisco Prime Collaboration Assurance
Cisco Prime Network Services Controller
Cisco Virtual Topology System
Routing and Switching - Enterprise and Service Provider
Cisco DNA Center
Unified Computing
Cisco Virtual Security Gateway
Voice and Unified Communications Devices
Cisco Hosted Collaboration Mediation Fulfillment
Cisco SocialMiner
Cisco Unified Communications Domain Manager
Cisco Unified Communications Manager and Cisco Unified Communications
Manager Session Management Edition
Cisco Unified Communications Manager IM & Presence Service
Cisco Unified Contact Center Express
Video, Streaming, TelePresence, and Transcoding Devices
Cisco Video Surveillance Media Server
Cisco Cloud Hosted Services
Cisco Smart Software Manager On-Prem
Workarounds
o Any workarounds will be documented in the product-specific Cisco bugs,
which are identified in the Vulnerable Products section of this advisory.
Fixed Software
o For information about fixed software releases , consult the Cisco bugs
identified in the Vulnerable Products section of this advisory.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
The Cisco Product Security Incident Response Team (PSIRT) validates only
the fixed release information that is documented in this advisory.
Exploitation and Public Announcements
o In November 2021, the Cisco PSIRT became aware of exploitation attempts of
the vulnerability identified by CVE ID CVE-2021-40438.
Source
o These vulnerabilities were publicly disclosed by the Apache Software
Foundation on September 16, 2021.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ
Revision History
o +---------+-----------------------+---------------+---------+-------------+
| Version | Description | Section | Status | Date |
+---------+-----------------------+---------------+---------+-------------+
| | Updated the summary. | Summary, | | |
| | Updated the lists of | Affected | | |
| | products under | Products, | | |
| 1.8 | investigation, | Vulnerable | Interim | 2022-JAN-20 |
| | vulnerable products, | Products, | | |
| | and products | Products | | |
| | confirmed not | Confirmed Not | | |
| | vulnerable. | Vulnerable | | |
+---------+-----------------------+---------------+---------+-------------+
| | Updated products | | | |
| | under investigation, | | | |
| | vulnerable products, | | | |
| | and products | | | |
| 1.7 | confirmed not | Affected | Interim | 2021-DEC-16 |
| | vulnerable. Corrected | Products | | |
| | fixed release | | | |
| | availability date for | | | |
| | Cisco Security | | | |
| | Manager. | | | |
+---------+-----------------------+---------------+---------+-------------+
| | Updated the lists of | Affected | | |
| | products under | Products, | | |
| | investigation, | Vulnerable | | |
| 1.6 | vulnerable products, | Products, | Interim | 2021-DEC-08 |
| | and products | Products | | |
| | confirmed not | Confirmed Not | | |
| | vulnerable. | Vulnerable | | |
+---------+-----------------------+---------------+---------+-------------+
| | Updated the lists of | Affected | | |
| 1.5 | products under | Products, | Interim | 2021-DEC-03 |
| | investigation and | Vulnerable | | |
| | vulnerable products. | Products | | |
+---------+-----------------------+---------------+---------+-------------+
| | Updated the lists of | Affected | | |
| | products under | Products, | | |
| | investigation, | Vulnerable | | |
| 1.4 | vulnerable products, | Products, | Interim | 2021-DEC-02 |
| | and products | Products | | |
| | confirmed not | Confirmed Not | | |
| | vulnerable. | Vulnerable | | |
+---------+-----------------------+---------------+---------+-------------+
| | Updated the lists of | Affected | | |
| | products under | Products, | | |
| | investigation, | Vulnerable | | |
| 1.3 | vulnerable products, | Products, | Interim | 2021-DEC-01 |
| | and products | Products | | |
| | confirmed not | Confirmed Not | | |
| | vulnerable. | Vulnerable | | |
+---------+-----------------------+---------------+---------+-------------+
| | Added the list of | Affected | | |
| | products confirmed | Products, | | |
| | not vulnerable. | Vulnerable | | |
| 1.2 | Updated the lists of | Products, | Interim | 2021-NOV-26 |
| | vulnerable products | Products | | |
| | and products under | Confirmed Not | | |
| | investigation. | Vulnerable | | |
+---------+-----------------------+---------------+---------+-------------+
| | Added the list of | Affected | | |
| | products under | Products and | | |
| 1.1 | investigation. | Vulnerable | Interim | 2021-NOV-25 |
| | Updated the list of | Products | | |
| | vulnerable products. | | | |
+---------+-----------------------+---------------+---------+-------------+
| 1.0 | Initial public | - | Interim | 2021-NOV-24 |
| | release. | | | |
+---------+-----------------------+---------------+---------+-------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYfNj8eNLKJtyKPYoAQg5wg//Saxoq2HqDvP9QWgVZDjF48A5n8Iq9+jw
njp4/OGdNaqRDRLJyhS5dB08/O94StDXxMkcO94gPBrO2tYQuSYsoEyyto3AsNvv
9IkXB8uyc03n8ffUi5k0lfYG7TQoq8U0Ze8jKg6sPs3xTgW1Hhkwgqvxa86azCGs
8B1Pcn+4Xr7ZwTCjmjBHO/U7l14i5nuncRPXRM5DpJzb5nJ/3OSdsvCrJrqa2pRN
owH2rrrRy1O0mhmfnejerfZ7gEpHRGXvhyZ42ScmLSR+l8/Id74W6wa9THbuz80t
ZWp8QMFY/FdNPx1ucOhJgzsycHS/AKpfnTp7u1auOBRw4BJ5FUkbldZFz3jxSjL3
x8I58FQoo1RiMcpbnZZ5nGPtZszsGl61TWAG5je8zEyjGfWCquoaXQVkYhbs+xHf
VYaD68e3fuOZkB55E3CkaxfEKrrlDdLmCngtE/80D730oDCuLCdiXK7065wqodam
GCA8/qfY9SMI9rdKrJNCN345z0x38qYWzTZHNbfQgBfue6cv22dhr6J6svE8Vm7V
OqudHzYyno1Y0H3wlggCe10pgr0QYJcBQuPdOOWcXoNcuBdtzp2r5uYnDsvROgXP
uxnXZAFsfe6i3iqUwddrlmDSub3WTXCq5YlADCSOoTWyEDQViEmE2PqqJRCW6Hrr
adBLoUt5RDE=
=W2vM
-----END PGP SIGNATURE-----