===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4004.8
   Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products:
                                 November 2021
                               28 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-40438 CVE-2021-39275 CVE-2021-36160
                   CVE-2021-34798 CVE-2021-33193
Reference:         ESB-2021.3591
                   ESB-2021.3341

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ

Revision History:  January 28 2022: Significant update of vendor advisory
                   December 21 2021: Update on vulnerable products
                   December 9 2021: Update on vulnerable products
                   December 3 2021: Updated the lists of products under
                                    investigation, vulnerable products, and
                                    products confirmed not vulnerable.
                   December 2 2021: Updated the lists of products under
                                    investigation, vulnerable products, and
                                    products confirmed not vulnerable.
                   November 29 2021: Added the list of products confirmed not
                                     vulnerable. Updated the lists of vulnerable
                                     products and products under investigation.
                   November 26 2021: Added the lists of products under
                                     investigation. Updated the list of
                                     vulnerable products.
                   November 25 2021: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021

Priority:        High
Advisory ID:     cisco-sa-apache-httpd-2.4.49-VWL69sWQ
First Published: 2021 November 24 16:00 GMT
Last Updated:    2022 January 20 22:52 GMT
Version 1.8:     Interim
Workarounds:     Yes
CVE Names:       CVE-2021-33193 CVE-2021-34798 CVE-2021-36160 CVE-2021-39275 CVE-2021-40438
CWEs:            CWE-120 CWE-125 CWE-476 More...

Summary

  o On September 16, 2021, the Apache Software Foundation disclosed five
    vulnerabilities affecting the Apache HTTP Server (httpd) 2.4.48 and earlier
    releases. For a description of these vulnerabilities, see the Apache HTTP
    Server 2.4.49 section of the Apache HTTP Server 2.4 vulnerabilities webpage.

    This advisory will be updated as additional information becomes available.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ

Affected Products

  o Cisco is investigating its product line to determine which products may be
    affected by these vulnerabilities. As the investigation progresses, Cisco
    will update this advisory with information about affected products.

    The Vulnerable Products section includes Cisco bug IDs for each product.
    The bugs will be accessible through the Cisco Bug Search Tool and will
    contain additional platform-specific information, including workarounds
    (if available) and fixed software releases.

    Products Under Investigation

    At this time, there are no products under active investigation. Cisco
    continues to monitor this situation and will update this document as
    information becomes available.

    Vulnerable Products

    The following table lists Cisco products that are affected by one or more
    of the vulnerabilities that are described in this advisory.

    If a future release date is indicated for software, the date provided
    represents an estimate based on all information known to Cisco as of the
    Last Updated date at the top of the advisory. Availability dates are
    subject to change based on a number of factors, including satisfactory
    testing results and delivery of other priority features and fixes. If no
    version or date is listed for an affected component (indicated by a blank
    field and/or an advisory designation of Interim), Cisco is continuing to
    evaluate the fix and will update the advisory as additional information
    becomes available. After the advisory is marked Final, customers should
    refer to the associated Cisco bug(s) for further details.

    +--------------------------------------------------+--------------+--------------------------------------+
    | Product                                          | Cisco Bug ID | Fixed Release Availability           |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Network Application, Service, and Acceleration                                                         |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Cisco Cloud Services Platform 2100               | CSCwa33065   | 2.8.2 (Apr 2022)                     |
    | Cisco Wide Area Application Services (WAAS)      | CSCwa33076   | 6.4.5d (Apr 2022)                    |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Network and Content Security Devices                                                                   |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Cisco FXOS Software for Firepower 4100/9300      | CSCvz91266   | 2.9.1 (available)                    |
    | Series Appliances                                |              | 2.10.1 (available)                   |
    |                                                  |              | 2.11.1 (available)                   |
    |                                                  |              | 2.12.1 (Apr 2022)                    |
    | Cisco Firepower Management Center ^1             | CSCvz91270   | 7.0.2 (May 2022)                     |
    |                                                  |              | 7.1.0.1 (May 2022)                   |
    | Cisco Firepower Next-Generation Intrusion        | CSCwa15291   | 6.4.0.14 (May 2022)                  |
    | Prevention System (NGIPS) ^1                     |              | 6.6.7 (Mar 2022)                     |
    | Cisco Firepower Threat Defense (FTD) managed by  | CSCwa15291   | 6.4.0.14 (May 2022)                  |
    | Cisco Firepower Management Center ^1             |              | 6.6.7 (Mar 2022)                     |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Network Management and Provisioning                                                                    |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Cisco Policy Suite ^1                            | CSCwa33078   | 22.1 (Mar 2022)                      |
    | Cisco Prime Collaboration Provisioning           | CSCwa33069   | None planned                         |
    | Cisco Prime Infrastructure                       | CSCvz83342   | 3.10 (available)                     |
    | Cisco Prime Optical for Service Providers        | CSCwa33067   | Contact Cisco TAC for upgrade options |
    | Cisco Security Manager                           | CSCwa33073   | 4.25 (Jun 2022)                      |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Routing and Switching - Enterprise and Service Provider                                                |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Cisco Network Assurance Engine ^1                | CSCwa16137   | 6.0.1 (available)                    |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Unified Computing                                                                                      |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Cisco UCS Central Software                       | CSCwa33066   |                                      |
    | Cisco UCS Director Bare Metal Agent ^1           | CSCwa33064   | 6.8.1.1 (Feb 2022)                   |
    | Cisco UCS Manager                                | CSCwa33718   |                                      |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Video, Streaming, TelePresence, and Transcoding Devices                                                |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Cisco Expressway Series                          | CSCwa01545   | 14.0.4 (available)                   |
    |                                                  |              | 14.1 (future release)                |
    | Cisco Meeting Server                             | CSCwa58708   | 3.5 (May 2022)                       |
    |                                                  |              | 3.4 (Feb 2022)                       |
    |                                                  |              | 3.3 (Mar 2022)                       |
    |                                                  |              | 3.2 (Mar 2022)                       |
    | Cisco TelePresence Video Communication Server    | CSCwa01545   | 14.0.4 (available)                   |
    | (VCS)                                            |              | 14.1 (future release)                |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Wireless                                                                                               |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Cisco Wireless Gateway for LoRaWAN               | CSCwa33724   | 2.3.1 (Mar 2022)                     |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Cisco Cloud Hosted Services                                                                            |
    +--------------------------------------------------+--------------+--------------------------------------+
    | Cisco Smart Net Total Care - On-Premises         | CSCwa33060   | 2.2.1 (Mar 2022)                     |
    +--------------------------------------------------+--------------+--------------------------------------+

    1. This product is vulnerable to CVE-2021-40438.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect the following
    products:

    Network Application, Service, and Acceleration
      - Cisco Nexus 1000VE Series Virtual Switch

    Network and Content Security Devices
      - Cisco Secure Network Analytics, formerly Stealthwatch

    Network Management and Provisioning
      - Cisco Prime Collaboration Assurance
      - Cisco Prime Network Services Controller
      - Cisco Virtual Topology System

    Routing and Switching - Enterprise and Service Provider
      - Cisco DNA Center

    Unified Computing
      - Cisco Virtual Security Gateway

    Voice and Unified Communications Devices
      - Cisco Hosted Collaboration Mediation Fulfillment
      - Cisco SocialMiner
      - Cisco Unified Communications Domain Manager
      - Cisco Unified Communications Manager and Cisco Unified Communications
        Manager Session Management Edition
      - Cisco Unified Communications Manager IM & Presence Service
      - Cisco Unified Contact Center Express

    Video, Streaming, TelePresence, and Transcoding Devices
      - Cisco Video Surveillance Media Server

    Cisco Cloud Hosted Services
      - Cisco Smart Software Manager On-Prem

Workarounds

  o Any workarounds will be documented in the product-specific Cisco bugs,
    which are identified in the Vulnerable Products section of this advisory.

Fixed Software

  o For information about fixed software releases, consult the Cisco bugs
    identified in the Vulnerable Products section of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    The Cisco Product Security Incident Response Team (PSIRT) validates only
    the fixed release information that is documented in this advisory.

Exploitation and Public Announcements

  o In November 2021, the Cisco PSIRT became aware of exploitation attempts of
    the vulnerability identified by CVE ID CVE-2021-40438.

Source

  o These vulnerabilities were publicly disclosed by the Apache Software
    Foundation on September 16, 2021.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ

Revision History

  o +---------+-------------+---------+-----------------------------------------+------------------------------------------------------------+
    | Version | Date        | Status  | Section                                 | Description                                                |
    +---------+-------------+---------+-----------------------------------------+------------------------------------------------------------+
    | 1.8     | 2022-JAN-20 | Interim | Summary, Affected Products, Vulnerable  | Updated the summary. Updated the lists of products under   |
    |         |             |         | Products, Products Confirmed Not        | investigation, vulnerable products, and products confirmed |
    |         |             |         | Vulnerable                              | not vulnerable.                                            |
    | 1.7     | 2021-DEC-16 | Interim | Affected Products                       | Updated products under investigation, vulnerable products, |
    |         |             |         |                                         | and products confirmed not vulnerable. Corrected fixed     |
    |         |             |         |                                         | release availability date for Cisco Security Manager.      |
    | 1.6     | 2021-DEC-08 | Interim | Affected Products, Vulnerable Products, | Updated the lists of products under investigation,         |
    |         |             |         | Products Confirmed Not Vulnerable       | vulnerable products, and products confirmed not vulnerable.|
    | 1.5     | 2021-DEC-03 | Interim | Affected Products, Vulnerable Products  | Updated the lists of products under investigation and      |
    |         |             |         |                                         | vulnerable products.                                       |
    | 1.4     | 2021-DEC-02 | Interim | Affected Products, Vulnerable Products, | Updated the lists of products under investigation,         |
    |         |             |         | Products Confirmed Not Vulnerable       | vulnerable products, and products confirmed not vulnerable.|
    | 1.3     | 2021-DEC-01 | Interim | Affected Products, Vulnerable Products, | Updated the lists of products under investigation,         |
    |         |             |         | Products Confirmed Not Vulnerable       | vulnerable products, and products confirmed not vulnerable.|
    | 1.2     | 2021-NOV-26 | Interim | Affected Products, Vulnerable Products, | Added the list of products confirmed not vulnerable.       |
    |         |             |         | Products Confirmed Not Vulnerable       | Updated the lists of vulnerable products and products      |
    |         |             |         |                                         | under investigation.                                       |
    | 1.1     | 2021-NOV-25 | Interim | Affected Products and Vulnerable        | Added the list of products under investigation. Updated    |
    |         |             |         | Products                                | the list of vulnerable products.                           |
    | 1.0     | 2021-NOV-24 | Interim | -                                       | Initial public release.                                    |
    +---------+-------------+---------+-----------------------------------------+------------------------------------------------------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.