Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5478.8 OpenSSL Project Notification on Critical Vulnerability Fixed in Version 3.0.7 23 December 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Products Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-3786 CVE-2022-3602 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a Comment: CVSS (Max): 7.5 CVE-2022-3786 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Revision History: December 23 2022: Vendor updated bulletin November 25 2022: Updated the CVSS score November 24 2022: Vendor updated vulnerable products November 9 2022: Vendor updated bulletin November 7 2022: Vendor Updated bulletin November 3 2022: Vendor updated bulletin November 2 2022: Cisco updated advisory with CVE details and Products Under Investigation November 1 2022: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022 Priority: High Advisory ID: cisco-sa-openssl-W9sdCc2a First Published: 2022 October 28 16:00 GMT Last Updated: 2022 November 23 20:23 GMT Version 1.6: Final Workarounds: No workarounds available CVE Names: CVE-2022-3602 CVE-2022-3786 Summary o On November 1, 2022, the OpenSSL Project announced the following vulnerabilities: CVE-2022-3602 - X.509 Email Address 4-byte Buffer Overflow CVE-2022-3786 - X.509 Email Address Variable Length Buffer Overflow For a description of these vulnerabilities, see OpenSSL Security Advisory [Nov 1 2022] . This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a Affected Products o Cisco investigated its product line to determine which products and cloud services may be affected by these vulnerabilities. OpenSSL 3.x is not widely used in Cisco products and cloud offers, and only products that may contain the affected software are listed in this advisory. If a product or cloud offer is not explicitly listed in this advisory, it is not vulnerable. Vulnerable Products The following table lists Cisco products that are affected by one or more of the vulnerabilities that are described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Cisco is continuing to evaluate the fix and will update the advisory as additional information becomes available. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details. Product Cisco Bug Fixed Release ID Availability Endpoint Clients and Client Software ScienceLogic Application Software 3.0.1 (Nov 2022) HPNA Application Software 2.0.1 (Nov 2022) Operational Insights Collector CSCwd44110 APIC Application Software 3.0.1 (Nov 2022) SolarWinds Application Software 3.0.1 (Nov 2022) Syslog Collector 2.0.1 (Nov 2022) Network Management and Provisioning IoT Field Network Director, formerly 4.8.1 (Available) Connected Grid Network Management CSCwd44112 4.9.0 (Available) System 5.0.0 (May 2023) Products Confirmed Not Vulnerable Only products that may contain the affected software are listed in this advisory. If a product or cloud offer is not explicitly listed in this advisory, it is not vulnerable. Cisco has confirmed that this vulnerability does not affect the following Cisco products: Network and Content Security Devices Identity Services Engine (ISE) Secure Network Analytics, formerly Stealthwatch Network Management and Provisioning Application Policy Infrastructure Controller (APIC) Cisco Container Platform Data Center Network Manager (DCNM) Elastic Services Controller (ESC) Evolved Programmable Network Manager Nexus Dashboard, formerly Application Services Engine Prime Infrastructure Routing and Switching - Enterprise and Service Provider SD-WAN vAnalytics SD-WAN vManage Ultra Cloud Core - Network Respository Function Ultra Cloud Core - Policy Control Function Ultra Cloud Core - Redundancy Configuration Manager Ultra Cloud Core - Subscriber Microservices Infrastructure Ultra Cloud Core - User Plane Function Unified Computing HyperFlex System UCS Blade Server - Integrated Management Controller UCS Manager Cisco Cloud Offerings Cisco investigated its cloud offers to determine which products may be affected by these vulnerabilities. The following table lists Cisco cloud offers that are under investigation. Only cloud offers known to possibly be affected are listed. If a cloud offer is not explicitly listed in this advisory, it is not vulnerable. Product Disposition AppDynamics Not affected CX Cloud Not affected Duo Not affected Intersight Not affected Meraki Not affected SD-WAN Not affected SecureX Not affected ThousandEyes Not affected Umbrella Not affected Unified Communications Manager Cloud Not affected Webex Calling Not affected Webex Cloud-Connected UC Not affected Webex Contact Center Not affected Webex Teams Not affected Workarounds o Any workarounds for a specific Cisco product or service will be documented in the relevant Cisco bugs, which are identified in the Vulnerable Products section of this advisory. Fixed Software o For information about fixed software releases , consult the Cisco bugs identified in the Vulnerable Products section of this advisory. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerabilities that are described in this advisory. Source o These vulnerabilities were publicly disclosed by the OpenSSL Software Foundation on November 1, 2022. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Subscribe to Cisco Security Notifications o Subscribe Action Links for This Advisory o Snort Rule 60790 Snort Rule 300307 Snort Rule 300306 Related to This Advisory o URL o https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a Revision History o +---------+-----------------------+---------------+---------+-------------+ | Version | Description | Section | Status | Date | +---------+-----------------------+---------------+---------+-------------+ | | Updated vulnerable | | | | | 1.6 | products and products | Affected | Final | 2022-NOV-23 | | | confirmed not | Products | | | | | vulnerable. | | | | +---------+-----------------------+---------------+---------+-------------+ | | Update summary, | Summary, | | | | 1.5 | affected products, | Affected | Final | 2022-NOV-08 | | | and disposition of | Products | | | | | cloud offers. | | | | +---------+-----------------------+---------------+---------+-------------+ | | Update affected | | | | | 1.4 | products and | Affected | Interim | 2022-NOV-04 | | | disposition of cloud | Products | | | | | offers. | | | | +---------+-----------------------+---------------+---------+-------------+ | | Update products under | | | | | | investigation, | | | | | 1.3 | vulnerable products, | Affected | Interim | 2022-NOV-03 | | | and products | Products | | | | | confirmed not | | | | | | vulnerable. | | | | +---------+-----------------------+---------------+---------+-------------+ | | Update products under | | | | | 1.2 | investigation and | Affected | Interim | 2022-NOV-02 | | | products confirmed | Products | | | | | not vulnerable. | | | | +---------+-----------------------+---------------+---------+-------------+ | | | Summary, | | | | | | Affected | | | | 1.1 | Update with OpenSSL | Products, | Interim | 2022-NOV-01 | | | public announcement. | Fixed | | | | | | Software, and | | | | | | Source | | | +---------+-----------------------+---------------+---------+-------------+ | 1.0 | Initial public | - | Interim | 2022-OCT-28 | | | release. | | | | +---------+-----------------------+---------------+---------+-------------+ Legal Disclaimer o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY6UY8MkNZI30y1K9AQjPfhAAvOfipKszwncx5VfaMx/jy0bqcudZc+Gq /dfK+nT95T5bxR/oEqgl950veBOlQ3xwsKnuvdSmZDLWEiG51oGrNEg8Mv+83xtY CrH0ySS17LnNXhL+7izz5KziNrPdbKh3CID1QEjmYAqEraTbwbrBwMdViOwY8eEl bFWeP0yrDYKqk3iEg0dsvtzMHPwumL75QoEFFcRc1KuQ+zC8rtD4XVlqDfS9ZKak APlUEuovyyP72MRjTk4o0wlSAN97ADGR7iVlssuAzvdov9dVdqIy++vWFpLPtfnN GZ6i2+cSkyWzENW5KBHsqvzZy1+kNTnpc78RCL++19dy06HVPBUItBJdMdmaUtQF YhfDVLtV69NTP5vheP3XnuTs2onbgGulzYXb0FK4mDAbh0c2ZNn6F5XZtQpLcyBv YwGqjzxjgqzwx5AdtwljzqlHOtaDo9YrvM5lj7ullnnb4JzSPt576KTHFJ6G7t8v H5H9WW1UDORa/ATiZqtvFXO6/Hlk2RNXWz5m2PEoXyUSYDZAfGNhjaFdTiOvzeyn OBe0d3nQAKjrx06xYUL14gFtNXOjkhshtocOQa+rtst40OFz0ZWDPmcll1a6Lwt1 koVSZJen+FS7hxsm/YLc019JVJJvwlx/7/TxNqVTELYTEjtrLW1g3znoYUh2gH+k SUNNKO9QCX4= =sssR -----END PGP SIGNATURE-----