-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2022.5478.8
       OpenSSL Project Notification on Critical Vulnerability Fixed
                             in Version 3.0.7
                             23 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Products
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-3786 CVE-2022-3602 

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a

Comment: CVSS (Max):  7.5 CVE-2022-3786 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Revision History:  December 23 2022: Vendor updated bulletin
                   November 25 2022: Updated the CVSS score
                   November 24 2022: Vendor updated vulnerable products
                   November  9 2022: Vendor updated bulletin
                   November  7 2022: Vendor Updated bulletin
                   November  3 2022: Vendor updated bulletin
                   November  2 2022: Cisco updated advisory with CVE details and Products Under Investigation
                   November  1 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022

Priority:        High
Advisory ID:     cisco-sa-openssl-W9sdCc2a
First Published: 2022 October 28 16:00 GMT
Last Updated:    2022 November 23 20:23 GMT
Version 1.6:     Final
Workarounds:     No workarounds available
CVE Names:       CVE-2022-3602 CVE-2022-3786

Summary

  o On November 1, 2022, the OpenSSL Project announced the following
    vulnerabilities:

       CVE-2022-3602 - X.509 Email Address 4-byte Buffer Overflow
       CVE-2022-3786 - X.509 Email Address Variable Length Buffer Overflow

    For a description of these vulnerabilities, see OpenSSL Security Advisory
    [Nov 1 2022] .

    This advisory is available at the following link:
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a

Affected Products

  o Cisco investigated its product line to determine which products and cloud
    services may be affected by these vulnerabilities. OpenSSL 3.x is not
    widely used in Cisco products and cloud offers, and only products that may
    contain the affected software are listed in this advisory. If a product or
    cloud offer is not explicitly listed in this advisory, it is not
    vulnerable.

    Vulnerable Products

    The following table lists Cisco products that are affected by one or more
    of the vulnerabilities that are described in this advisory. If a future
    release date is indicated for software, the date provided represents an
    estimate based on all information known to Cisco as of the Last Updated
    date at the top of the advisory. Availability dates are subject to change
    based on a number of factors, including satisfactory testing results and
    delivery of other priority features and fixes. If no version or date is
    listed for an affected component (indicated by a blank field and/or an
    advisory designation of Interim), Cisco is continuing to evaluate the fix
    and will update the advisory as additional information becomes available.
    After the advisory is marked Final, customers should refer to the
    associated Cisco bug(s) for further details.

                   Product                 Cisco Bug        Fixed Release
                                               ID           Availability

                       Endpoint Clients and Client Software

                                                      ScienceLogic Application
                                                      Software 3.0.1 (Nov 2022)
                                                      HPNA Application Software
                                                      2.0.1 (Nov 2022)
    Operational Insights Collector         CSCwd44110 APIC Application Software
                                                      3.0.1 (Nov 2022)
                                                      SolarWinds Application
                                                      Software 3.0.1 (Nov 2022)
                                                      Syslog Collector 2.0.1
                                                      (Nov 2022)

                        Network Management and Provisioning

    IoT Field Network Director, formerly              4.8.1 (Available)
    Connected Grid Network Management      CSCwd44112 4.9.0 (Available)
    System                                            5.0.0 (May 2023)


    Products Confirmed Not Vulnerable

    Only products that may contain the affected software are listed in this
    advisory. If a product or cloud offer is not explicitly listed in this
    advisory, it is not vulnerable.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

    Network and Content Security Devices

       Identity Services Engine (ISE)
       Secure Network Analytics, formerly Stealthwatch

    Network Management and Provisioning

       Application Policy Infrastructure Controller (APIC)
       Cisco Container Platform
       Data Center Network Manager (DCNM)
       Elastic Services Controller (ESC)
       Evolved Programmable Network Manager
       Nexus Dashboard, formerly Application Services Engine
       Prime Infrastructure

    Routing and Switching - Enterprise and Service Provider

       SD-WAN vAnalytics
       SD-WAN vManage
       Ultra Cloud Core - Network Respository Function
       Ultra Cloud Core - Policy Control Function
       Ultra Cloud Core - Redundancy Configuration Manager
       Ultra Cloud Core - Subscriber Microservices Infrastructure
       Ultra Cloud Core - User Plane Function

    Unified Computing

       HyperFlex System
       UCS Blade Server - Integrated Management Controller
       UCS Manager

    Cisco Cloud Offerings

    Cisco investigated its cloud offers to determine which products may be
    affected by these vulnerabilities. The following table lists Cisco cloud
    offers that are under investigation. Only cloud offers known to possibly be
    affected are listed. If a cloud offer is not explicitly listed in this
    advisory, it is not vulnerable.

                  Product                Disposition
    AppDynamics                          Not affected
    CX Cloud                             Not affected
    Duo                                  Not affected
    Intersight                           Not affected
    Meraki                               Not affected
    SD-WAN                               Not affected
    SecureX                              Not affected
    ThousandEyes                         Not affected
    Umbrella                             Not affected
    Unified Communications Manager Cloud Not affected
    Webex Calling                        Not affected
    Webex Cloud-Connected UC             Not affected
    Webex Contact Center                 Not affected
    Webex Teams                          Not affected



Workarounds

  o Any workarounds for a specific Cisco product or service will be documented
    in the relevant Cisco bugs, which are identified in the Vulnerable Products
    section of this advisory.

Fixed Software

  o For information about fixed software releases , consult the Cisco bugs
    identified in the Vulnerable Products section of this advisory.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any malicious use of the vulnerabilities that are described in this
    advisory.

Source

  o These vulnerabilities were publicly disclosed by the OpenSSL Software
    Foundation on November 1, 2022.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

Action Links for This Advisory

  o Snort Rule 60790
    Snort Rule 300307
    Snort Rule 300306

Related to This Advisory

  o 

URL

  o https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a

Revision History

  o +---------+-----------------------+---------------+---------+-------------+
    | Version |      Description      |    Section    | Status  |    Date     |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated vulnerable    |               |         |             |
    | 1.6     | products and products | Affected      | Final   | 2022-NOV-23 |
    |         | confirmed not         | Products      |         |             |
    |         | vulnerable.           |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Update summary,       | Summary,      |         |             |
    | 1.5     | affected products,    | Affected      | Final   | 2022-NOV-08 |
    |         | and disposition of    | Products      |         |             |
    |         | cloud offers.         |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Update affected       |               |         |             |
    | 1.4     | products and          | Affected      | Interim | 2022-NOV-04 |
    |         | disposition of cloud  | Products      |         |             |
    |         | offers.               |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Update products under |               |         |             |
    |         | investigation,        |               |         |             |
    | 1.3     | vulnerable products,  | Affected      | Interim | 2022-NOV-03 |
    |         | and products          | Products      |         |             |
    |         | confirmed not         |               |         |             |
    |         | vulnerable.           |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Update products under |               |         |             |
    | 1.2     | investigation and     | Affected      | Interim | 2022-NOV-02 |
    |         | products confirmed    | Products      |         |             |
    |         | not vulnerable.       |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         |                       | Summary,      |         |             |
    |         |                       | Affected      |         |             |
    | 1.1     | Update with OpenSSL   | Products,     | Interim | 2022-NOV-01 |
    |         | public announcement.  | Fixed         |         |             |
    |         |                       | Software, and |         |             |
    |         |                       | Source        |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    | 1.0     | Initial public        | -             | Interim | 2022-OCT-28 |
    |         | release.              |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+

Legal Disclaimer

  o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY6UY8MkNZI30y1K9AQjPfhAAvOfipKszwncx5VfaMx/jy0bqcudZc+Gq
/dfK+nT95T5bxR/oEqgl950veBOlQ3xwsKnuvdSmZDLWEiG51oGrNEg8Mv+83xtY
CrH0ySS17LnNXhL+7izz5KziNrPdbKh3CID1QEjmYAqEraTbwbrBwMdViOwY8eEl
bFWeP0yrDYKqk3iEg0dsvtzMHPwumL75QoEFFcRc1KuQ+zC8rtD4XVlqDfS9ZKak
APlUEuovyyP72MRjTk4o0wlSAN97ADGR7iVlssuAzvdov9dVdqIy++vWFpLPtfnN
GZ6i2+cSkyWzENW5KBHsqvzZy1+kNTnpc78RCL++19dy06HVPBUItBJdMdmaUtQF
YhfDVLtV69NTP5vheP3XnuTs2onbgGulzYXb0FK4mDAbh0c2ZNn6F5XZtQpLcyBv
YwGqjzxjgqzwx5AdtwljzqlHOtaDo9YrvM5lj7ullnnb4JzSPt576KTHFJ6G7t8v
H5H9WW1UDORa/ATiZqtvFXO6/Hlk2RNXWz5m2PEoXyUSYDZAfGNhjaFdTiOvzeyn
OBe0d3nQAKjrx06xYUL14gFtNXOjkhshtocOQa+rtst40OFz0ZWDPmcll1a6Lwt1
koVSZJen+FS7hxsm/YLc019JVJJvwlx/7/TxNqVTELYTEjtrLW1g3znoYUh2gH+k
SUNNKO9QCX4=
=sssR
-----END PGP SIGNATURE-----