             AUSCERT External Security Bulletin Redistribution

       OpenSSL Project Notification on Critical Vulnerability Fixed
                             in Version 3.0.7
                             25 November 2022


        AusCERT Security Bulletin Summary

Product:           Cisco Products
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        None
CVE Names:         CVE-2022-3786 CVE-2022-3602 

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a
Comment: CVSS (Max):  7.5 CVE-2022-3786 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Revision History:  November 25 2022: Updated the CVSS score
                   November 24 2022: Vendor updated vulnerable products
                   November  9 2022: Vendor updated bulletin
                   November  7 2022: Vendor updated bulletin
                   November  3 2022: Vendor updated bulletin
                   November  2 2022: Cisco updated advisory with CVE details and Products Under Investigation
                   November  1 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022

Priority:        High
Advisory ID:     cisco-sa-openssl-W9sdCc2a
First Published: 2022 October 28 16:00 GMT
Last Updated:    2022 November 8 20:57 GMT
Version 1.5:     Final
Workarounds:     No workarounds available
CVE Names:       CVE-2022-3602 CVE-2022-3786


  o On November 1, 2022, the OpenSSL Project announced the following vulnerabilities:

       CVE-2022-3602 - X.509 Email Address 4-byte Buffer Overflow
       CVE-2022-3786 - X.509 Email Address Variable Length Buffer Overflow

    For a description of these vulnerabilities, see OpenSSL Security Advisory
    [Nov 1 2022].

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a
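A version check a practitioner would run on hosts that ship their own OpenSSL, added here as an example; it is not part of the Cisco advisory or of the OpenSSL project's code. It takes the fixed release from the bulletin title (3.0.7) and the affected range from the OpenSSL advisory (3.0.0 through 3.0.6; the 1.1.1 and 1.0.2 series are not affected). The function names and the sample banners are this example's own.

```python
"""
Added example (not from the Cisco/AusCERT bulletin): decide from an
`openssl version` banner whether the build falls in the range fixed by
OpenSSL 3.0.7 (CVE-2022-3602 / CVE-2022-3786).

Assumption, taken from the OpenSSL advisory: affected releases are 3.0.0
through 3.0.6; the 1.1.1 and 1.0.2 series are not affected.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Matches banners such as "OpenSSL 3.0.5 5 Jul 2022 (Library: ...)" or
# "OpenSSL 1.1.1q  5 Jul 2022".  The optional trailing letter is the patch
# letter used by the 1.x series; 3.x uses a plain numeric patch level.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")

FIXED_IN = (3, 0, 7)  # release named in the bulletin title


def parse_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, letter) from an `openssl version` banner,
    or None if it is not an OpenSSL banner (LibreSSL, BoringSSL, garbage)."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner names an OpenSSL 3.0.x release before 3.0.7,
    False if it names a release outside the affected range,
    None if the banner is not recognised as OpenSSL at all."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    major, minor, patch, _letter = parsed
    # Only the 3.0 series is in scope for these two CVEs (OpenSSL advisory);
    # 1.1.1, 1.0.2 and later 3.x minors are out of range.
    if (major, minor) != (3, 0):
        return False
    return (major, minor, patch) < FIXED_IN


def local_openssl_banner() -> Optional[str]:
    """Run the system `openssl version` if the binary exists, else None.
    Caveat: applications and appliances frequently bundle or statically link
    their own OpenSSL, so this only tells you about the CLI's library."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    out = subprocess.run([exe, "version"], capture_output=True, text=True, check=False)
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample banners for the demonstration.
    samples = [
        "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
        "OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSL 1.1.1q  5 Jul 2022",
        "LibreSSL 3.3.6",
    ]
    banner = local_openssl_banner()
    if banner:
        samples.insert(0, banner)
    for b in samples:
        print(f"{b!r:70} affected={is_affected(b)}")
```

The caveat in `local_openssl_banner` is the reason Cisco enumerates affected products rather than pointing customers at the host library: a clean `openssl version` on a management station says nothing about the OpenSSL statically linked into an appliance image, so the product list and the associated Cisco bug remain the authoritative check.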
Affected Products

  o Cisco investigated its product line to determine which products and cloud
    services may be affected by these vulnerabilities. OpenSSL 3.x is not
    widely used in Cisco products and cloud offers, and only products that may
    contain the affected software are listed in this advisory. If a product or
    cloud offer is not explicitly listed in this advisory, it is not vulnerable.

    Vulnerable Products

    The following table lists Cisco products that are affected by one or more
    of the vulnerabilities that are described in this advisory. If a future
    release date is indicated for software, the date provided represents an
    estimate based on all information known to Cisco as of the Last Updated
    date at the top of the advisory. Availability dates are subject to change
    based on a number of factors, including satisfactory testing results and
    delivery of other priority features and fixes. If no version or date is
    listed for an affected component (indicated by a blank field and/or an
    advisory designation of Interim), Cisco is continuing to evaluate the fix
    and will update the advisory as additional information becomes available.
    After the advisory is marked Final, customers should refer to the
    associated Cisco bug(s) for further details.

    Product                                   Cisco Bug ID  Fixed Release Availability
    --------------------------------------------------------------------------------
    Network Management and Provisioning
    IoT Field Network Director, formerly      CSCwd44112    4.9.0 (Available)
    Connected Grid Network Management System                5.0.0 (May 2023)

    Products Confirmed Not Vulnerable

    Only products that may contain the affected software are listed in this
    advisory. If a product or cloud offer is not explicitly listed in this
    advisory, it is not vulnerable.

    Cisco has confirmed that these vulnerabilities do not affect the following
    Cisco products:

    Cable Devices

       Ultra Cloud Core - Network Repository Function
       Ultra Cloud Core - User Plane Function

    Network and Content Security Devices

       Identity Services Engine (ISE)
       Secure Network Analytics

    Network Management and Provisioning

       Application Policy Infrastructure Controller (APIC)
       Container Platform
       Data Center Network Manager (DCNM)
       Elastic Services Controller (ESC)
       Evolved Programmable Network Manager
       Nexus Dashboard, formerly known as Application Services Engine
       Prime Infrastructure

    Routing and Switching - Enterprise and Service Provider

       SD-WAN vAnalytics Software
       SD-WAN vManage Software
       Ultra Cloud Core - Policy Control Function
       Ultra Cloud Core - Redundancy Configuration Manager
       Ultra Cloud Core - Subscriber Microservices Infrastructure

    Unified Computing

       HyperFlex System
       UCS Blade Server - Integrated Management Controller
       UCS Manager

    Cisco Cloud Offerings

    Cisco investigated its cloud offers to determine which products may be
    affected by these vulnerabilities. The following table lists the Cisco
    cloud offers that were investigated and their final disposition. Only cloud
    offers that were considered possibly affected are listed. If a cloud offer
    is not explicitly listed in this advisory, it is not vulnerable.

                  Product                Disposition
    AppDynamics                          Not affected
    CX Cloud                             Not affected
    Duo                                  Not affected
    Intersight                           Not affected
    Meraki                               Not affected
    SD-WAN                               Not affected
    SecureX                              Not affected
    ThousandEyes                         Not affected
    Umbrella                             Not affected
    Unified Communications Manager Cloud Not affected
    Webex Calling                        Not affected
    Webex Cloud-Connected UC             Not affected
    Webex Contact Center                 Not affected
    Webex Teams                          Not affected


Workarounds

  o Any workarounds for a specific Cisco product or service will be documented
    in the relevant Cisco bugs, which are identified in the Vulnerable Products
    section of this advisory.

Fixed Software

  o For information about fixed software releases, consult the Cisco bugs
    identified in the Vulnerable Products section of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any malicious use of the vulnerabilities that are described in this
    advisory.


  o These vulnerabilities were publicly disclosed by the OpenSSL Software
    Foundation on November 1, 2022.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Action Links for This Advisory

  o Snort Rule 60790
  o Snort Rule 300307
  o Snort Rule 300306

Related to This Advisory

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a

Revision History

  o +---------+-----------------------+---------------+---------+-------------+
    | Version |      Description      |    Section    | Status  |    Date     |
    |         | Update summary,       | Summary,      |         |             |
    | 1.5     | affected products,    | Affected      | Final   | 2022-NOV-08 |
    |         | and disposition of    | Products      |         |             |
    |         | cloud offers.         |               |         |             |
    |         | Update affected       |               |         |             |
    | 1.4     | products and          | Affected      | Interim | 2022-NOV-04 |
    |         | disposition of cloud  | Products      |         |             |
    |         | offers.               |               |         |             |
    |         | Update products under |               |         |             |
    |         | investigation,        |               |         |             |
    | 1.3     | vulnerable products,  | Affected      | Interim | 2022-NOV-03 |
    |         | and products          | Products      |         |             |
    |         | confirmed not         |               |         |             |
    |         | vulnerable.           |               |         |             |
    |         | Update products under |               |         |             |
    | 1.2     | investigation and     | Affected      | Interim | 2022-NOV-02 |
    |         | products confirmed    | Products      |         |             |
    |         | not vulnerable.       |               |         |             |
    |         |                       | Summary,      |         |             |
    |         |                       | Affected      |         |             |
    | 1.1     | Update with OpenSSL   | Products,     | Interim | 2022-NOV-01 |
    |         | public announcement.  | Fixed         |         |             |
    |         |                       | Software, and |         |             |
    |         |                       | Source        |         |             |
    | 1.0     | Initial public        | -             | Interim | 2022-OCT-28 |
    |         | release.              |               |         |             |

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: https://auscert.org.au/gpg-key/