Related Vulnerabilities: CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180 CVE-2016-2181 CVE-2016-2182 CVE-2016-2183 CVE-2016-6302 CVE-2016-6303 CVE-2016-6304 CVE-2016-6305 CVE-2016-6306 CVE-2016-6307 CVE-2016-6308 CVE-2016-6309 CVE-2016-7052

On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as “Critical Severity,” one as “Moderate Severity,” and the other 12 as “Low Severity.” Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities. These vulnerabilities affect the OpenSSL versions that were released to address the vulnerabilities disclosed in the previous advisory. One of the new vulnerabilities was rated as “High Severity” and the other as “Moderate Severity.” Of the 16 released vulnerabilities: Fourteen track issues that could result in a denial of service (DoS) condition One (CVE-2016-2183, aka SWEET32) tracks an implementation of a Birthday attack against Transport Layer Security (TLS) block ciphers that use a 64-bit block size that could result in loss of confidentiality One (CVE-2016-2178) is a timing side-channel attack that, in specific circumstances, could allow an attacker to derive the private DSA key that belongs to another user or service running on the same system Five of the 16 vulnerabilities exclusively affect the recently released OpenSSL versions that are part of the 1.1.0 release series, which has not yet been integrated into any Cisco product. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl

Source

Summary

On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as “Critical Severity,” one as “Moderate Severity,” and the other 12 as “Low Severity.”

Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities. These vulnerabilities affect the OpenSSL versions that were released to address the vulnerabilities disclosed in the previous advisory. One of the new vulnerabilities was rated as “High Severity” and the other as “Moderate Severity.”

Of the 16 released vulnerabilities:
- Fourteen track issues that could result in a denial of service (DoS) condition
- One (CVE-2016-2183, aka SWEET32) tracks an implementation of a Birthday attack against Transport Layer Security (TLS) block ciphers that use a 64-bit block size that could result in loss of confidentiality
- One (CVE-2016-2178) is a timing side-channel attack that, in specific circumstances, could allow an attacker to derive the private DSA key that belongs to another user or service running on the same system
Five of the 16 vulnerabilities exclusively affect the recently released OpenSSL versions that are part of the 1.1.0 release series, which has not yet been integrated into any Cisco product.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl

Affected Products

Cisco investigated its product line to determine which products may be affected by these vulnerabilities and the impact on each affected product. Refer to the "Vulnerable Products" and "Products Confirmed Not Vulnerable" sections of this advisory for information about whether a product is affected.

The "Vulnerable Products" section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.

Vulnerable Products

Product	Cisco Bug ID	Fixed Release Availability
Cable Modems
Cisco IOS XE Software - Web user interface only	CSCvc32062
Collaboration and Social Media
Cisco SocialMiner	CSCvb50787
Cisco Unified MeetingPlace	CSCvb48712	8.6MR1 (14-Oct-2016)
Cisco WebEx Meetings Server Release 1.x	CSCvb48548	2.6.1.3xx (12-Oct-2016)
Cisco WebEx Meetings Server Release 2.x	CSCvb48548	2.6.1.3xx (12-Oct-2016)
Cisco WebEx Node for MCS	CSCvb48543	Affected versions will be updated (25-Oct-2016)
Endpoint Clients and Client Software
Cisco Agent for OpenFlow	CSCvb48661	No fix is expected.
Cisco AnyConnect Secure Mobility Client for Android	CSCvb48664	4.0.7 (31-Oct-2016)
Cisco AnyConnect Secure Mobility Client for Desktop Platforms	CSCvb48665	4.4 (30-Nov-2016) 4.3.4 (31-Dec-2016)
Cisco AnyConnect Secure Mobility Client for Linux	CSCvb48663	4.0.7 (31-Oct-2016)
Cisco AnyConnect Secure Mobility Client for Mac OS X	CSCvb48663	4.0.7 (31-Oct-2016)
Cisco AnyConnect Secure Mobility Client for Windows	CSCvb48663	4.0.7 (31-Oct-2016)
Cisco AnyConnect Secure Mobility Client for iOS	CSCvb48663	4.0.7 (31-Oct-2016)
Cisco Jabber Client Framework (JCF) Components	CSCvb45724	11.8.0 (15-Nov-2016)
Cisco Jabber Guest	CSCvb48710	11.0 (30-Nov-2016)
Cisco Jabber Software Development Kit	CSCvb47717	11.8.0 (15-Nov-2016)
Cisco Jabber for Android	CSCvb48725	11.8.0 1 (15-Nov-2016)
Cisco Jabber for Mac	CSCvb48290	11.8.0 (15-Nov-2016)
Cisco Jabber for Windows	CSCvb48708	11.8.0 (15-Nov-2016)
Cisco WebEx Business Suite	CSCvb48552
Cisco WebEx Meetings Client - Hosted	CSCvb48553	T32 (21-Nov-2016)
Cisco WebEx Meetings Client - On-Premises	CSCvb48547	T32 (1-Nov-2016)
Cisco WebEx Meetings Server - Multimedia Platform (MMP)	CSCvb48554	Affected versions have been updated.
Cisco WebEx Meetings for Android	CSCvb48544	Affected versions will be updated (31-Oct-2016)
Cisco WebEx Meetings for BlackBerry	CSCvb48545	Users need to Update BlackBerry OS
Cisco WebEx Meetings for Windows Phone 8	CSCvb48546	2.8 (11-Nov-2016)
Network Application, Service, and Acceleration
Cisco ACE 4710 Application Control Engine - Running Software Release A5	CSCvb48557	No fix is expected.
Cisco ACE30 Application Control Engine Module	CSCvb48557	No fix is expected.
Cisco Application and Content Networking System (ACNS)	CSCvb48634	No fix is expected.
Cisco InTracer	CSCvb48517	No fix is expected.
Cisco NAC Appliance - Clean Access Manager	CSCvb48635	No fix is expected.
Cisco Visual Quality Experience Server	CSCvb48633	Affected versions will be fixed (28-Oct-16)
Cisco Visual Quality Experience Tools Server	CSCvb48633	Affected versions will be fixed (28-Oct-16)
Cisco Wide Area Application Services (WAAS)	CSCvb48643	All affected versions fixed (11-Sept-2016)
Network and Content Security Devices
Cisco ASA Next-Generation Firewall Services	CSCvb48642	2.1.2 (Dec. 2016)
Cisco Adaptive Security Appliance (ASA)	CSCvb48640
Cisco Clean Access Manager	CSCvb48636	No fix is expected.
Cisco Content Security Appliance Update Servers	CSCvb48539	Affected versions will be updated (21-Oct-2016)
Cisco Content Security Management Appliance (SMA)	CSCvb48537	11.0.0-115
Cisco Email Security Appliance (ESA)	CSCvb48533	11.0 (Available)
Cisco FireSIGHT System Software	CSCvb48536	5.4.0.10 (5-Dec-2016) 5.4.1.9 (5-Dec-2016) 6.0.1.3 (21-Nov-2016) 6.1.0.1 (31-Oct-2016)
Cisco Identity Services Engine (ISE)	CSCvb48654
Cisco Intrusion Prevention System (IPS) Solutions	CSCvb48667	No fix is expected.
Cisco NAC Appliance - Clean Access Server	CSCvb48637	No fix is expected.
Cisco NAC Guest Server	CSCvb48638	No fix is expected.
Cisco Secure Access Control System (ACS)	CSCvb48662	5.8.0.32.7 (Jan-2017) 5.8.0.32.8 (Jan-2017)
Cisco Web Security Appliance (WSA)	CSCvb48542	Affected versions will be updated (1-May-2017)
Network Management and Provisioning
Cisco Application Networking Manager	CSCvb48558	No fix is expected.
Cisco Application Policy Infrastructure Controller (APIC)	CSCvb48563	2.2(1) (Jan-2017)
Cisco Cloupia Unified Infrastructure Controller	CSCvb48560	FB_MR1 (9-Dec-2016)
Cisco Digital Media Manager	CSCvb48609	5.3.6_RB3 (29-Oct-2016) 5.4.1_RB4 (29-Oct-2016)
Cisco Management Appliance	CSCvb48524	Affected versions will be fixed (25-Jan-2017)
Cisco Mobile Wireless Transport Manager	CSCvb48600	No fix is expected.
Cisco Multicast Manager	CSCvb48586	No fix is expected.
Cisco NetFlow Generation Appliance	CSCvb48596	1.1(1) (14-Oct-2016)
Cisco Network Analysis Module	CSCvb48593	6.2(1-b) (14-Oct-2016) 6.2(2) (14-Oct-2016)
Cisco Packet Tracer	CSCvb48617	Affected versions have been updated.
Cisco Policy Suite	CSCvc39197	12.0 (3-Mar-2017)
Cisco Prime Access Registrar	CSCvb48589
Cisco Prime Collaboration Assurance	CSCvb48599	PCA 11.6 (Nov-2016)
Cisco Prime Collaboration Deployment	CSCvb48693
Cisco Prime Collaboration Provisioning	CSCvb48598	11.6 (7-Oct-2016)
Cisco Prime Data Center Network Manager	CSCvb48562	DCNM 10.2.(1) (1-May-2017)
Cisco Prime IP Express	CSCvb48591
Cisco Prime Infrastructure Plug and Play Standalone Gateway	CSCvb48594	No fix is expected.
Cisco Prime Infrastructure	CSCvb48595	3.2: (First quarter 2017)
Cisco Prime LAN Management Solution - Solaris	CSCvb48585	4.2.5 (Available) MR5 (30-May-2017)
Cisco Prime License Manager	CSCvb48619
Cisco Prime Network Registrar	CSCvb48587	CPNR 8.3.5 (Jan. 2017) CPNR 9.0 (Dec. 2016)
Cisco Prime Network Services Controller	CSCvb48602	Moved to openssl 1.01u (6-Oct-2016)
Cisco Prime Network	CSCvb48581	PN 431 (Dec. 2016)
Cisco Prime Optical for Service Providers	CSCvb48590
Cisco Prime Performance Manager	CSCvb48582	1.7.0 SP1611 (30-Nov-2016)
Cisco Security Manager	CSCvb17176	4.13 (30-Jan-2017) 4.12 (30-Oct-2016)
Cisco Smart Net Total Care - Local Collector appliance	CSCvb48680	Affected versions will be updated (4-Nov-2016)
Cisco UCS Central Software	CSCvb48578	Affected versions will be fixed Mar 2017.
Cisco Unified Intelligence Center	CSCvb50784	11.6(1) (15-Jun-2017)
Lancope Stealthwatch Endpoint Concentrator	lancopeSep	6.7.4 (Available) 6.8.3 (14-Nov-2016) 6.9.0 (Feb 2017) Patches: patch-common-LVA-ROLLUP001-6.7.x-6.7.4-03.swu (Available) patch-common-LVA-ROLLUP001-6.8.x-6.8.3-03.swu (Available)
Lancope Stealthwatch FlowCollector NetFlow	lancopeSep	6.7.4 (Available) 6.8.3 (14-Nov-2016) 6.9.0 (Feb 2017) Patches: patch-common-LVA-ROLLUP001-6.7.x-6.7.4-03.swu (Available) patch-common-LVA-ROLLUP001-6.8.x-6.8.3-03.swu (Available)
Lancope Stealthwatch FlowCollector sFlow	lancopeSep	6.7.4 (Available) 6.8.3 (14-Nov-2016) 6.9.0 (Feb 2017) Patches: patch-common-LVA-ROLLUP001-6.7.x-6.7.4-03.swu (Available) patch-common-LVA-ROLLUP001-6.8.x-6.8.3-03.swu (Available)
Lancope Stealthwatch FlowSensor	lancopeSep	6.7.4 (Available) 6.8.3 (14-Nov-2016) 6.9.0 (Feb 2017) Patches: patch-common-LVA-ROLLUP001-6.7.x-6.7.4-03.swu (Available) patch-common-LVA-ROLLUP001-6.8.x-6.8.3-03.swu (Available)
Lancope Stealthwatch SMC	lancopeSep	6.7.4 (Available) 6.8.3 (14-Nov-2016) 6.9.0 (Feb 2017) Patches: patch-common-LVA-ROLLUP001-6.7.x-6.7.4-03.swu (Available) patch-common-LVA-ROLLUP001-6.8.x-6.8.3-03.swu (Available)
Lancope Stealthwatch UDP Director	lancopeSep	6.7.4 (Available) 6.8.3 (14-Nov-2016) 6.9.0 (Feb 2017) Patches: patch-common-LVA-ROLLUP001-6.7.x-6.7.4-03.swu (Available) patch-common-LVA-ROLLUP001-6.8.x-6.8.3-03.swu (Available)
Routing and Switching - Enterprise and Service Provider
Cisco 910 Industrial Router	CSCvb48671	1.2.1RB4 (Available)
Cisco ASR 5000 Series	CSCvb31279	21.2.0 (30-Apr-2017)
Cisco Connected Grid Routers - Running Cisco CG-OS Software	CSCvb48559	7.3 (27-Oct-2016)
Cisco Connected Grid Routers	CSCvb48684	15.008.009 (26-Oct-2016)
Cisco IOS XR Software	CSCvb48604	6.3.1 (1-July-2017)
Cisco IOS and Cisco IOS XE Software (16.3 and earlier releases)	CSCvb92562	16.4(2) 16.3(2) 15.5(3)M5 15.5(3)S5 See BST for more fix information.
Cisco IOS and Cisco IOS XE Software (16.4 and later releases)	CSCvb48683	16.4(2) 16.3(2) 15.5(3)M5 15.5(3)S5 See BST for more fix information.
Cisco MDS 9000 Series Multilayer Switches	CSCvb48567	5.2.8(i) (Dec 2016) 6.2.19 (Dec. 2016)
Cisco MDS 9000 Series Multilayer Switches	CSCvb48568	5.2.8(i) (Dec. 2016) 6.2.19 (Dec. 2016)
Cisco Nexus 1000V InterCloud	CSCvb48566
Cisco Nexus 1000V Series Switches	CSCvb48570	5.2(1)SV3(2.5) (17-Dec-2016)
Cisco Nexus 3000 Series Switches	CSCvb48572	6.0(2)A8(3) (Available)
Cisco Nexus 4000 Series Blade Switches	CSCvb48670	4.1(2)E1(1r) (3-Mar-2017)
Cisco Nexus 5000 Series Switches	CSCvb48568	5.2.8(i) (Dec. 2016) 6.2.19 (Dec. 2016)
Cisco Nexus 5000 Series Switches	CSCvb48573
Cisco Nexus 6000 Series Switches	CSCvb48568	5.2.8(i) (Dec. 2016) 6.2.19 (Dec. 2016)
Cisco Nexus 7000 Series Switches	CSCvb48568	5.2.8(i) (Dec. 2016) 6.2.19 (Dec. 2016)
Cisco Nexus 9000 Series Fabric Switches - ACI mode	CSCvb48565	Danube 12.2(2x) (1-Dec-2016)
Cisco Nexus 9000 Series Switches - Standalone, NX-OS mode	CSCvb48569	7.0(3)I5(1) (15-Oct-2016)
Cisco ONS 15454 Series Multiservice Provisioning Platforms	CSCvb48647	10.7 (31-Jan-2017)
Cisco Service Control Operating System	CSCvb48685	Affected versions will be updated (15-Jan-2017)
Cisco onePK All-in-One Virtual Machine	CSCvb48646	Customers are advised to keep the software in their virtual machine installations up to date using the software upgrade utilities provided by the operating system.
Routing and Switching - Small Business
Cisco 220 Series Smart Plus (Sx220) Switches	CSCvb48655
Cisco 500 Series Stackable (Sx500) Managed Switches	CSCvb48660	No fix is expected.
Cisco Small Business 300 Series (Sx300) Managed Switches	CSCvb48659	No fix is expected.
Unified Computing
Cisco Common Services Platform Collector	CSCvb48520	CASP 1.11 (Dec-2016)
Cisco UCS 6200 Series and 6300 Series Fabric Interconnects	CSCvb48644	Affected systems will be updated (15-Dec-2016)
Cisco UCS B-Series Blade Servers	CSCvb48577	3.1.3: TBD
Cisco UCS Director	CSCvb48561
Cisco UCS Manager	CSCvb48645	Affected versions will be fixed (15-Dec-2016)
Cisco UCS Standalone C-Series Rack Server - Integrated Management Controller	CSCvb48579	3.0.0 (30-Nov-2016)
Cisco Virtual Security Gateway	CSCvb48574	2.1.6 (2-Feb-2017)
Voice and Unified Communications Devices
Cisco ATA 187 Analog Telephone Adaptor	CSCvb48718
Cisco ATA 190 Series Analog Terminal Adaptors	CSCvb48690	1.3.0: (1-Oct-2017)
Cisco Agent Desktop for Cisco Unified Contact Center Express	CSCvb48695
Cisco Computer Telephony Integration Object Server (CTIOS)	CSCvb48529	11.6.1 (1-July-2017)
Cisco DX Series IP Phones	CSCvb48720	Affected versions will be updated (3-Mar-2017)
Cisco Emergency Responder	CSCvb48700	Affected versions will be updated (20-Oct-2016)
Cisco Hosted Collaboration Mediation Fulfillment	CSCvb48703	11.5(1) (22-Dec-2016)
Cisco IP 7800 Series Phones	CSCvb48723
Cisco IP 8800 Series Phones - VPN feature	CSCvb48721
Cisco IP Interoperability and Collaboration System (IPICS)	CSCvb48628	5.0.2 (14-April-2017)
Cisco Jabber for iPhone and iPad	CSCvb48705	11.8.0 (15-Nov-2016)
Cisco MediaSense	CSCvb50790
Cisco Packaged Contact Center Enterprise	CSCvb48530	No fix is expected.
Cisco Paging Server (InformaCast)	CSCvb48704	All affected versions will be fixed (Oct-2016)
Cisco Paging Server	CSCvb48704	All affected versions will be fixed (Oct-2016)
Cisco SPA112 2-Port Phone Adapter	CSCvb48656	1.4.2: (1-Oct-2017)
Cisco SPA122 Analog Telephone Adapter (ATA) with Router	CSCvb48656	1.4.2: (1-Oct-2017)
Cisco SPA232D Multi-Line DECT Analog Telephone Adapter (ATA)	CSCvb48656	1.4.2: (1-Oct-2017)
Cisco SPA525G 5-Line IP Phone	CSCvb48657	No fix is expected.
Cisco TAPI Service Provider (TSP)	CSCvb48692	No fix is expected.
Cisco UC Integration for Microsoft Lync	CSCvb48697	11.6.3 (1-Nov-2016)
Cisco Unified Attendant Console Advanced	CSCvb48688	12.0(1) (Available)
Cisco Unified Attendant Console Business Edition	CSCvb48688	12.0(1) (Available)
Cisco Unified Attendant Console Department Edition	CSCvb48688	12.0(1) (Available)
Cisco Unified Attendant Console Enterprise Edition	CSCvb48688	12.0(1) (Available)
Cisco Unified Attendant Console Premium Edition	CSCvb48688	12.0(1) (Available)
Cisco Unified Attendant Console Standard	CSCvb48689	11.0.2 patch (Available)
Cisco Unified Communications Domain Manager	CSCvb48696	11.5(1) (16-Dec-2016)
Cisco Unified Communications Manager IM & Presence Service (formerly CUPS)	CSCvb48701	Affected versions will be updated (20-Oct-2016)
Cisco Unified Communications Manager Session Management Edition	CSCvb48691	Affected versions will be updated (20-Oct-2016)
Cisco Unified Communications Manager	CSCvb48691	Affected versions will be updated (20-Oct-2016)
Cisco Unified Contact Center Enterprise - Live Data server	CSCvb50785
Cisco Unified Contact Center Enterprise	CSCvb48529	11.6.1 (1-July-2017)
Cisco Unified Contact Center Express	CSCvb50788	11.6: (10-Nov-2016)
Cisco Unified IP 6901 Phone	CSCvb48713	9.3(1)SR3 (June 2016)
Cisco Unified IP 6945 Phone	CSCvb48719
Cisco Unified IP 7900 Series Phones	CSCvb48724	No fix is expected.
Cisco Unified IP 8831 Conference Phone for Third-Party Call Control	CSCvb48687	9.3(4)SR3 (13-May-2017)
Cisco Unified IP 8831 Conference Phone	CSCvb48716	10.3.1SR4 (30-Nov-2017)
Cisco Unified IP 8945 Phone	CSCvb48715	9.4.2SR4 (10-Nov-2017)
Cisco Unified IP 8961 Phone	CSCvb48702
Cisco Unified IP 9951 Phone	CSCvb48702
Cisco Unified IP 9971 Phone	CSCvb48702
Cisco Unified Intelligent Contact Management Enterprise	CSCvb48529	11.6.1 (1-July-2017)
Cisco Unified SIP Proxy Software	CSCvb48516	10.0 (Mar-2017)
Cisco Unified Wireless IP Phone	CSCvb48729
Cisco Unified Workforce Optimization - Quality Management Solution	CSCvb48727	11.5(1)SU1 (31-Dec-2016)
Cisco Unified Workforce Optimization	CSCvb48728
Cisco Unity Connection	CSCvb48694
Cisco Unity Express	CSCvb48514	10.0 (1-Feb-2017)
Cisco Virtualization Experience Media Edition	CSCvb48726	11.8.0 (29-Nov-2016)
Video, Streaming, TelePresence, and Transcoding Devices
Cisco 4300 Series Digital Media Players	CSCvb48608	5.3.6_RB3 (29-Oct-2016) 5.4.1_RB4 (29-Oct-2016)
Cisco 4400 Series Digital Media Players	CSCvb48608	5.3.6_RB3 (29-Oct-2016) 5.4.1_RB4 (29-Oct-2016)
Cisco Cloud Object Storage	CSCvb48630	Affected versions will be fixed (30-Oct-2016)
Cisco DCM Series D990x Digital Content Manager	CSCvb48580
Cisco Edge 300 Digital Media Player	CSCvb48672	1.6RB5 (26-Oct-2016)
Cisco Edge 340 Digital Media Player	CSCvb48673	1.2RB1.0.3 (26-Oct-2016)
Cisco Enterprise Content Delivery System (ECDS)	CSCvb48610	2.6.9 (7-Jan-2017)
Cisco Expressway Series	CSCvb48625	X8.8.3 (24-Oct-2016)
Cisco MXE 3500 Series Media Experience Engines	CSCvb48615	Affected versions will be fixed (7-Oct-2016)
Cisco Media Services Interface	CSCvb48605	No fix is expected.
Cisco Show and Share	CSCvb48621	No fix is expected.
Cisco TelePresence Conductor	CSCvb48607	XC4.3.1 (29-March-2017)
Cisco TelePresence Content Server	CSCvb48623	Affected versions will be updated (17-Oct-2016)
Cisco TelePresence ISDN Gateway 3241	CSCvb48611	2.2(1.122) (31-March-2017)
Cisco TelePresence ISDN Gateway MSE 8321	CSCvb48611	2.2(1.122) (31-March-2017)
Cisco TelePresence ISDN Link	CSCvb48612
Cisco TelePresence MCU 4200 Series, 4500 Series, 5300 Series, MSE 8420, and MSE 8510	CSCvb48613	MCU 4.5(1.89) (9-Dec-2016)
Cisco TelePresence MX Series	CSCvb51602	TC7.3.7 (Fix Available Now) CE8.2.2 (Oct. 2016)
Cisco TelePresence Profile Series	CSCvb51602	TC7.3.7 (Fix Available Now) CE8.2.2 (Oct. 2016)
Cisco TelePresence SX Series	CSCvb51602	TC7.3.7 (Fix Available Now) CE8.2.2 (Oct. 2016)
Cisco TelePresence Serial Gateway Series	CSCvb48620
Cisco TelePresence Server 7010 and MSE 8710	CSCvb48624	4.4 (Nov 2016)
Cisco TelePresence Server on Multiparty Media 310 and 320	CSCvb48624	4.4 (Nov 2016)
Cisco TelePresence Server on Multiparty Media 820	CSCvb48624	4.4 (Nov 2016)
Cisco TelePresence Server on Virtual Machine	CSCvb48624	4.4 (Nov 2016)
Cisco TelePresence Supervisor MSE 8050	CSCvb48614
Cisco TelePresence System 1000	CSCvb48686	1.0.2 (28-Feb-2017)
Cisco TelePresence System 1100	CSCvb48686	1.0.2 (28-Feb-2017)
Cisco TelePresence System 1300	CSCvb48686	1.0.2 (28-Feb-2017)
Cisco TelePresence System 3000 Series	CSCvb48686	1.0.2 (28-Feb-2017)
Cisco TelePresence System 500-32	CSCvb48686	1.0.2 (28-Feb-2017)
Cisco TelePresence System 500-37	CSCvb48686	1.0.2 (28-Feb-2017)
Cisco TelePresence System EX Series	CSCvb51602	TC7.3.7 (Fix Available Now) CE8.2.2 (Oct.2016)
Cisco TelePresence System TX1310	CSCvb48686	1.0.2 (28-Feb-2017)
Cisco TelePresence TX9000 Series	CSCvb48686	1.0.2 (28-Feb-2017)
Cisco TelePresence Video Communication Server (VCS)	CSCvb48625	X8.8.3 (24-Oct-2016)
Cisco Telepresence Integrator C Series	CSCvb51602	TC7.3.7 (Fix available now) CE8.2.2 (Oct.2016)
Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS)	CSCvb48631	4.003(002) (Oct. 2016)
Cisco Video Surveillance 3000 Series IP Cameras	CSCvb48651	2.9 (16-Jan-2017)
Cisco Video Surveillance 4000 Series High-Definition IP Cameras	CSCvb48649	2.9 (16-Jan-2017)
Cisco Video Surveillance 4300E and 4500E High-Definition IP Cameras	CSCvb48650	2.9 (16-Jan-2017)
Cisco Video Surveillance 6000 Series IP Cameras	CSCvb48651	2.9 (16-Jan-2017)
Cisco Video Surveillance 7000 Series IP Cameras	CSCvb48651	2.9 (16-Jan-2017)
Cisco Video Surveillance Media Server	CSCvb48653	VSM 7.9 (16-Dec-2016)
Cisco Video Surveillance PTZ IP Cameras	CSCvb48651	2.9 (16-Jan-2017)
Cisco Videoscape AnyRes Live	CSCvb48677	CAL 9.7.2 (Oct. 2016)
Cisco Videoscape Control Suite	CSCvb48629
Tandberg Codian ISDN Gateway 3210, 3220, and 3240	CSCvb48611	2.2(1.122) (31-March-2017)
Tandberg Codian MSE 8320	CSCvb48611	2.2(1.122) (31-March-2017)
Wireless
Cisco 5760 Wireless LAN Controller	CSCvd82146	No fix is expected.
Cisco Aironet 1040 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 1130 AG Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 1140 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 1200 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 1530 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 1550 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 1570 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 1600 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 1700 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 2600 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 2700 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 3500 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 3600 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 3700 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 700 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Aironet 700W Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Industrial Wireless 3700 Series	CSCvb48583	16.4 (20-Oct-2016) 16.3 (20-Oct-2016) 16.2 (25-Oct-2016) 16.1 (25-Oct-2016) 15.5(3) (25-Oct-2016)
Cisco Mobility Services Engine	CSCvb48592	8.0.150.0 (31-Dec-2016)
Cisco Wireless LAN Controller	CSCvb48603	8.4 (Feb. 2017) 8.3 (Feb. 2017)
Cisco Hosted Services
Cisco Cloud Web Security	CSCvb48668
Cisco Network Performance Analysis	CSCvb48682	Affected versions will be fixed (28-Oct-2016)
Cisco Partner Support Service 1.x	CSCvb48641	No fix is expected.
Cisco Proactive Network Operations Center	CSCvb48523	No fix is expected.
Cisco Registered Envelope Service	CSCvb48531	Affected services have been updated.
Cisco Services Provisioning Platform	CSCvb48730	SFP1.1 (26-Oct-2016)
Cisco Smart Care	CSCvb48639	No fix is expected.
Cisco Universal Small Cell 5000 Series - Running Release 3.4.2.x	CSCvb48676	3.5.12.23 (31-Jan-2017)
Cisco Universal Small Cell 7000 Series - Running Release 3.4.2.x	CSCvb48676	3.5.12.23 (31-Jan-2017)
Cisco Universal Small Cell CloudBase Factory Recovery Root Filesystem - Releases 2.99.4 and later	CSCvb48674	3.17.3 (30-Nov-2016)
Cisco Universal Small Cell Iuh	CSCvb48675	3.17.3 (30-Nov-2016)
Cisco WebEx Centers - Meeting Center, Training Center, Event Center, Support Center	CSCvb48555	T32 (15-Nov-2016)
Cisco WebEx Meeting Center	CSCvb48556	WebEx11 v1.3.26 (31-Dec-2016)
Cisco WebEx Messenger Service	CSCvb48551	Affected versions have been updated.
Network Health Framework	CSCvb48681	Affected versions will be fixed (28-Oct-2016)
Services Analytics Platform	CSCvb48526	The deployment will be updated during the second quarter of 2017.

Products Confirmed Not Vulnerable

Network Management and Provisioning

Cisco Configuration Professional
Cisco Prime Home
Cisco Prime Network Registrar IP Address Manager (IPAM)

Routing and Switching - Enterprise and Service Provider

Cisco Broadband Access Center for Telco and Wireless

Cisco Hosted Services

Cisco ONE Portal

Details

The associated Common Vulnerabilities and Exposures (CVE) IDs for the vulnerabilities that were disclosed on September 22, 2016, and September 26, 2016, in the OpenSSL Software Foundation security advisories are as follows:
- CVE-2016-2177
- CVE-2016-2178
- CVE-2016-2179
- CVE-2016-2180
- CVE-2016-2181
- CVE-2016-2182
- CVE-2016-2183
- CVE-2016-6302
- CVE-2016-6303
- CVE-2016-6304
- CVE-2016-6305
- CVE-2016-6306
- CVE-2016-6307
- CVE-2016-6308
- CVE-2016-6309
- CVE-2016-7052
Additional Details

OpenSSL OCSP Stapling Status Request Memory Exhaustion Vulnerability

A vulnerability in the Online Certificate Status Protocol (OCSP) stapling implementation of OpenSSL could allow an unauthenticated, remote attacker to keep consuming memory on the targeted system. The vulnerability is due to the implementation of the OCSP Status Request SSL/TLS extension.

An attacker could exploit this vulnerability by establishing an SSL/TLS session to the targeted system and iteratively performing renegotiation...
OpenSSL OCSP Stapling Status Request Memory Exhaustion Vulnerability

A vulnerability in the Online Certificate Status Protocol (OCSP) stapling implementation of OpenSSL could allow an unauthenticated, remote attacker to keep consuming memory on the targeted system. The vulnerability is due to the implementation of the OCSP Status Request SSL/TLS extension.

An attacker could exploit this vulnerability by establishing an SSL/TLS session to the targeted system and iteratively performing renegotiation, sending an OCSP Status Request each time. An exploit could allow the attacker to indefinitely keep increasing the memory allocated to the process that is running the vulnerable OpenSSL code.

This vulnerability has been assigned the following CVE ID: CVE-2016-6304.

OpenSSL 3DES CBC Mode Information Disclosure Vulnerability

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to access sensitive information.

The vulnerability is due to a cipher block collision that may occur during an encrypted session where OpenSSL uses a 64-bit block cipher, such as 3DES Cipher Block Chaining (CBC) mode. An attacker who is able to capture nearly a terabyte of network traffic could exploit this vulnerability to monitor a cipher block collision, which could be leveraged to decrypt data in transit and gain access to sensitive information. A successful exploit could be leveraged to conduct further attacks.

This vulnerability has been assigned the following CVE ID: CVE-2016-2183.

Vulnerabilities Not Applicable to Cisco Products

The vulnerabilities identified by the following CVE IDs exclusively affect the recently released OpenSSL versions that are part of the 1.1.0 release series, which has not yet been integrated into any Cisco product:

More...
- CVE-2016-6305
- CVE-2016-6307
- CVE-2016-6308
- CVE-2016-6309
- CVE-2016-7052
For details about the remainder of the vulnerabilities, please refer to the security advisories published by the OpenSSL Software Foundation:
- September 22, 2016 Security Advisory
- September 26, 2016 Security Advisory

Workarounds

There are no workarounds that address these vulnerabilities.

Fixed Software

Updates for affected software releases will be published when they are available and information about those updates will be documented in Cisco bugs, which are accessible from the Cisco Bug Search Tool.

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

Source

These vulnerabilities were publicly disclosed by the OpenSSL Software Foundation on September 22, 2016, and September 26, 2016.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Revision History

Version	Description	Section	Status	Date
1.18	Updated the fixed release information for Cisco SMA to reflect the SMA version that was fixed.	Vulnerable Products	Final	2018-December-27
1.17	Updated the fixed release information for Cisco ESA to convey that the fixes were not integrated in any 10.x release.	Vulnerable Products	Final	2018-December-19
1.16	Updated the fixed release information.	Vulnerable Products	Final	2017-September-15
1.15	Updated the list of vulnerable products.	Vulnerable Products	Final	2017-April-24
1.14	Updated the fixed release information for Cisco ESA.	Vulnerable Products	Final	2017-April-21
1.13	Updated the lists of products under investigation and vulnerable products.	Affected Products, Vulnerable Products	Final	2017-February-03
1.12	Updated the list of vulnerable products.	Vulnerable Products	Interim	2016-November-16
1.11	Updated the lists of products under investigation and vulnerable products.	Affected Products, Vulnerable Products	Interim	2016-October-28
1.10	Updated the lists of products under investigation and vulnerable products.	Affected Products, Vulnerable Products	Interim	2016-October-26
1.9	Updated the lists of products under investigation and vulnerable products.	Affected Products, Vulnerable Products	Interim	2016-October-19
1.8	Updated the lists of products under investigation and vulnerable products.	Affected Products, Vulnerable Products	Interim	2016-October-14
1.7	Updated the lists of products under investigation and vulnerable products.	Affected Products, Vulnerable Products	Interim	2016-October-12
1.6	Updated the lists of products under investigation and vulnerable products.	Affected Products, Vulnerable Products	Interim	2016-October-07
1.5	Updated the lists of products under investigation, vulnerable, and not vulnerable.	Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable	Interim	2016-October-05
1.4	Updated the lists of products under investigation, vulnerable, and not vulnerable.	Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable	Interim	2016-October-03
1.3	Updated the lists of products under investigation and vulnerable products.	Affected Products, Vulnerable Products	Interim	2016-September-30
1.2	Updated the lists of products under investigation and vulnerable products.	Affected Products, Vulnerable Products	Interim	2016-September-29
1.1	Updated the lists of products under investigation, vulnerable, and not vulnerable.	Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable	Interim	2016-September-28
1.0	Initial public release.	-	Interim	2016-September-27

Show Complete History...

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

Feedback

Leave additional feedback

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016

Summary

Affected Products

Vulnerable Products

Products Confirmed Not Vulnerable

Details

Additional Details

Workarounds

Fixed Software

Exploitation and Public Announcements

Source

Cisco Security Vulnerability Policy

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Related to This Advisory

URL

Revision History

Legal Disclaimer

Feedback

Vulmon Search

About

Products

Connect