Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.0064.14
CPU Side-Channel Information Disclosure Vulnerabilities
14 June 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Products
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Access Privileged Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
Reference: ASB-2018.0002.3
ESB-2018.0059
ESB-2018.0057
ESB-2018.0046
ESB-2018.0044
ESB-2018.0042
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
Revision History: June 14 2018: Updated vulnerable products table from Cisco
June 6 2018: Updated vulnerable products table from Cisco
May 23 2018: Updated vulnerable products table from Cisco
May 16 2018: Updated Vulnerable Products table.
April 12 2018: Updated Vulnerable Products table.
February 6 2018: Updated Vulnerable Products table.
January 25 2018: Updated Products Under Investigation and
Vulnerable Products sections.
January 23 2018: Updated Products Under Investigation and
Vulnerable Products sections. Removed UCS
M5 server firmware release date. The UCS
M5 BIOS updates have been removed from
cisco.com at this time. Customers are
advised to wait for the next revision of
these updates before updating their devices.
January 22 2018: Updated Products Under Investigation and
Vulnerable Products.
January 19 2018: Updated Summary section to provide guidance
on updating underlying operating systems and
hypervisors within virtual environments.
Updated Affected Products sections and fixed
release table.
January 18 2018: Updated vulnerable products section with fixed
release availability and estimates
January 15 2018: Updated information about vulnerable products,
products under investigation, and products
confirmed not vulnerable.
January 10 2018: Updated information about affected products
January 5 2018: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
CPU Side-Channel Information Disclosure Vulnerabilities
Medium
Advisory ID: cisco-sa-20180104-cpusidechannel
First Published: 2018 January 4 22:20 GMT
Last Updated:
2018 June 13 18:39 GMT
Version 1.28: Interim
Workarounds: No workarounds available
CVE-2017-5715
CVE-2017-5753
CVE-2017-5754
CWE-200
Summary
o On January 3, 2018, researchers disclosed three vulnerabilities that take
advantage of the implementation of speculative execution of instructions on
many modern microprocessor architectures to perform side-channel
information disclosure attacks. These vulnerabilities could allow an
unprivileged local attacker, in specific circumstances, to read privileged
memory belonging to other processes or memory allocated to the operating
system kernel.
The first two vulnerabilities, CVE-2017-5753 and CVE-2017-5715, are
collectively known as Spectre. The third vulnerability, CVE-2017-5754, is
known as Meltdown. The vulnerabilities are all variants of the same attack
and differ in the way that speculative execution is exploited.
To exploit any of these vulnerabilities, an attacker must be able to run
crafted code on an affected device. Although the underlying CPU and
operating system combination in a product or service may be affected by
these vulnerabilities, the majority of Cisco products are closed systems
that do not allow customers to run custom code and are, therefore, not
vulnerable. There is no vector to exploit them. Cisco products are
considered potentially vulnerable only if they allow customers to execute
custom code side-by-side with Cisco code on the same microprocessor.
A Cisco product that may be deployed as a virtual machine or a container,
even while not directly affected by any of these vulnerabilities, could be
targeted by such attacks if the hosting environment is vulnerable. Cisco
recommends that customers harden their virtual environments, tightly
control user access, and ensure that all security updates are installed.
Customers who are deploying products as a virtual device in multi-tenant
hosting environments should ensure that the underlying hardware, as well as
operating system or hypervisor, is patched against the vulnerabilities in
question.
Although Cisco cloud services are not directly affected by these
vulnerabilities, the infrastructure on which they run may be impacted.
Refer to the "Affected Products" section of this advisory for information
about the impact of these vulnerabilities on Cisco cloud services.
Cisco will release software updates that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
Affected Products
o Cisco is investigating its product line to determine which products and
cloud services may be affected by these vulnerabilities. As the
investigation progresses, Cisco will update this advisory with information
about affected products and services, including the Cisco bug ID for each
affected product or service.
Any product or service not listed in the "Products Under Investigation" or
"Vulnerable Products" section of this advisory is to be considered not
vulnerable. The criteria for considering whether a product is vulnerable is
explained in the "Summary" section of this advisory. Because this is an
ongoing investigation, please be aware that products and services currently
considered not vulnerable may subsequently be considered vulnerable as
additional information becomes available.
Products Under Investigation
No products are currently under active investigation to determine whether
they are affected by the vulnerability that is described in this advisory.
Vulnerable Products
The following table lists Cisco products and cloud services that are
affected by the vulnerabilities described in this advisory:
Product Cisco Bug Fixed Release
ID Availability
Network Application, Service, and Acceleration
Cisco Cloud Services Platform 2100 CSCvh32644 A fix is pending on
upstream vendors.
Cisco Network Functions Virtualization CSCvh49919 A fix is pending on
Infrastructure Software upstream vendors.
Cisco Nexus 3000 Series Switches CSCvh32392 A fix is pending on
upstream vendors.
Cisco Nexus 9000 Series Switches - CSCvh32392 A fix is pending on
Standalone, NX-OS mode upstream vendors.
Cisco Wide Area Application Services CSCvh49646 Update to v6.x (Available
(WAAS) now)
Cisco vBond Orchestrator -- 18.2 (Available Now)
Cisco vEdge 5000 -- 18.2 (Available Now)
Cisco vEdge Cloud -- 18.2 (Available Now)
Cisco vManage NMS -- A fix is pending on
upstream vendors.
Cisco vSmart Controller -- 18.2 (Available Now)
Network Management and Provisioning
Cisco Application Policy CSCvh58549 3.2(1l) (Available Now)
Infrastructure Controller (APIC)
Cisco Evolved Programmable Network CSCvh64005 A fix is pending on
Manager upstream vendors.
Cisco Virtual Application Policy CSCvh58549 3.2(1l) (Available Now)
Infrastructure Controller (APIC)
Routing and Switching - Enterprise and Service Provider
Cisco 4000 Series Integrated Services
Routers (IOS XE Open Service CSCvh32416 16.3.7 (June-2018)
Containers)
Cisco 800 Industrial Integrated CSCvh31418 A fix is pending on
Services Routers (IOx feature) upstream vendors.
Cisco ASR 1000 Series Aggregation
Services Router with RP2 or RP3 (IOS CSCvh32416 16.3.7 (June-2018)
XE Open Service Containers)
Cisco ASR 1001-HX Series Aggregation
Services Routers (IOS XE Open Service CSCvh32416 16.3.7 (June-2018)
Containers)
Cisco ASR 1001-X Series Aggregation
Services Routers (IOS XE Open Service CSCvh32416 16.3.7 (June-2018)
Containers)
Cisco ASR 1002-HX Series Aggregation
Services Routers (IOS XE Open Service CSCvh32416 16.3.7 (June-2018)
Containers)
Cisco ASR 1002-X Series Aggregation
Services Routers (IOS XE Open Service CSCvh32416 16.3.7 (June-2018)
Containers)
Cisco ASR 9000 XR 64-bit Series CSCvh32429 A fix is pending on
Routers upstream vendors.
Cisco CGR 1000 Compute Module (IOx CSCvh32516 A fix is pending on
feature) upstream vendors.
16.6.3
Cisco Catalyst 9300 Series Switches 16.7.2
(Open Service Container or IOx CSCvh44164 16.8.1
feature) 16.9.1
(June - 2018)
16.6.3
Cisco Catalyst 9400 Series Switches 16.7.2
(Open Service Container or IOx CSCvh44165 16.8.1
feature) 16.9.1
(June - 2018)
16.6.3
Cisco Catalyst 9500 Series Switches 16.7.2
(Open Service Container or IOx CSCvh44166 16.8.1
feature) 16.9.1
(June -2018)
Cisco Cloud Services Router 1000V
Series (IOS XE Open Service CSCvh32416 16.3.7 (June-2018)
Containers)
Cisco NCS 1000 Series Routers CSCvh32429 A fix is pending on
upstream vendors.
Cisco NCS 5000 Series Routers CSCvh32429 A fix is pending on
upstream vendors.
Cisco NCS 5500 Series Routers CSCvh32429 A fix is pending on
upstream vendors.
Cisco Nexus 3500 Series Switches CSCvh32393 No fix expected.
Cisco Nexus 5000 Series Switches (OAC CSCvh32394 A fix is pending on
feature) upstream vendors.
Cisco Nexus 6000 Series Switches (OAC CSCvh32390 A fix is pending on
feature) upstream vendors.
Cisco Nexus 7000 Series Switches (OAC CSCvh32390 A fix is pending on
feature, Feature Bash) upstream vendors.
Cisco XRv 9000 Series Routers CSCvh32429 A fix is pending on
upstream vendors.
Cisco c800 Series Integrated Services CSCvh51582 A fix is pending on
Routers (IOx feature) upstream vendors.
Unified Computing
Cisco C880 M4 Server CSCvh66783 A fix is pending on
upstream vendors.
Cisco C880 M5 Server CSCvh66783 A fix is pending on
upstream vendors.
Cisco Enterprise Network Compute CSCvh48274 A fix is pending on
System 5100 Series Servers upstream vendors.
Cisco Enterprise Network Compute CSCvh48274 A fix is pending on
System 5400 Series Servers upstream vendors.
HX 2.5.1d
Cisco HyperFlex with VMWare Hypervisor CSCvh68612 HX 2.6.1d
HX 3.0.1a
(Available Now)
UCS B-Series M2 Blade
Servers - UCS Manager 2.2
(8j) (April 2018)
UCS Manager 3.1(3h) (May
2018)
UCS Manager 3.2(3b) (May
Cisco UCS B-Series M2 Blade Servers CSCvh31576 2018)
UCS C-Series M2 Rack
Servers -UCS Manager 2.2
(8j) (April 2018)
IMC 1.4(3z08) (April
2018) / 1.5(9e) (April
2018)
UCS B-Series M3 Blade
Servers
3.2(3a)(Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS C-Series M3 Rack
Cisco UCS B-Series M3 Blade Servers CSCvg97965 Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
UCS Manager 2.2(8j)
(April 2018)
IMC 3.0(4a) (Mar 2018)
IMC 2.0(9n) (April 2018)
UCS B-Series M4 Blade
Servers (except B260
B460)
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS C-Series M4 Rack
Servers (except C460)
Cisco UCS B-Series M4 Blade Servers 3.2(3a) (Mar 2018)
(except B260, B460) CSCvg97979 3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
IMC 3.0(4a) (Mar 2018)
IMC 2.0(10i) (April 2018)
UCS S3260 M4 Storage
Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
IMC 3.0(4a) (Mar 2018)
UCS B-Series M5 Blade
Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
Cisco UCS B-Series M5 Blade Servers CSCvh31577 UCS C-Series M5 Rack
Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
IMC 3.1(3a) (Mar 2018)
UCS B260 M4 Blade Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS B460 M4 Blade Servers
3.2(3a) (Mar 2018)
Cisco UCS B260 M4 Blade Server CSCvg98015 3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS C460 M4 Rack Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS B260 M4 Blade Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS B460 M4 Blade Servers
3.2(3a) (Mar 2018)
Cisco UCS B460 M4 Blade Server CSCvg98015 3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS C460 M4 Rack Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS B-Series M2 Blade
Servers - UCS Manager 2.2
(8j) (April 2018)
UCS Manager 3.1(3h) (May
2018)
UCS Manager 3.2(3b) (May
Cisco UCS C-Series M2 Rack Servers CSCvh31576 2018)
UCS C-Series M2 Rack
Servers -UCS Manager 2.2
(8j) (April 2018)
IMC 1.4(3z08) (April
2018) / 1.5(9e) (April
2018)
UCS B-Series M3 Blade
Servers
3.2(3a)(Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS C-Series M3 Rack
Cisco UCS C-Series M3 Rack Servers CSCvg97965 Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
UCS Manager 2.2(8j)
(April 2018)
IMC 3.0(4a) (Mar 2018)
IMC 2.0(9n) (April 2018)
UCS B-Series M4 Blade
Servers (except B260
B460)
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS C-Series M4 Rack
Servers (except C460)
Cisco UCS C-Series M4 Rack Servers 3.2(3a) (Mar 2018)
(except C460) ^1 CSCvg97979 3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
IMC 3.0(4a) (Mar 2018)
IMC 2.0(10i) (April 2018)
UCS S3260 M4 Storage
Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
IMC 3.0(4a) (Mar 2018)
UCS B-Series M5 Blade
Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
Cisco UCS C-Series M5 Rack Servers ^1 CSCvh31577 UCS C-Series M5 Rack
Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
IMC 3.1(3a) (Mar 2018)
UCS B260 M4 Blade Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS B460 M4 Blade Servers
3.2(3a) (Mar 2018)
Cisco UCS C460 M4 Rack Server CSCvg98015 3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS C460 M4 Rack Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
Cisco UCS E-Series M2 Servers CSCvh48274 A fix is pending on
upstream vendors.
Cisco UCS E-Series M3 Servers CSCvh48274 A fix is pending on
upstream vendors.
Cisco UCS M-Series Modular Servers CSCvh55760 No fix expected.
UCS B-Series M4 Blade
Servers (except B260
B460)
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
UCS C-Series M4 Rack
Servers (except C460)
3.2(3a) (Mar 2018)
Cisco UCS S3260 M4 Storage Server CSCvg97979 3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
2.2(8j) (April 2018)
IMC 3.0(4a) (Mar 2018)
IMC 2.0(10i) (April 2018)
UCS S3260 M4 Storage
Servers
3.2(3a) (Mar 2018)
3.2(2f) (Mar 2018)
3.1(3f) (Mar 2018)
IMC 3.0(4a) (Mar 2018)
Voice and Unified Communications Devices
Cisco Remote Expert Mobile CSCvh58132 11.6(1)ES3 11.5(1)ES8
(Available Now)
Wireless
Cisco Wireless Gateway for LoRaWAN CSCvh58504 A fix is pending on
upstream vendors.
Cisco Cloud Hosted Services
Meltdown and Spectre
variant 1 (v4.7) (Feb
Cisco Metacloud CSCvh53992 2018)
Spectre variant 2 (Apr
2018)
Cisco Threat Grid -- (Feb-2018)
^1 Cisco UCS M4 and M5 Rack Servers are used as part of the Cisco HyperFlex
Solution.
Products Confirmed Not Vulnerable
No other Cisco products or cloud services are currently known to be
affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following
products or cloud services:
Collaboration and Social Media
o Cisco Meeting Server
Network Application, Service, and Acceleration
o Cisco vEdge 1000
o Cisco vEdge 100
o Cisco vEdge 2000
Routing and Switching - Enterprise and Service Provider
o Cisco 1000 Series Connected Grid Routers
o Cisco 500 Series WPAN Industrial Routers (IOx feature)
o Cisco ASR 1001 Fixed Configuration Aggregation Services Router
o Cisco ASR 1002 Fixed Configuration Aggregation Services Router
o Cisco ASR 1002-F Fixed Configuration Aggregation Services Router
o Cisco Catalyst 3650 Series Switches
o Cisco Catalyst 3850 Series Switches
o Cisco Industrial Ethernet 4000 Series Switches (IOx feature)
o Cisco Nexus 4000 Series Blade Switches
o Cisco Nexus 9000 Series Fabric Switches - ACI mode
Cisco Cloud Hosted Services
o Cisco Cloudlock
o Cisco Managed Services
o Cisco Meraki
o Cisco Spark
o Cisco Umbrella
o Cisco WebEx Centers - Meeting Center, Training Center, Event Center,
Support Center
Details
o Details about the vulnerabilities are as follows.
Modern CPU Process Prediction Information Disclosure Vulnerability
A vulnerability due to the design of most modern CPUs could allow a local
attacker to access sensitive information on a targeted system.
The vulnerability is due to improper implementation of the speculative
execution of instructions by the affected software. This vulnerability can
by triggered by utilizing branch target injection. An attacker could
exploit this vulnerability by executing arbitrary code and performing a
side-channel attack on a targeted system. A successful exploit could allow
the attacker to read sensitive memory information.
This vulnerability has been assigned the following CVE ID: CVE-2017-5715
Modern CPU Process Branch Prediction Information Disclosure Vulnerability
A vulnerability due to the design of most modern CPUs could allow a local
attacker to access sensitive information on a targeted system.
The vulnerability is due to improper implementation of the speculative
execution of instructions by the affected software. This vulnerability can
by triggered by performing a bounds check bypass. An attacker could exploit
this vulnerability by executing arbitrary code and performing a
side-channel attack on a targeted system. A successful exploit could allow
the attacker to read sensitive memory information.
This vulnerability has been assigned the following CVE ID: CVE-2017-5753
Intel CPU Indirect Branch Prediction Information Disclosure Vulnerability
A vulnerability in Intel CPU hardware could allow a local attacker to gain
access to sensitive information on a targeted system.
The vulnerability is due to side-channel attacks, which are also referred
to as Meltdown attacks. A local attacker could exploit this vulnerability
by executing arbitrary code on the affected system. A successful exploit
could allow the attacker to gain access to sensitive information on the
targeted system, including accessing memory from the CPU cache.
This vulnerability has been assigned the following CVE ID: CVE-2017-5754
Workarounds
o Any workarounds will be documented in the product-specific Cisco bugs,
which are accessible through the Cisco Bug Search Tool.
Fixed Software
o For information about fixed software releases, consult the Cisco bugs
identified in the "Vulnerable Products" section of this advisory.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Exploitation and Public Announcements
o The vulnerabilities described in this advisory were discussed in several
articles and discussion forums as of January 3, 2018.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any malicious use of the vulnerabilities that are described in this
advisory.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
o Subscribe
Action Links for This Advisory
o Snort Rule 45357
Snort Rule 45358
Snort Rule 45359
Snort Rule 45360
Snort Rule 45361
Snort Rule 45362
Snort Rule 45363
Snort Rule 45364
Snort Rule 45365
Snort Rule 45366
Snort Rule 45367
Snort Rule 45368
Snort Rule 45443
Snort Rule 45444
Related to This Advisory
o CPU Side-Channel Information Disclosure Vulnerabilities
Intel CPU Process Prediction Information Disclosure Vulnerability
Intel CPU Indirect Branch Prediction Information Disclosure Vulnerability
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
Revision History
o +---------+---------------------+------------+---------+------------------+
| Version | Description | Section | Status | Date |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| | Products table with | Vulnerable | | |
| 1.28 | fixed version | Products | Interim | 2018-June-13 |
| | information for | | | |
| | multiple products. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| | Products table with | Vulnerable | | |
| 1.27 | fixed version | Products | Interim | 2018-June-08 |
| | information for | | | |
| | multiple products. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| | Products table with | Vulnerable | | |
| 1.26 | fixed version | Products | Interim | 2018-June-04 |
| | information for | | | |
| | multiple products. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| | Products table with | Vulnerable | | |
| 1.25 | fixed version | Products | Interim | 2018-May-22 |
| | information for | | | |
| | multiple products. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| | Products table with | Vulnerable | | |
| 1.24 | fixed version | Products | Interim | 2018-May-14 |
| | information for | | | |
| | multiple products. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| | Products table with | | | |
| | fixed version | Vulnerable | | |
| 1.23 | information for UCS | Products | Interim | 2018-April-09 |
| | M2, M3, and | | | |
| | additional M4 | | | |
| | models. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| | Products table with | | | |
| | version information | | | |
| 1.22 | and estimated | Vulnerable | Interim | 2018-March-20 |
| | availability dates | Products | | |
| | for the delivery of | | | |
| | fixed software for | | | |
| | Cisco UCS Servers. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| | Products table with | | | |
| | estimated | Vulnerable | | |
| 1.21 | availability dates | Products | Interim | 2018-March-07 |
| | for the delivery of | | | |
| | fixed software for | | | |
| | Cisco UCS Servers. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| | Products table with | | | |
| | estimated | Vulnerable | | |
| 1.20 | availability dates | Products | Interim | 2018-March-01 |
| | for the delivery of | | | |
| | fixed software for | | | |
| | multiple products. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| 1.19 | Products Table Fix | Vulnerable | Interim | 2018-February-07 |
| | information for | Products | | |
| | E-Series servers. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| 1.18 | Products Table with | Vulnerable | Interim | 2018-February-07 |
| | fix/timelines on a | Products | | |
| | number of products. | | | |
+---------+---------------------+------------+---------+------------------+
| 1.17 | Updated Vulnerable | Vulnerable | Interim | 2018-February-05 |
| | Products table. | Products | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| | and Confirmed Not | Vulnerable | | |
| | Vulnerable | Products, | | |
| 1.16 | sections. Cisco | Confirmed | Interim | 2018-January-30 |
| | Industrial Ethernet | Not | | |
| | 4000 devices moved | Vulnerable | | |
| | to Confirmed Not | | | |
| | Vulnerable section. | | | |
+---------+---------------------+------------+---------+------------------+
| 1.15 | Updated Vulnerable | Vulnerable | Interim | 2018-January-26 |
| | Products section. | Products | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Products | Affected | | |
| 1.14 | Under Investigation | Products, | Interim | 2018-January-24 |
| | and Vulnerable | Vulnerable | | |
| | Products sections. | Products | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Products | | | |
| | Under Investigation | | | |
| | and Vulnerable | | | |
| | Products sections. | | | |
| | Removed UCS M5 | | | |
| | server firmware | | | |
| | release date. The | Affected | | |
| | UCS M5 BIOS updates | Products, | | |
| 1.13 | have been removed | Vulnerable | Interim | 2018-January-22 |
| | from cisco.com at | Products | | |
| | this time. | | | |
| | Customers are | | | |
| | advised to wait for | | | |
| | the next revision | | | |
| | of these updates | | | |
| | before updating | | | |
| | their devices. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Products | Affected | | |
| 1.12 | Under Investigation | Products, | Interim | 2018-January-19 |
| | and Vulnerable | Vulnerable | | |
| | Products. | Products | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Summary | | | |
| | section to provide | | | |
| | guidance on | | | |
| | updating underlying | Summary, | | |
| | operating systems | Affected | | |
| 1.11 | and hypervisors | Products, | Interim | 2018-January-18 |
| | within virtual | Vulnerable | | |
| | environments. | Products | | |
| | Updated Affected | | | |
| | Products sections | | | |
| | and fixed release | | | |
| | table. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Vulnerable | | | |
| | Products section | Vulnerable | | |
| 1.10 | with fixed release | Products | Interim | 2018-January-17 |
| | availability and | | | |
| | estimates. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated information | | | |
| | about products | Affected | | |
| | under investigation | Products | | |
| 1.9 | and vulnerable | and | Interim | 2018-January-16 |
| | products, including | Vulnerable | | |
| | fixed release | Products | | |
| | availability. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated information | | | |
| | about products | Affected | | |
| | under investigation | Products | | |
| 1.8 | and vulnerable | and | Interim | 2018-January-15 |
| | products, including | Vulnerable | | |
| | fixed release | Products | | |
| | availability. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated information | Affected | | |
| | about vulnerable | Products, | | |
| | products, products | Vulnerable | | |
| 1.7 | under | Products, | Interim | 2018-January-12 |
| | investigation, and | Products | | |
| | products confirmed | Confirmed | | |
| | not vulnerable. | Not | | |
| | | Vulnerable | | |
+---------+---------------------+------------+---------+------------------+
| | Updated information | Affected | | |
| | about vulnerable | Products, | | |
| | products, products | Vulnerable | | |
| 1.6 | under | Products, | Interim | 2018-January-11 |
| | investigation, and | Products | | |
| | products confirmed | Confirmed | | |
| | not vulnerable. | Not | | |
| | | Vulnerable | | |
+---------+---------------------+------------+---------+------------------+
| | Updated the summary | | | |
| | to indicate the | | | |
| | status of Cisco | | | |
| | cloud services and | Summary, | | |
| | remind | Affected | | |
| | administrators to | Products, | | |
| | control user | Vulnerable | | |
| 1.5 | access. Updated | Products, | Interim | 2018-January-10 |
| | information about | Products | | |
| | vulnerable | Confirmed | | |
| | products, products | Not | | |
| | under | Vulnerable | | |
| | investigation, and | | | |
| | products confirmed | | | |
| | not vulnerable. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated information | Affected | | |
| | about products | Products, | | |
| 1.4 | under investigation | Vulnerable | Interim | 2018-January-09 |
| | and vulnerable | Products | | |
| | products. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated | | | |
| | vulnerability | | | |
| | details and | | | |
| | information about | Affected | | |
| | products under | Products, | | |
| | investigation and | Vulnerable | | |
| 1.3 | products confirmed | Products, | Interim | 2018-January-08 |
| | not vulnerable. | Details, | | |
| | Added the | Fixed | | |
| | Vulnerable Products | Software | | |
| | table, including | | | |
| | information about | | | |
| | fixed release | | | |
| | availability. | | | |
+---------+---------------------+------------+---------+------------------+
| | Updated Summary and | Summary, | | |
| | Products Under | Affected | | |
| | Investigation, | Products, | | |
| 1.2 | added the | Vulnerable | Interim | 2018-January-05 |
| | Vulnerable Products | Products, | | |
| | table with | Fixed | | |
| | information about | Software | | |
| | fixes. | | | |
+---------+---------------------+------------+---------+------------------+
| | Clarified the | Products | | |
| 1.1 | non-vulnerable | Confirmed | Interim | 2018-January-04 |
| | product section. | Not | | |
| | | Vulnerable | | |
+---------+---------------------+------------+---------+------------------+
| 1.0 | Initial public | - | Interim | 2018-January-04 |
| | release. | | | |
+---------+---------------------+------------+---------+------------------+
Legal Disclaimer
o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO
UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWyHpuWaOgq3Tt24GAQgUPA//ViKEQXT3R2YWXg10rShOaHisIjFt+Zav
qKlXZUJluOhz7x7pvOfKBXNaJH9RKDhqqBaqQxHtGsVuQNXRfSADFUrsUqfQl9Xk
Ob5uhXjn3Rvjs1NOb4aUuShhsXE579r52xAVMq+3HudB/X9ix6D+KwujL3ARGDIR
EkvghlqOzYifgO6co851nFOeymqBN5BtJgo1TJGOUMxTPNwKTCQjRgf7dnzwHn2i
8CcavY+2mtEZKCQlWpYtYUHzhVK4+BVWqkaki/cORycRD/m/Nngph5DMNK2AMohV
Lwo8NMaDuubCQTNHfpNkKM2w0miDB7+enJCFSs7MwhYs5EGArXmIj7Y6SQ5qrSxe
m3HgL+LKubtbsWHYgH0URwBhW9flLHEZBWdvqIsx34ZnLmxbFC3bN+v6GbFoIUNi
gz2EzelhgdD0T84jmU9xyoEfv8rAB/TMIDa9zWf0iOH2fMRHxMtMsCJmEFye/5qB
7LLiaEQ+CoiqVmVgE7ZuU3wG97DFf3PgxHsqpP00N9bU20E5+5l2E1VG0a4KHpaK
tpGmHz8cihaqAjKY+8TLagfUcndPMLwvoI3Psh4K6Dnyyu46teomrlS+OAN0GynK
YLdRLWMoyEJJMHrvtPLQu9idjIxnQSgv+yiX8IdvJ9SkUKiXgCmKphX9e0klT5CB
AGxX6D+4elI=
=gUM8
-----END PGP SIGNATURE-----