-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2021.1082.4
         OpenSSL Multiple Vulnerabilities affecting Cisco Products
                             13 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3450 CVE-2021-3449 

Reference:         ESB-2021.1068
                   ESB-2021.1065
                   ESB-2021.1063

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd

Revision History:  September 13 2021: Updated the fixed release availability information for Cisco IOS and IOS XE Software.
                                      Removed a duplicate entry for Webex Room Phone.
                   July      28 2021: Vendor updated and marked as Final
                   April     15 2021: Vendor updated list for affected products, vulnerable products and products confirmed not vulnerable.
                   March     30 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021

Priority:        High
Advisory ID:     cisco-sa-openssl-2021-GHY28dJd
First Published: 2021 March 25 16:00 GMT
Last Updated:    2021 September 10 17:29 GMT
Version 1.20:    Final
Workarounds:     No workarounds available
CVE Names:       CVE-2021-3449 CVE-2021-3450
CWEs:            CWE-295 CWE-476

Summary

  o On March 25, 2021, the OpenSSL Project released a security advisory,
    OpenSSL Security Advisory [25 March 2021], that disclosed two
    vulnerabilities.

    Exploitation of these vulnerabilities could allow an attacker to use a
    valid non-certificate authority (CA) certificate to act as a CA and sign a
    certificate for an arbitrary organization, user or device, or to cause a
    denial of service (DoS) condition.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd

Affected Products

  o Cisco investigated its product line to determine which products and
    services may be affected by these vulnerabilities.
   
    The Vulnerable Products section includes Cisco bug IDs for each product.
    The bugs will be accessible through the Cisco Bug Search Tool and will
    contain additional platform-specific information, including workarounds (if
    available) and fixed software releases.

    Any product or service not listed in the Vulnerable Products section of
    this advisory is to be considered not vulnerable.

    Vulnerable Products

    The following table lists Cisco products that are affected by the
    vulnerabilities that are described in this advisory. If a future release
    date is indicated for software, the date provided represents an estimate
    based on all information known to Cisco as of the Last Updated date at the
    top of the advisory. Availability dates are subject to change based on a
    number of factors, including satisfactory testing results and delivery of
    other priority features and fixes. If no version or date is listed for an
    affected component (indicated by a blank field and/or an advisory
    designation of Interim), customers should refer to the associated Cisco bug
    (s) for further details. After the advisory is marked Final, customers
    should refer to the associated Cisco bug(s) for further details.

                        Product                     Cisco Bug  Fixed Release
                                                    ID         Availability
                          Collaboration and Social Media
    Cisco Webex Meetings Server                     CSCvx82619 4.0MR4 (May 2021)
                       Endpoint Clients and Client Software
    Cisco Webex Meetings for iOS                    CSCvx82617 41.4 (Feb 2021)
                                                               11.4 (Feb 2021)
                                  Meraki Products
    Cisco Meraki MS390                              -          Release TBD (May 2021)
                       Network and Content Security Devices
    Cisco Firepower 4100 Series                     CSCvx82705 2.9.1 (Jun 2021)
                                                               2.10.1 (May 2021)
                                                               2.11.1 (Oct 2021)
    Cisco Firepower 9300 Security Appliances        CSCvx82705 2.9.1 (Jun 2021)
                                                               2.10.1 (May 2021)
                                                               2.11.1 (Oct 2021)
    Cisco Threat Grid Appliance M5                  CSCvx82740 2.13.0 (Apr 2021)
    Cisco Web Security Appliance (WSA)              CSCvx82614 14.0 (Jun 2021)
                        Network Management and Provisioning
    Cisco Business Process Automation               CSCvx82587 3.1 (Jun 2021)
    Cisco Connected Pharma                          CSCvx82681 1.5.7 (May 2021)
    Cisco Container Platform                        CSCvx82677 10.0.0 (Apr 2021)
    Cisco Evolved Programmable Network Manager      CSCvx82652 5.1 (April 2021)
    Cisco Kinetic for Cities                        CSCvx82734 MD 3.5.2.15 (April 2021)
    Cisco Managed Services Accelerator              CSCvx82693 4.0.0 (Jul 2021)
    Cisco Policy Suite                              CSCvx82748 21.2 (Aug 2021)
    Cisco Prime Infrastructure                      CSCvx82664 3.9 (May 2021)
                                                               3.10 (Sept 2021)
    Cisco Security Manager                          CSCvx82670 4.2 (May 2021)
                                                               CSM 4.24 (Dec 2021)
    Cisco Virtualized Infrastructure Manager        CSCvx82666 4.2.1 (July 2021)
              Routing and Switching - Enterprise and Service Provider
    Cisco 800 Series Industrial Integrated Services CSCvx88577 15.9(3)M4 (Jul 2021)
    Routers (IOx feature)
    Cisco IOS XR Software                           CSCvx82673 7.3.2 (Oct 2021)
                                                               7.5.1 (Dec 2021)
    Cisco IOS and IOS XE Software                   CSCvx82754 17.3.4 (Jun 2021)
                                                               17.4.3 (Dec 2021)
                                                               17.6.1 (Jul 2021)
    Cisco IOx Fog Director                          CSCvx82750 1.14.3 (Apr 2021)
    Cisco Nexus 3000 Series Switches (NX-OS 10.1)   CSCvx82861 10.1.2 (Apr 2021)
    Cisco Nexus 9000 Series Switches in standalone  CSCvx82861 10.1.2 (Apr 2021)
    NX-OS mode (NX-OS 10.1)
    Cisco c800 Series Integrated Services Routers   CSCvx82752 15.9(3)M4 (Jul 2021)
    (IOx feature)
                      Routing and Switching - Small Business
    Cisco 250 Series Smart Switches                 CSCvx82728 3.2.x (Mar 2022)
    Cisco 350 Series Managed (SF350 and SG350)      CSCvx82727 3.2.x (Mar 2022)
    Switches
    Cisco 550X Series Stackable (SF550 and SG550)   CSCvx82727 3.2.x (Mar 2022)
    Managed Switches
    Cisco Business 250 Series Smart Switches        CSCvx82710 3.2.x (Mar 2022)
    Cisco Business 350 Series Managed Switches      CSCvx82710 3.2.x (Mar 2022)
    Cisco Small Business RV Series RV320 Dual       CSCvx82720 None planned
    Gigabit WAN VPN Router
    Cisco Small Business RV Series RV325 Dual WAN   CSCvx82721 None planned
    VPN Router
    Cisco Small Business RV130 Series VPN Routers   CSCvx82717 None planned
                                 Unified Computing
    Cisco UCS B-Series Blade Servers                CSCvx82644 4.2(1) (May 2021)
    Cisco UCS Standalone C-Series Rack Server -     CSCvx82648 4.2(1a) (May 2021)
    Integrated Management Controller
                     Voice and Unified Communications Devices
    Cisco Computer Telephony Integration Object     CSCvx82605 12.5(1) (May 2021)
    Server (CTIOS)                                             12.6(1) (May 2021)
    Cisco IP Conference Phone 7832 with             CSCvx84316 11.3.4 (Jun 2021)
    Multiplatform Firmware
    Cisco IP Conference Phone 7832                  CSCvx82765 14.1.1 (Sept 2021)
    Cisco IP Conference Phone 8832 with             CSCvx84321 11.3.4 (Jun 2021)
    Multiplatform Firmware
    Cisco IP Conference Phone 8832                  CSCvx82791 14.1.1 (Sept 2021)
    Cisco IP Phone 6800 Series with Multiplatform   CSCvx84326 11.3.4 (Jun 2021)
    Firmware
    Cisco IP Phone 7800 Series with Multiplatform   CSCvx84320 11.3.4 (Jun 2021)
    Firmware
    Cisco IP Phone 8800 Series with Multiplatform   CSCvx84314 11.3.4 (Jun 2021)
    Firmware
    Cisco IP Phone 8800 Series                      CSCvx84332 14.1.1 (Sept 2021)
    Cisco IP Phone 8845 with Multiplatform Firmware CSCvx84315 11.3.4 (Jun 2021)
    Cisco IP Phone 8845                             CSCvx84323 14.1.1 (Sept 2021)
    Cisco IP Phone 8865 with Multiplatform Firmware CSCvx84315 11.3.4 (Jun 2021)
    Cisco IP Phone 8865                             CSCvx84323 14.1.1 (Sept 2021)
    Cisco Unified Contact Center Enterprise         CSCvx82605 12.5(1) (May 2021)
                                                               12.6(1) (May 2021)
    Cisco Unified Intelligent Contact Management    CSCvx82605 12.5(1) (May 2021)
    Enterprise                                                 12.6(1) (May 2021)
    Cisco Virtualization Experience Media Edition   CSCvx82792 14.0.1 (May 2021)
    Cisco Webex Hybrid Data Security Node           CSCvx82620 2021.02.10.4763 (May 2021)
    Cisco Webex Room Phone                          CSCvx84328 1.2(0)SR1 (Aug 2021)
    Cisco Webex Video Mesh                          CSCvx82684 2021.04.22.2nnn (Apr 2021)
    Cisco Webex Wireless Phone                      CSCvx84322 1.3(0) (Jun 2021)
    Cisco Wireless IP Phone 8821                    CSCvx82788 11.0(6)SR2 (Sept 2021)
              Video, Streaming, TelePresence, and Transcoding Devices
    Cisco Meeting Server                            CSCvx82685 3.1.3 (May 2021)
                                                               3.2.1 (May 2021)
    Cisco TelePresence MX and SX Series             CSCvy03325 CE-9.15.3.x (May 2021)
                                                               CE-10.3.2.x (May 2021)
    Cisco Video Surveillance Media Server           CSCvx82708 VSM-7.14.3 (May 2021)
    Cisco Webex Board (all models)                  CSCvy03325 CE-9.15.3.x (May 2021)
                                                               CE-10.3.2.x (May 2021)
    Cisco Webex DX70 and DX80                       CSCvy03325 CE-9.15.3.x (May 2021)
                                                               CE-10.3.2.x (May 2021)
                                     Wireless
    Cisco WAP121 Wireless-N Access Point with       CSCvx82732 None planned
    Single Point Setup
    Cisco WAP321 Wireless-N Access Point with       CSCvx82732 None planned
    Single Point Setup
    Cisco WAP371 Wireless-AC/N Access Point with    CSCvx82730 None planned
    Single Point Setup
                            Cisco Cloud Hosted Services
    Cisco Cloud Network Automation Provisioner      CSCvx82591
    Cisco Smart Net Total Care - On-Premises        CSCvx82599 2.1.1 (May 2021)

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect the following
    products:

    Endpoint Clients and Client Software

       Cisco AnyConnect - Network Access Manager
       Cisco AnyConnect Secure Mobility Client for Android
       Cisco AnyConnect Secure Mobility Client for Linux
       Cisco AnyConnect Secure Mobility Client for Mac OS X
       Cisco AnyConnect Secure Mobility Client for Windows
       Cisco AnyConnect Secure Mobility Client for iOS
       Cisco Jabber Guest
       Cisco Jabber Software Development Kit
       Cisco Jabber for Mac
       Cisco Jabber for Windows
       Cisco Webex Business Suite
       Cisco Webex Meetings Client - Hosted

    Meraki Products

       Cisco Meraki Go (all models)
       Cisco Meraki MG (all models)
       Cisco Meraki MR (all models)
       Cisco Meraki MS120 Series
       Cisco Meraki MS125 Series
       Cisco Meraki MS210 Series
       Cisco Meraki MS225 Series
       Cisco Meraki MS250 Series
       Cisco Meraki MS350 Series
       Cisco Meraki MS355 Series
       Cisco Meraki MS410 Series
       Cisco Meraki MS425 Series
       Cisco Meraki MS450 Series
       Cisco Meraki MT (all models)
       Cisco Meraki MV (all models)
       Cisco Meraki MX (all models)
       Cisco Meraki Z-Series (all models)

    Network Application, Service, and Acceleration

       Cisco Cloud Services Platform 2100
       Cisco Tetration Analytics
       Cisco Wide Area Application Services (WAAS)

    Network and Content Security Devices

       Cisco AMP Virtual Private Cloud Appliance
       Cisco Adaptive Security Appliance (ASA)
       Cisco Content Security Management Appliance (SMA)
       Cisco Email Security Appliance (ESA)
       Cisco Firepower 1000 Series
       Cisco Firepower 2100 Series
       Cisco Firepower Management Center
       Cisco Identity Services Engine (ISE)
       Cisco Umbrella Virtual Appliance

    Network Management and Provisioning

       Cisco ACI Multi-Site Orchestrator
       Cisco Application Policy Infrastructure Controller (APIC)
       Cisco Cyber Vision
       Cisco Data Center Network Manager (DCNM)
       Cisco FindIT Network Probe
       Cisco NetFlow Generation Appliance
       Cisco Network Analysis Module
       Cisco Network Services Orchestrator (NSO)
       Cisco Prime Access Registrar
       Cisco Prime Collaboration Assurance
       Cisco Prime Collaboration Deployment
       Cisco Prime Collaboration Provisioning
       Cisco Prime License Manager
       Cisco Prime Network Change and Configuration Management
       Cisco Prime Network Registrar Virtual Appliance
       Cisco Prime Network Registrar
       Cisco Prime Optical for Service Providers
       Cisco Prime Performance Manager
       Cisco Prime Service Catalog Virtual Appliance
       Cisco Telemetry Broker
       Cisco UCS Central Software
       Cisco WAN Automation Engine (WAE)

    Routing and Switching - Enterprise and Service Provider

       Cisco ACI Virtual Edge
       Cisco ASR 5000 Series Routers
       Cisco ASR 9000 Series Aggregated Services Router Virtualized Services
        Module
       Cisco Application Policy Infrastructure Controller (APIC) - Enterprise
        Module
       Cisco DNA Center
       Cisco MDS 9000 Series Multilayer Switches
       Cisco Network Assurance Engine
       Cisco Nexus 1000V Series Switches
       Cisco Nexus 5500 Platform Switches
       Cisco Nexus 5600 Platform Switches
       Cisco Nexus 6000 Series Switches
       Cisco Nexus 7000 Series Switches
       Cisco Nexus 9000 Series Fabric Switches in Application Centric
        Infrastructure (ACI) mode
       Cisco SD-WAN vEdge 1000 Series Routers
       Cisco SD-WAN vEdge 2000 Series Routers
       Cisco SD-WAN vEdge 5000 Series Routers
       Cisco SD-WAN vEdge Cloud Router Platform
       Cisco Stealthwatch Cloud
       Cisco Stealthwatch Endpoint Concentrator
       Cisco Stealthwatch Flow Collector NetFlow
       Cisco Stealthwatch Flow Collector sFlow
       Cisco Stealthwatch Flow Sensor
       Cisco Stealthwatch Management Console (SMC)
       Cisco Stealthwatch UDP Director

    Routing and Switching - Small Business

       Cisco 220 Series Smart Plus (SF220 and SG220) Switches
       Cisco 500 Series Stackable (SF500 and SG500) Managed Switches
       Cisco FindIT Network Manager
       Cisco RV132W ADSL2+ Wireless-N VPN Router
       Cisco RV134W VDSL2 Wireless-AC VPN Router
       Cisco RV160 VPN Router
       Cisco RV160W Wireless-AC VPN Router
       Cisco RV260, RV260P, and RV260W VPN Routers
       Cisco RV340W Dual WAN Gigabit Wireless-AC VPN Router
       Cisco Small Business 300 Series (SF300 and SG300)
       Cisco WAP125 Wireless-AC Dual Band Desktop Access Point with PoE
       Cisco WAP150 Wireless-AC/N Dual Radio Access Point with PoE
       Cisco WAP361 Wireless-AC/N Dual Radio Wall Plate Access Point with PoE
       Cisco WAP571 Wireless-AC/N Premium Dual Radio Access Point with PoE
       Cisco WAP571E Wireless-AC/N Premium Dual Radio Outdoor Access Point
       Cisco WRP500 Wireless-AC Broadband Router

    Unified Computing

       Cisco Common Services Platform Collector
       Cisco Enterprise NFV Infrastructure Software (NFVIS)
       Cisco HyperFlex System
       Cisco UCS 6200 Series Fabric Interconnects
       Cisco UCS 6300 Series Fabric Interconnects
       Cisco UCS 6400 Series Fabric Interconnects
       Cisco UCS Director
       Cisco UCS E-Series Servers
       Cisco UCS Manager

    Voice and Unified Communications Devices

       Cisco ATA 191 Analog Telephone Adapter
       Cisco Agent Desktop for Cisco Unified Contact Center Express
       Cisco Business Edition 4000
       Cisco Emergency Responder
       Cisco Finesse
       Cisco Hosted Collaboration Mediation Fulfillment
       Cisco IP DECT 110 Repeater with Multiplatform Firmware
       Cisco IP DECT 210 Multi-Cell Base-Station
       Cisco IP DECT 6800 Series
       Cisco IP DECT 6823 with Multiplatform Firmware
       Cisco IP DECT Phone RPT-110 Repeater
       Cisco IP Phone 7800 Series
       Cisco MediaSense
       Cisco Paging Server (InformaCast)
       Cisco Paging Server
       Cisco SPA51x IP Phones
       Cisco SPA8800 IP Telephony Gateway
       Cisco Small Business SPA300 Series IP Phones
       Cisco Small Business SPA500 Series IP Phones
       Cisco Unified Attendant Console Advanced
       Cisco Unified Attendant Console Business Edition
       Cisco Unified Attendant Console Department Edition
       Cisco Unified Attendant Console Enterprise Edition
       Cisco Unified Attendant Console Premium Edition
       Cisco Unified Attendant Console Standard
       Cisco Unified Communications Domain Manager
       Cisco Unified Communications Manager / Cisco Unified Communications
        Manager Session Management Edition
       Cisco Unified Communications Manager IM &Presence Service (formerly
        CUPS)
       Cisco Unified Contact Center Express
       Cisco Unified IP Conference Phone 8831
       Cisco Unified IP Phone 3905
       Cisco Unified IP Phone 6901
       Cisco Unified IP Phone 6911
       Cisco Unified IP Phone 7937
       Cisco Unified IP Phone 8945
       Cisco Unified IP Phone 8965
       Cisco Unified Intelligence Center
       Cisco Unified SIP Proxy Software
       Cisco Unity Connection
       Cisco Unity Express
       Cisco Virtualized Voice Browser
       Cisco Webex Share

    Video, Streaming, TelePresence, and Transcoding Devices

       Cisco Expressway Series
       Cisco Meeting Management
       Cisco TelePresence Video Communication Server (VCS)
       Cisco Video Surveillance 8000 Series IP Cameras

    Wireless

       Cisco ASA 5506W-X with FirePOWER Services
       Cisco Aironet 1560 Series Access Points
       Cisco Aironet 1810 Series OfficeExtend Access Points
       Cisco Aironet 1810w Series Access Points
       Cisco Aironet 1815 Series Access Points
       Cisco Aironet 1830 Series Access Points
       Cisco Aironet 1850 Series Access Points
       Cisco Aironet 2800 Series Access Points
       Cisco Aironet 3800 Series Access Points
       Cisco Aironet 4800 Access Points
       Cisco Aironet Access Points - Running Cisco IOS Software
       Cisco Catalyst 9100 Access Points
       Cisco Wireless LAN Controller

    Cisco Cloud Hosted Services

       Cisco Business Video Services Automation Software
       Cisco CX Cloud Agent Software
       Cisco Cloud Email Security
       Cisco Cloud Web Security
       Cisco Registered Envelope Service
       Cisco Services Provisioning Platform
       Cisco Unified Communications Manager Cloud
       Cisco Universal Small Cell CloudBase Factory Recovery Root File System
        - Releases 2.99.4 and later
       Cisco Webex Centers - Meeting Center, Training Center, Event Center,
        Support Center
       Cisco Webex Meeting Server - Multimedia Platform
       Cisco Webex Network-Based Recording (NBR) Management

Details

  o OpenSSL Certificate Validation Vulnerability

    OpenSSL contains a vulnerability that could allow an attacker to use a
    valid non-certificate authority (CA) certificate to act as a CA and sign a
    certificate for an arbitrary organization, user, or device.

    The vulnerability is due to a bypassed check in the validation logic of
    X.509 certificate chains, which results in the affected system accepting as
    valid certificates that were signed by a non-CA certificate or certificate
    chain. An attacker can exploit this vulnerability by using any valid
    certificate or certificate chain to sign a crafted certificate. A successful
    exploit could allow the attacker to conduct a man-in-the-middle (MitM)
    attack and obtain sensitive information (or misreport information) or
    impersonate an organization, user, or device. Exploitation of this
    vulnerability could also allow attackers to access networks or assets that
    are protected by certificate authentication.

    This vulnerability has been assigned the following CVE ID:

       CVE-2021-3450
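    The bypassed check, as an added illustration that is not Cisco's or the
    OpenSSL project's code: in the affected OpenSSL releases, the chain-extension
    loop stored the result of its "every issuer must be a CA" test in the same
    variable that a later strict-mode test (the explicit EC parameter check that
    applies when X509_V_FLAG_X509_STRICT is set) then assigned unconditionally,
    so with the strict flag set a chain issued by an ordinary end-entity
    certificate was accepted. The Cert class, its field names and the plain
    `strict` flag below are a simplified model of the logic, not OpenSSL's data
    structures, and the sample chain is constructed.

```python
"""Model of the CVE-2021-3450 chain-validation logic error (simplified; not OpenSSL code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """The two certificate properties the model needs (assumed field names)."""
    subject: str
    is_ca: bool                        # basicConstraints CA:TRUE, as X509_check_ca reports it
    explicit_ec_params: bool = False   # EC key with explicitly encoded curve parameters


def check_chain_vulnerable(chain: List[Cert], strict: bool) -> Optional[str]:
    """Affected logic: the strict-mode curve check reuses the result variable of the
    CA check, so a non-CA issuer is accepted whenever strict mode is on.
    Returns None if the chain passes, otherwise the reason it failed."""
    for i, cert in enumerate(chain):
        ok, reason = True, None
        if i > 0 and not cert.is_ca:                 # every issuer must be a CA
            ok, reason = False, f"{cert.subject}: issuer is not a CA"
        if strict:
            # BUG: unconditional assignment discards the CA result computed above.
            ok = not cert.explicit_ec_params
            reason = None if ok else f"{cert.subject}: explicit EC parameters"
        if not ok:
            return reason
    return None


def check_chain_fixed(chain: List[Cert], strict: bool) -> Optional[str]:
    """Corrected logic: each check fails the chain on its own."""
    for i, cert in enumerate(chain):
        if i > 0 and not cert.is_ca:
            return f"{cert.subject}: issuer is not a CA"
        if strict and cert.explicit_ec_params:
            return f"{cert.subject}: explicit EC parameters"
    return None


# Constructed sample: a crafted certificate "issued" by an ordinary server
# certificate, which itself chains to a genuine intermediate and root CA.
ROOT = Cert("Example Root CA", is_ca=True)
INTERMEDIATE = Cert("Example Issuing CA", is_ca=True)
SERVER_CERT = Cert("www.example.test (end-entity)", is_ca=False)
CRAFTED = Cert("victim.example.test (crafted)", is_ca=False)
CRAFTED_CHAIN = [CRAFTED, SERVER_CERT, INTERMEDIATE, ROOT]   # leaf first, as OpenSSL orders it


def compare(chain: List[Cert]) -> dict:
    """Run both versions in strict and default mode; a None value means 'accepted'."""
    return {
        "vulnerable_strict": check_chain_vulnerable(chain, strict=True),
        "vulnerable_default": check_chain_vulnerable(chain, strict=False),
        "fixed_strict": check_chain_fixed(chain, strict=True),
        "fixed_default": check_chain_fixed(chain, strict=False),
    }


if __name__ == "__main__":
    for mode, result in compare(CRAFTED_CHAIN).items():
        print(f"{mode:20s} -> {'ACCEPTED' if result is None else 'rejected: ' + result}")
```

    Only the strict-mode path of the affected logic accepts the crafted chain;
    default-mode validation rejected it before and after the fix.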

    OpenSSL NULL Pointer Dereference Denial of Service Vulnerability

    OpenSSL contains a vulnerability that could allow an attacker to cause a
    denial of service (DoS) condition on a targeted system.

    The vulnerability exists because the affected software incorrectly handles
    memory structures, leading to a NULL pointer dereference. An attacker could
    exploit the vulnerability by submitting crafted Transport Layer Security
    (TLS) packets to an interface of an affected device. A successful exploit
    could allow the attacker to crash the TLS server process, which could
    result in a DoS condition on the targeted device.

    Note: Only servers that are processing incoming TLSv1.2 packets are
    affected by this vulnerability.

    This vulnerability has been assigned the following CVE ID:

       CVE-2021-3449

Workarounds

  o Any workarounds will be documented in the product-specific Cisco bugs,
    which are identified in the Vulnerable Products section of this advisory.

Fixed Software

  o For information about fixed software releases, consult the Cisco bugs
    identified in the Vulnerable Products section of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  o On March 25, 2021, the OpenSSL Project released OpenSSL Security Advisory
    [25 March 2021] detailing these vulnerabilities.

    The Cisco Product Security Incident Response Team (PSIRT) is aware that
    proof-of-concept exploit code is available for the vulnerability that is
    described in this advisory and identified by CVE-2021-3449. Cisco PSIRT is
    not aware of any malicious use of this vulnerability (CVE-2021-3449).

    Cisco PSIRT is not aware of exploit code for or any malicious use of the
    vulnerability identified by CVE-2021-3450.

Source

  o These vulnerabilities were publicly disclosed by the OpenSSL Software
    Foundation on March 25, 2021.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd

Revision History

  o +---------+-----------------------+---------------+---------+-------------+
    | Version |      Description      |    Section    | Status  |    Date     |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the fixed     |               |         |             |
    |         | release availability  |               |         |             |
    |         | information for Cisco | Vulnerable    |         |             |
    | 1.20    | IOS and IOS XE        | Products      | Final   | 2021-SEP-10 |
    |         | Software. Removed a   |               |         |             |
    |         | duplicate entry for   |               |         |             |
    |         | Webex Room Phone.     |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    | 1.19    | Updated Webex Room    | Vulnerable    | Final   | 2021-AUG-30 |
    |         | Phone fixed release.  | Products      |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the advisory  |               |         |             |
    |         | throughout to reflect |               |         |             |
    |         | that the              | Header,       |         |             |
    |         | investigation is      | Summary,      |         |             |
    |         | complete. The fix     | Affected      |         |             |
    | 1.18    | availability          | Products, and | Final   | 2021-JUL-06 |
    |         | information and the   | Vulnerable    |         |             |
    |         | lists of vulnerable   | Products      |         |             |
    |         | and not vulnerable    |               |         |             |
    |         | products did not      |               |         |             |
    |         | change.               |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Removed the Cisco bug |               |         |             |
    | 1.17    | IDs from the advisory | Header        | Interim | 2021-MAY-10 |
    |         | header.               |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the lists of  |               |         |             |
    |         | products vulnerable,  |               |         |             |
    |         | and not vulnerable.   |               |         |             |
    |         | Note that upon        |               |         |             |
    |         | further investigation | Affected      |         |             |
    |         | Cisco has confirmed   | Products,     |         |             |
    |         | that Cisco Meraki     | Vulnerable    |         |             |
    | 1.16    | MS390 is affected by  | Products, and | Interim | 2021-MAY-07 |
    |         | the vulnerability     | Products      |         |             |
    |         | identified by the CVE | Confirmed Not |         |             |
    |         | ID CVE-2021-3449. It  | Vulnerable    |         |             |
    |         | was incorrectly       |               |         |             |
    |         | listed as not         |               |         |             |
    |         | vulnerable in a       |               |         |             |
    |         | previous version of   |               |         |             |
    |         | the advisory.         |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the lists of  |               |         |             |
    |         | vulnerable products   |               |         |             |
    |         | and products          |               |         |             |
    |         | confirmed not         |               |         |             |
    |         | vulnerable. Upon      | Affected      |         |             |
    |         | further               | Products,     |         |             |
    |         | investigation, Cisco  | Vulnerable    |         |             |
    | 1.15    | has confirmed that    | Products, and | Interim | 2021-APR-27 |
    |         | Cisco SD-WAN vEdge    | Products      |         |             |
    |         | 1000, 2000, and 5000  | Confirmed Not |         |             |
    |         | Series Routers and    | Vulnerable    |         |             |
    |         | Cisco SD-WAN vEdge    |               |         |             |
    |         | Cloud Router Platform |               |         |             |
    |         | are not affected by   |               |         |             |
    |         | these                 |               |         |             |
    |         | vulnerabilities.      |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the lists of  |               |         |             |
    |         | products vulnerable,  |               |         |             |
    |         | and not vulnerable.   | Affected      |         |             |
    |         | Note that upon        | Products,     |         |             |
    |         | further               | Vulnerable    |         |             |
    | 1.14    | investigation, Cisco  | Products, and | Interim | 2021-APR-22 |
    |         | has confirmed that    | Products      |         |             |
    |         | Cisco FindIT Network  | Confirmed Not |         |             |
    |         | Probe is not affected | Vulnerable    |         |             |
    |         | by these              |               |         |             |
    |         | vulnerabilities.      |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the list of   |               |         |             |
    |         | vulnerable products.  | Header and    |         |             |
    | 1.13    | Removed the Cisco Bug | Vulnerable    | Interim | 2021-APR-21 |
    |         | ID CSCvx82788 and the | Products      |         |             |
    |         | CVSS score from the   |               |         |             |
    |         | advisory header.      |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the lists of  |               |         |             |
    |         | products under        |               |         |             |
    |         | investigation,        |               |         |             |
    |         | vulnerable, and not   | Affected      |         |             |
    |         | vulnerable. Note that | Products,     |         |             |
    |         | upon further          | Vulnerable    |         |             |
    | 1.12    | investigation, Cisco  | Products, and | Interim | 2021-APR-20 |
    |         | has confirmed that    | Products      |         |             |
    |         | Cisco Network         | Confirmed Not |         |             |
    |         | Services Orchestrator | Vulnerable    |         |             |
    |         | (NSO) is not affected |               |         |             |
    |         | by these              |               |         |             |
    |         | vulnerabilities.      |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the lists of  |               |         |             |
    |         | products under        |               |         |             |
    |         | investigation,        |               |         |             |
    |         | vulnerable, and not   | Affected      |         |             |
    |         | vulnerable. Updated   | Products,     |         |             |
    |         | fixed release         | Vulnerable    |         |             |
    | 1.11    | availability for      | Products, and | Interim | 2021-APR-15 |
    |         | Cisco IOS XR          | Products      |         |             |
    |         | Software, Cisco       | Confirmed Not |         |             |
    |         | Firepower 4100        | Vulnerable    |         |             |
    |         | Series, Cisco         |               |         |             |
    |         | Firepower 9300        |               |         |             |
    |         | Security Appliances.  |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the lists of  |               |         |             |
    |         | products under        |               |         |             |
    |         | investigation,        |               |         |             |
    |         | vulnerable, and not   | Affected      |         |             |
    |         | vulnerable. Note that | Products,     |         |             |
    |         | upon further          | Vulnerable    |         |             |
    | 1.10    | investigation Cisco   | Products, and | Interim | 2021-APR-14 |
    |         | has confirmed that    | Products      |         |             |
    |         | Cisco Application     | Confirmed Not |         |             |
    |         | Policy Infrastructure | Vulnerable    |         |             |
    |         | Controller (APIC) -   |               |         |             |
    |         | Enterprise Module is  |               |         |             |
    |         | not affected by these |               |         |             |
    |         | vulnerabilities.      |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the lists of  |               |         |             |
    |         | products under        |               |         |             |
    |         | investigation,        |               |         |             |
    |         | vulnerable, and not   |               |         |             |
    |         | vulnerable. Updated   |               |         |             |
    |         | fixed release         |               |         |             |
    |         | availability          |               |         |             |
    |         | information for Cisco |               |         |             |
    |         | Computer Telephony    |               |         |             |
    |         | Integration Object    |               |         |             |
    |         | Server (CTIOS), Cisco | Affected      |         |             |
    |         | Unified Contact       | Products,     |         |             |
    |         | Center Enterprise,    | Vulnerable    |         |             |
    | 1.9     | and Cisco Unified     | Products, and | Interim | 2021-APR-12 |
    |         | Intelligent Contact   | Products      |         |             |
    |         | Management            | Confirmed Not |         |             |
    |         | Enterprise. Note that | Vulnerable    |         |             |
    |         | upon further          |               |         |             |
    |         | investigation Cisco   |               |         |             |
    |         | has confirmed that    |               |         |             |
    |         | Cisco Webex Share,    |               |         |             |
    |         | Cisco DNA Center,     |               |         |             |
    |         | Cisco Jabber for Mac, |               |         |             |
    |         | Cisco Jabber for      |               |         |             |
    |         | Windows, and Cisco    |               |         |             |
    |         | Cyber Vision are not  |               |         |             |
    |         | affected by these     |               |         |             |
    |         | vulnerabilities.      |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         |                       | Affected      |         |             |
    |         | Updated the lists of  | Products,     |         |             |
    |         | products under        | Vulnerable    |         |             |
    | 1.8     | investigation,        | Products, and | Interim | 2021-APR-08 |
    |         | vulnerable, and not   | Products      |         |             |
    |         | vulnerable.           | Confirmed Not |         |             |
    |         |                       | Vulnerable    |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         |                       | Affected      |         |             |
    |         | Updated the lists of  | Products,     |         |             |
    |         | products under        | Vulnerable    |         |             |
    | 1.7     | investigation,        | Products, and | Interim | 2021-APR-06 |
    |         | vulnerable, and not   | Products      |         |             |
    |         | vulnerable.           | Confirmed Not |         |             |
    |         |                       | Vulnerable    |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         |                       | Affected      |         |             |
    |         | Updated the lists of  | Products,     |         |             |
    |         | products under        | Vulnerable    |         |             |
    |         | investigation,        | Products,     |         |             |
    | 1.6     | vulnerable, and not   | Products      | Interim | 2021-APR-05 |
    |         | vulnerable. Updated   | Confirmed Not |         |             |
    |         | the Revision History  | Vulnerable,   |         |             |
    |         | for version 1.3.      | and Revision  |         |             |
    |         |                       | History       |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the lists of  |               |         |             |
    |         | products under        |               |         |             |
    |         | investigation,        |               |         |             |
    |         | vulnerable, and not   |               |         |             |
    |         | vulnerable. Included  |               |         |             |
    |         | information about     |               |         |             |
    |         | publicly available    | Affected      |         |             |
    |         | code to exploit the   | Products,     |         |             |
    |         | vulnerability         | Vulnerable    |         |             |
    |         | identified by         | Products,     |         |             |
    |         | CVE-2021-3449. Note   | Products      |         |             |
    | 1.5     | that upon further     | Confirmed Not | Interim | 2021-APR-01 |
    |         | investigation Cisco   | Vulnerable,   |         |             |
    |         | has confirmed that    | and           |         |             |
    |         | Cisco Identity        | Exploitation  |         |             |
    |         | Services Engine (ISE) | and Public    |         |             |
    |         | is not affected by    | Announcements |         |             |
    |         | these                 |               |         |             |
    |         | vulnerabilities. It   |               |         |             |
    |         | was incorrectly       |               |         |             |
    |         | listed as vulnerable  |               |         |             |
    |         | in a previous version |               |         |             |
    |         | of the advisory.      |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         |                       | Affected      |         |             |
    |         | Updated the lists of  | Products,     |         |             |
    |         | products under        | Vulnerable    |         |             |
    | 1.4     | investigation,        | Products, and | Interim | 2021-MAR-31 |
    |         | vulnerable, and not   | Products      |         |             |
    |         | vulnerable.           | Confirmed Not |         |             |
    |         |                       | Vulnerable    |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the lists of  |               |         |             |
    |         | products under        |               |         |             |
    |         | investigation,        |               |         |             |
    |         | vulnerable, and not   |               |         |             |
    |         | vulnerable. Changed   |               |         |             |
    |         | "missing check" to    | Affected      |         |             |
    |         | "bypassed check" in   | Products,     |         |             |
    |         | Details. Note that    | Vulnerable    |         |             |
    |         | upon further          | Products,     |         |             |
    | 1.3     | investigation Cisco   | Products      | Interim | 2021-MAR-30 |
    |         | has confirmed that    | Confirmed Not |         |             |
    |         | Cisco Meeting         | Vulnerable,   |         |             |
    |         | Management is not     | and Details   |         |             |
    |         | affected by these     |               |         |             |
    |         | vulnerabilities. It   |               |         |             |
    |         | was incorrectly       |               |         |             |
    |         | listed as vulnerable  |               |         |             |
    |         | in a previous version |               |         |             |
    |         | of the advisory.      |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         |                       | Affected      |         |             |
    |         | Updated the lists of  | Products,     |         |             |
    |         | products under        | Vulnerable    |         |             |
    | 1.2     | investigation,        | Products, and | Interim | 2021-MAR-29 |
    |         | vulnerable, and not   | Products      |         |             |
    |         | vulnerable.           | Confirmed Not |         |             |
    |         |                       | Vulnerable    |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    |         | Updated the lists of  | Vulnerable    |         |             |
    | 1.1     | products under        | Products      | Interim | 2021-MAR-26 |
    |         | investigation.        |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+
    | 1.0     | Initial public        | -             | Interim | 2021-MAR-25 |
    |         | release.              |               |         |             |
    +---------+-----------------------+---------------+---------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----