cisco-sa-openssl-w9sdcc2a
Vulnerability from csaf_cisco
Published
2022-10-28 16:00
Modified
2022-11-23 20:23
Summary
Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022
Notes
Summary
On November 1, 2022, the OpenSSL Project announced the following vulnerabilities:
CVE-2022-3602 - X.509 Email Address 4-byte Buffer Overflow
CVE-2022-3786 - X.509 Email Address Variable Length Buffer Overflow
For a description of these vulnerabilities, see OpenSSL Security Advisory [Nov 1 2022] ["https://www.openssl.org/news/secadv/20221101.txt"].
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a"]
Affected Products
Cisco investigated its product line to determine which products and cloud services may be affected by these vulnerabilities. OpenSSL 3.x is not widely used in Cisco products and cloud offers, and only products that may contain the affected software are listed in this advisory. If a product or cloud offer is not explicitly listed in this advisory, it is not vulnerable.
Vulnerable Products
The following table lists Cisco products that are affected by one or more of the vulnerabilities that are described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Cisco is continuing to evaluate the fix and will update the advisory as additional information becomes available. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details.
Product Cisco Bug ID Fixed Release Availability ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"] Endpoint Clients and Client Software Operational Insights Collector CSCwd44110 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd44110"] ScienceLogic Application Software 3.0.1 (Nov 2022)
HPNA Application Software 2.0.1 (Nov 2022)
APIC Application Software 3.0.1 (Nov 2022)
SolarWinds Application Software 3.0.1 (Nov 2022)
Syslog Collector 2.0.1 (Nov 2022) Network Management and Provisioning IoT Field Network Director, formerly Connected Grid Network Management System CSCwd44112 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd44112"] 4.8.1 (Available)
4.9.0 (Available)
5.0.0 (May 2023)
Products Confirmed Not Vulnerable
Only products that may contain the affected software are listed in this advisory. If a product or cloud offer is not explicitly listed in this advisory, it is not vulnerable.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
Network and Content Security Devices
Identity Services Engine (ISE)
Secure Network Analytics, formerly Stealthwatch
Network Management and Provisioning
Application Policy Infrastructure Controller (APIC)
Cisco Container Platform
Data Center Network Manager (DCNM)
Elastic Services Controller (ESC)
Evolved Programmable Network Manager
Nexus Dashboard, formerly Application Services Engine
Prime Infrastructure
Routing and Switching - Enterprise and Service Provider
SD-WAN vAnalytics
SD-WAN vManage
Ultra Cloud Core - Network Respository Function
Ultra Cloud Core - Policy Control Function
Ultra Cloud Core - Redundancy Configuration Manager
Ultra Cloud Core - Subscriber Microservices Infrastructure
Ultra Cloud Core - User Plane Function
Unified Computing
HyperFlex System
UCS Blade Server - Integrated Management Controller
UCS Manager
Cisco Cloud Offerings
Cisco investigated its cloud offers to determine which products may be affected by these vulnerabilities. The following table lists Cisco cloud offers that are under investigation. Only cloud offers known to possibly be affected are listed. If a cloud offer is not explicitly listed in this advisory, it is not vulnerable.
Product Disposition AppDynamics Not affected CX Cloud Not affected Duo Not affected Intersight Not affected Meraki Not affected SD-WAN Not affected SecureX Not affected ThousandEyes Not affected Umbrella Not affected Unified Communications Manager Cloud Not affected Webex Calling Not affected Webex Cloud-Connected UC Not affected Webex Contact Center Not affected Webex Teams Not affected
Workarounds
Any workarounds for a specific Cisco product or service will be documented in the relevant Cisco bugs, which are identified in the Vulnerable Products ["#vp"] section of this advisory.
Fixed Software
For information about fixed software releases ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], consult the Cisco bugs identified in the Vulnerable Products ["#vp"] section of this advisory.
When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories ["https://www.cisco.com/go/psirt"] page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerabilities that are described in this advisory.
Source
These vulnerabilities were publicly disclosed by the OpenSSL Software Foundation on November 1, 2022.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
{
"document": {
"acknowledgments": [
{
"summary": "These vulnerabilities were publicly disclosed by the OpenSSL Software Foundation on November 1, 2022."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"notes": [
{
"category": "summary",
"text": "On November 1, 2022, the OpenSSL Project announced the following vulnerabilities:\r\n\r\nCVE-2022-3602 - X.509 Email Address 4-byte Buffer Overflow\r\nCVE-2022-3786 - X.509 Email Address Variable Length Buffer Overflow\r\n\r\nFor a description of these vulnerabilities, see OpenSSL Security Advisory [Nov 1 2022] [\"https://www.openssl.org/news/secadv/20221101.txt\"].\r\n\r\nThis advisory is available at the following link:\r\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a\"]",
"title": "Summary"
},
{
"category": "general",
"text": "Cisco investigated its product line to determine which products and cloud services may be affected by these vulnerabilities. OpenSSL 3.x is not widely used in Cisco products and cloud offers, and only products that may contain the affected software are listed in this advisory. If a product or cloud offer is not explicitly listed in this advisory, it is not vulnerable.",
"title": "Affected Products"
},
{
"category": "general",
"text": "The following table lists Cisco products that are affected by one or more of the vulnerabilities that are described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Cisco is continuing to evaluate the fix and will update the advisory as additional information becomes available. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details.\r\n Product Cisco Bug ID Fixed Release Availability [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"] Endpoint Clients and Client Software Operational Insights Collector CSCwd44110 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd44110\"] ScienceLogic Application Software 3.0.1 (Nov 2022)\r\nHPNA Application Software 2.0.1 (Nov 2022)\r\nAPIC Application Software 3.0.1 (Nov 2022)\r\nSolarWinds Application Software 3.0.1 (Nov 2022)\r\nSyslog Collector 2.0.1 (Nov 2022) Network Management and Provisioning IoT Field Network Director, formerly Connected Grid Network Management System CSCwd44112 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd44112\"] 4.8.1 (Available)\r\n4.9.0 (Available)\r\n5.0.0 (May 2023)",
"title": "Vulnerable Products"
},
{
"category": "general",
"text": "Only products that may contain the affected software are listed in this advisory. If a product or cloud offer is not explicitly listed in this advisory, it is not vulnerable.\r\n\r\nCisco has confirmed that this vulnerability does not affect the following Cisco products:\r\n\r\nNetwork and Content Security Devices\r\n\r\nIdentity Services Engine (ISE)\r\nSecure Network Analytics, formerly Stealthwatch\r\n\r\nNetwork Management and Provisioning\r\n\r\nApplication Policy Infrastructure Controller (APIC)\r\nCisco Container Platform\r\nData Center Network Manager (DCNM)\r\nElastic Services Controller (ESC)\r\nEvolved Programmable Network Manager\r\nNexus Dashboard, formerly Application Services Engine\r\nPrime Infrastructure\r\n\r\nRouting and Switching - Enterprise and Service Provider\r\n\r\nSD-WAN vAnalytics\r\nSD-WAN vManage\r\nUltra Cloud Core - Network Respository Function\r\nUltra Cloud Core - Policy Control Function\r\nUltra Cloud Core - Redundancy Configuration Manager\r\nUltra Cloud Core - Subscriber Microservices Infrastructure\r\nUltra Cloud Core - User Plane Function\r\n\r\nUnified Computing\r\n\r\nHyperFlex System\r\nUCS Blade Server - Integrated Management Controller\r\nUCS Manager\r\n Cisco Cloud Offerings\r\n\r\nCisco investigated its cloud offers to determine which products may be affected by these vulnerabilities. The following table lists Cisco cloud offers that are under investigation. Only cloud offers known to possibly be affected are listed. If a cloud offer is not explicitly listed in this advisory, it is not vulnerable.\r\n\r\n Product Disposition AppDynamics Not affected CX Cloud Not affected Duo Not affected Intersight Not affected Meraki Not affected SD-WAN Not affected SecureX Not affected ThousandEyes Not affected Umbrella Not affected Unified Communications Manager Cloud Not affected Webex Calling Not affected Webex Cloud-Connected UC Not affected Webex Contact Center Not affected Webex Teams Not affected",
"title": "Products Confirmed Not Vulnerable"
},
{
"category": "general",
"text": "Any workarounds for a specific Cisco product or service will be documented in the relevant Cisco bugs, which are identified in the Vulnerable Products [\"#vp\"] section of this advisory.",
"title": "Workarounds"
},
{
"category": "general",
"text": "For information about fixed software releases [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], consult the Cisco bugs identified in the Vulnerable Products [\"#vp\"] section of this advisory.\r\n\r\nWhen considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories [\"https://www.cisco.com/go/psirt\"] page, to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.",
"title": "Fixed Software"
},
{
"category": "general",
"text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
"title": "Vulnerability Policy"
},
{
"category": "general",
"text": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerabilities that are described in this advisory.",
"title": "Exploitation and Public Announcements"
},
{
"category": "general",
"text": "These vulnerabilities were publicly disclosed by the OpenSSL Software Foundation on November 1, 2022.",
"title": "Source"
},
{
"category": "legal_disclaimer",
"text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
"title": "Legal Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
"issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
"name": "Cisco",
"namespace": "https://wwww.cisco.com"
},
"references": [
{
"category": "self",
"summary": "Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a"
},
{
"category": "external",
"summary": "Cisco Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "OpenSSL Security Advisory [Nov 1 2022]",
"url": "https://www.openssl.org/news/secadv/20221101.txt"
},
{
"category": "external",
"summary": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a"
},
{
"category": "external",
"summary": "Fixed Release Availability",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
},
{
"category": "external",
"summary": "CSCwd44110",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd44110"
},
{
"category": "external",
"summary": "CSCwd44112",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd44112"
},
{
"category": "external",
"summary": "fixed software releases",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
},
{
"category": "external",
"summary": "considering software upgrades",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
},
{
"category": "external",
"summary": "Cisco\u0026nbsp;Security Advisories",
"url": "https://www.cisco.com/go/psirt"
},
{
"category": "external",
"summary": "Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
}
],
"title": "Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022",
"tracking": {
"current_release_date": "2022-11-23T20:23:17+00:00",
"generator": {
"date": "2022-11-23T20:23:22+00:00",
"engine": {
"name": "TVCE"
}
},
"id": "cisco-sa-openssl-W9sdCc2a",
"initial_release_date": "2022-10-28T16:00:00+00:00",
"revision_history": [
{
"date": "2022-10-28T21:40:41+00:00",
"number": "1.0.0",
"summary": "Initial public release."
},
{
"date": "2022-11-01T20:23:02+00:00",
"number": "1.1.0",
"summary": "Update with OpenSSL public announcement."
},
{
"date": "2022-11-02T19:26:36+00:00",
"number": "1.2.0",
"summary": "Update products under investigation and products confirmed not vulnerable."
},
{
"date": "2022-11-03T20:12:42+00:00",
"number": "1.3.0",
"summary": "Update products under investigation, vulnerable products, and products confirmed not vulnerable."
},
{
"date": "2022-11-04T18:40:16+00:00",
"number": "1.4.0",
"summary": "Update affected products and disposition of cloud offers."
},
{
"date": "2022-11-08T20:57:38+00:00",
"number": "1.5.0",
"summary": "Update summary, affected products, and disposition of cloud offers."
},
{
"date": "2022-11-23T20:23:17+00:00",
"number": "1.6.0",
"summary": "Updated vulnerable products and products confirmed not vulnerable."
}
],
"status": "final",
"version": "1.6.0"
}
},
"vulnerabilities": [
{
"cve": "CVE-2022-3602",
"notes": [
{
"category": "general",
"text": "No additional information for this vulneraiblity is currently avaialbe.",
"title": "No Notes"
}
],
"remediations": [
{
"category": "none_available",
"details": "No remediation is available at this time."
}
],
"title": "X.509 Email Address 4-byte Buffer Overflow, Other Vulnerability"
},
{
"cve": "CVE-2022-3786",
"notes": [
{
"category": "general",
"text": "No additional information for this vulneraiblity is currently avaialbe.",
"title": "No Notes"
}
],
"remediations": [
{
"category": "none_available",
"details": "No remediation is available at this time."
}
],
"title": "X.509 Email Address Variable Length Buffer Overflow, Other Vulnerability"
}
]
}
Loading...