Cisco Bug: CSCun26625 - Upgrade CiscoSSL libraries to version 4.2
Dec 29, 2019
- Cisco Webex Desk Series
Known Affected Releases
Symptom: Cisco DX600 series contains a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

- CVE-2013-4353: The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake. This has been classified by the vendor as having a CVSS v2 Base Score of 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P).
- CVE-2013-6449: The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client. This has been classified by the vendor as having a CVSS v2 Base Score of 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P).
- CVE-2013-6450: The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c. This has been classified as having a CVSS v2 Base Score of 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A).

This bug was opened to address the potential impact on this product.

Conditions: Device with default configuration, running a version released before the fix for this issue.
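As an added example (not part of the Cisco bug record), the following Python check maps an OpenSSL version string, as reported by a device, onto the affected version ranges stated in the three CVE descriptions above, so an operator can tell which of them still apply before the CiscoSSL upgrade lands. The version strings in the comments are constructed samples.

```python
import re

# Affected ranges exactly as stated in the CVE text above:
# (inclusive lower bound or None for "any earlier version", exclusive upper bound).
AFFECTED = {
    "CVE-2013-4353": [("1.0.1", "1.0.1f")],
    "CVE-2013-6449": [(None, "1.0.2")],
    "CVE-2013-6450": [("1.0.0", "1.0.0l"), ("1.0.1", "1.0.1f")],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn an OpenSSL version string into a comparable tuple.

    Accepts bare versions ('1.0.0l') and full banners such as the
    constructed sample 'OpenSSL 1.0.1e 11 Feb 2013'. Pre-1.1.0 OpenSSL
    uses a letter suffix as the patch level, so '' < 'a' < 'b' < ... .
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    # No suffix -> 0, 'a' -> 1, 'b' -> 2, ...; the 1.0.x series never used
    # multi-letter suffixes, so only the first letter is significant.
    patch = (ord(letter[0]) - ord("a") + 1) if letter else 0
    return (major, minor, fix, patch)


def in_range(version, lower, upper):
    """True if `version` is >= lower (when given) and strictly < upper."""
    v = parse_version(version)
    if lower is not None and v < parse_version(lower):
        return False
    return v < parse_version(upper)


def applicable_cves(version):
    """Return the CVEs from this bug whose stated ranges cover `version`."""
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(in_range(version, lo, hi) for lo, hi in ranges)
    )
```

A build reporting 1.0.1f or later clears the two 1.0.1 ranges, but the page's wording for CVE-2013-6449 ("before 1.0.2") keeps that one flagged until 1.0.2.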