
Cisco Bug: CSCun26625 - Upgrade CiscoSSL libraries to version 4.2

Last Modified

Dec 29, 2019

Products (1)

  • Cisco Webex Desk Series

Known Affected Releases

10.1(1) 10.2(1)

Description (partial)

Cisco DX600 series contains a version of OpenSSL that is affected by the vulnerabilities identified by the
following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2013-4353: The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS
servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next
Protocol Negotiation record in a TLS handshake.  This has been classified by the vendor as having a CVSS v2
Base Score of 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2013-6449: The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain
version number from an incorrect data structure, which allows remote attackers to cause a denial of service
(daemon crash) via crafted traffic from a TLS 1.2 client.  This has been classified by the vendor as having a
CVSS v2 Base Score of 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2013-6450: The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f
does not properly maintain data structures for digest and encryption contexts, which might allow
man-in-the-middle attackers to trigger the use of a different context and cause a denial of service
(application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.  This has
been classified as having a CVSS v2 Base Score of 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A)

This bug was opened to address the potential impact on this product.
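
The affected ranges quoted in the CVE text above can be checked against an upstream OpenSSL version string. The following is an added example, not Cisco's code: `AFFECTED`, `parse_version` and `applicable_cves` are hypothetical names, the ranges are transcribed from the descriptions on this page, and it assumes upstream `1.0.1e`-style numbering rather than CiscoSSL's own version numbers.

```python
import re

# Ranges transcribed from the CVE text on this page: (first affected, first fixed).
# None as the lower bound means the text gives no lower bound ("before X").
AFFECTED = {
    "CVE-2013-4353": [("1.0.1", "1.0.1f")],
    "CVE-2013-6449": [(None, "1.0.2")],
    "CVE-2013-6450": [("1.0.0", "1.0.0l"), ("1.0.1", "1.0.1f")],
}

# Three numeric fields, then an optional patch letter ('e') or 'z'+letter ('za').
_VERSION = re.compile(
    r"(\d+)\.(\d+)\.(\d+)((?:z[a-z]|[a-z])?)(?!\w)(-(?:beta|pre|dev)\w*)?"
)


def parse_version(text):
    """Turn '1.0.1e' or 'OpenSSL 1.0.1e-fips 11 Feb 2013' into a sortable tuple."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no OpenSSL-style version in {text!r}")
    if m.group(5):
        # A beta of 1.0.2 sorts before 1.0.2; refuse rather than misorder it.
        raise ValueError(f"pre-release builds are not ordered here: {text!r}")
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    # Patch letters order as '' < a < ... < z < za < zb ...
    patch = sum(ord(ch) - ord("a") + 1 for ch in m.group(4))
    return (major, minor, fix, patch)


def applicable_cves(version_text):
    """Return the CVE IDs from this page whose stated range contains the version."""
    v = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED.items():
        for first, fixed in ranges:
            lower_ok = first is None or parse_version(first) <= v
            if lower_ok and v < parse_version(fixed):
                hits.append(cve)
                break
    return hits


if __name__ == "__main__":
    # Constructed sample strings, not taken from any device.
    for sample in ("OpenSSL 1.0.1e-fips 11 Feb 2013", "1.0.0k", "1.0.1f", "1.0.2"):
        print(sample, "->", applicable_cves(sample))
```

A version string alone does not show whether a vendor has backported fixes, so a match is a prompt to check the vendor's fixed releases rather than proof of exposure.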

Devices with the default configuration, running versions prior to the fix for this issue.
Bug details contain sensitive information and therefore require an account to be viewed.
