Cisco Bug: CSCun26625 - Upgrade CiscoSSL libraries to version 4.2

Last Modified

Dec 29, 2019

Products (1)

  • Cisco Webex Desk Series

Known Affected Releases

10.1(1) 10.2(1)

Description (partial)

Symptom:
The Cisco DX600 series contains a version of OpenSSL that is affected by the vulnerabilities identified by the
following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2013-4353: The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS
servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next
Protocol Negotiation record in a TLS handshake.  This has been classified by the vendor as having a CVSS v2
Base Score of 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2013-6449: The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain
version number from an incorrect data structure, which allows remote attackers to cause a denial of service
(daemon crash) via crafted traffic from a TLS 1.2 client.  This has been classified by the vendor as having a
CVSS v2 Base Score of 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-2013-6450: The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f
does not properly maintain data structures for digest and encryption contexts, which might allow
man-in-the-middle attackers to trigger the use of a different context and cause a denial of service
(application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.  This has
been classified as having a CVSS v2 Base Score of 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A)

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration, running a version released before this issue was fixed.