Cisco Bug: CSCun82386 - Cisco Prime Network Registrar vulnerable to Heartbleed

Last Modified

Aug 06, 2018

Products (1)

  • Cisco Network Registrar

Known Affected Releases

8.1(1) 8.1(2) 8.1(2.1) 8.1(3) 8.2 8.2(0.1) 8.3

Description (partial)

Symptom:
Cisco Prime Network Registrar includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0160.

This bug has been opened to address the potential impact on this product.

Conditions:
The following versions are affected: 8.1.1, 8.1.2, 8.1.2.1, 8.1.3 and 8.2, 8.2.0.1

First fixed releases: 8.2.0.2 - available on 04/16/2014; 8.1.3.1 - available on 5/2/2014.

This vulnerability only affects the management interfaces of the product:
Web UI, web services, Java SDK, communication between clusters, all when TLS/HTTPS is being used.

By default none of these interfaces use TLS/HTTPS, but it may be enabled.

Potentially vulnerable data: CPNR admin names and passwords, password hashes, any CPNR server configuration data that may have been in transit.

Mitigations:

Since the management interfaces (which are the vulnerable parts) of the product are generally not exposed to the Internet, but mostly internally, use the system firewall, if possible, to limit the number of systems that have access to the CPNR servers' ports 1234 and 8443 on a local cluster, 1244 and 8453 on a regional cluster.
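
One way to express this restriction with iptables on a Linux CPNR host, as an added example that is not part of Cisco's bug text. The chain name CPNR_MGMT, the function names and the source addresses (RFC 5737 documentation ranges) are assumptions; TCP is assumed because the affected interfaces run TLS/HTTPS.

```sh
#!/bin/sh
# Added example: print iptables commands that limit the CPNR management
# ports to an allowlist. Port numbers come from the mitigation text above;
# everything else (chain name, sample sources) is constructed.

# cpnr_ports <local|regional> -> comma-separated management ports
cpnr_ports() {
  case "$1" in
    local)    echo "1234,8443" ;;
    regional) echo "1244,8453" ;;
    *) echo "unknown cluster type: $1" >&2; return 1 ;;
  esac
}

# cpnr_rules <local|regional> <allowed IPv4 address or CIDR>...
# Prints the commands instead of running them so they can be reviewed first.
cpnr_rules() {
  cpnr_p=$(cpnr_ports "$1") || return 1
  shift
  [ "$#" -gt 0 ] || { echo "need at least one allowed source" >&2; return 1; }
  # Validate every source before printing anything.
  for cpnr_s in "$@"; do
    case "$cpnr_s" in
      ""|*[!0-9./]*) echo "bad source: $cpnr_s" >&2; return 1 ;;
    esac
  done
  # Dedicated chain: allowlisted sources are accepted, the rest dropped.
  echo "iptables -N CPNR_MGMT"
  for cpnr_s in "$@"; do
    echo "iptables -A CPNR_MGMT -s $cpnr_s -j ACCEPT"
  done
  echo "iptables -A CPNR_MGMT -j DROP"
  # Insert at the top of INPUT so an earlier broad ACCEPT cannot bypass it.
  echo "iptables -I INPUT -p tcp -m multiport --dports $cpnr_p -j CPNR_MGMT"
}

# Constructed sample: one admin workstation and one admin subnet.
cpnr_rules local 192.0.2.10 198.51.100.0/24
```

Because communication between clusters is one of the affected interfaces, the allowlist on a local cluster has to include its regional cluster's address, and the regional cluster's allowlist has to include each local cluster.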