Cisco Bug: CSCup24112 - Multiple Vulnerabilities in OpenSSL - June 2014

Last Modified

Dec 13, 2019

Products (1)

  • Network Level Service

Known Affected Releases

3.5(2.0)

Description (partial)

Symptom:
The following Cisco products

Smart Call Home 

include a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-0195 - DTLS invalid fragment vulnerability
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-0224 - SSL/TLS MITM vulnerability

**PLEASE NOTE: The Smart Call Home application is not impacted directly. It is indirectly impacted by these vulnerabilities because it leverages the CCIX infrastructure.

This bug has been opened to address the potential impact on this product.

Conditions:
The Smart Call Home product (like many other Cisco products) leverages the CCIX infrastructure for deploying the external and internal JVMs.

CCIX reverse proxies are used to front the HTTPS requests (https://tools.cisco.com and https://wwwin-tools.cisco.com/) to Smart Call Home.

For HTTPS applications hosted on the CCIX platform, SSL is offloaded to the ACE device. According to PSIRT, Cisco ACE A5 code is affected by the June 5 OpenSSL bug, and the fix is due in July.

Please see the bug description tracking the issue and fix on ACE A5:
https://tools.cisco.com/bugsearch/bug/CSCup22544 

Please check the response from the CCIX team: http://wwwin.cisco.com/cgi-bin/it/sc/core/remedy/cquery.pl?case=INC000030354008

Smart Call Home also uses devices as its clients. Devices use the "call home" feature to invoke the Smart Call Home application deployed on the CCIX infrastructure.

Devices that have OpenSSL / Cisco SSL clients may be vulnerable as well.
Bugs such as CSCup22590 are tracked to address the issues in IOS/IOSd.