Cisco Bug: CSCup24112 - Multiple Vulnerabilities in OpenSSL - June 2014
Dec 13, 2019
- Network Level Service
Known Affected Releases
Symptom: The following Cisco product, Smart Call Home, includes a version of OpenSSL that is affected by the vulnerabilities identified by these Common Vulnerabilities and Exposures (CVE) IDs:
- CVE-2014-0195 - DTLS invalid fragment vulnerability
- CVE-2014-0221 - DTLS recursion flaw
- CVE-2014-0224 - SSL/TLS MITM vulnerability

PLEASE NOTE: The Smart Call Home application is not impacted directly. It is indirectly impacted by these vulnerabilities because it leverages the CCIX infrastructure. This bug has been opened to address the potential impact on this product.

Conditions: Smart Call Home (like many other Cisco products) leverages the CCIX infrastructure for deploying its external and internal JVMs. CCIX reverse proxies are used to front the HTTPS requests (https://tools.cisco.com and https://wwwin-tools.cisco.com/) to Smart Call Home. For HTTPS applications hosted on the CCIX platform, SSL is offloaded on the ACE device. According to PSIRT, Cisco ACE A5 code is affected by the June 5 OpenSSL bug and the fix is due in July.

See the bug tracking the issue and fix on ACE A5: https://tools.cisco.com/bugsearch/bug/CSCup22544

See also the response from the CCIX team: http://wwwin.cisco.com/cgi-bin/it/sc/core/remedy/cquery.pl?case=INC000030354008

Smart Call Home also uses devices as its clients. Devices use the "call home" feature to invoke the Smart Call Home application deployed on the CCIX infrastructure. Devices that have the OpenSSL / Cisco SSL clients may be vulnerable as well. Bugs such as CSCup22590 are tracked to address the issues in IOS/IOSd.