Cisco Bug: CSCur07312 - Cisco ACE (ACE10 and ACE20) CVE-2014-6271 and CVE-2014-7169
Jan 31, 2017
- Cisco ACE Application Control Engine Module
Known Affected Releases
Symptom: The ACE ACE10, ACE20 and 4710 running software prior to A4.x include a version of bash that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs: CVE-2014-6271 CVE-2014-6277 CVE-2014-6278 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 This bug has been opened to address the potential impact on this product. ACE10, ACE30 modules and ACE4710 appliance running code prior to A4.x have been tested and each found to have vulnerability to one attack vector. Understand that attack works only by the vector of accessing the management interface on the ACE via ssh using a pre-existing valid login credential (with any level of access rights). Testing via VIP thru ssh/HTTP/HTTPs load balancing shows no vulnerability and since ACE does not execute any CGI scripting via VIP that vector also is not vulnerable. Conditions: Exposure is not configuration dependant.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases