Cisco Bug: CSCur23709 - ASA : evaluation of SSLv3 POODLE vulnerability

Last Modified

Sep 23, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.2(1) 8.3(1) 8.4(1) 8.5(1) 8.6(1) 8.7(1) 9.0 9.0(1) 9.1(1) 9.2(1) 9.4(1) 99.1

Description (partial)

Symptom:
The Cisco ASA (Adaptive Security Appliance) includes a version of OpenSSL that is affected by the vulnerability identified by the following Common Vulnerabilities and Exposures (CVE) ID:

CVE-2014-3566

Conditions:
The default SSL configuration on all ASA software trains enables SSLv3. Due to bug CSCug51375, the ASA is unable to disable SSLv3 on most ASA versions.

To see the SSL configuration:

show run all ssl

Default configuration of the ASA:

ssl client-version any
ssl server-version any

The following non-default configuration values also enable SSLv3:

ssl client-version sslv3-only
ssl client-version sslv3
ssl server-version sslv3-only
ssl server-version sslv3

Some of the previously listed options are not available on older ASA software releases.
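
The check described above can be scripted against saved "show run all ssl" output. The following is an added example, not Cisco's code: the function names and sample outputs are constructed for illustration, and it assumes a directive missing from the output falls back to the default "any" shown above.

```python
import re

# Values this bug page lists as enabling SSLv3 (the default "any" plus the non-default ones).
SSLV3_VALUES = {"any", "sslv3", "sslv3-only"}
DIRECTIVES = ("client-version", "server-version")
LINE_RE = re.compile(r"^\s*ssl\s+(client-version|server-version)\s+(\S+)\s*$", re.I)


def audit_ssl_config(show_output):
    """Return {directive: (value, sslv3_enabled, source)} for both directives.

    Assumption: a directive absent from the output is at its default, "any".
    """
    found = {}
    for line in show_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).lower()  # last occurrence wins
    report = {}
    for d in DIRECTIVES:
        value = found.get(d, "any")
        source = "configured" if d in found else "default"
        report[d] = (value, value in SSLV3_VALUES, source)
    return report


def sslv3_exposed(show_output):
    """True if either the client or the server side still allows SSLv3."""
    return any(enabled for _, enabled, _ in audit_ssl_config(show_output).values())


# Constructed sample outputs (not captured from a real device).
SAMPLE_DEFAULT = "ssl client-version any\nssl server-version any\n"
SAMPLE_MIXED = (
    "ssl server-version tlsv1-only\n"
    "ssl client-version sslv3\n"
    "ssl encryption aes128-sha1 aes256-sha1\n"  # unrelated line, ignored
)
SAMPLE_HARDENED = "ssl client-version tlsv1-only\nssl server-version tlsv1-only\n"

if __name__ == "__main__":
    samples = [("default", SAMPLE_DEFAULT), ("mixed", SAMPLE_MIXED),
               ("hardened", SAMPLE_HARDENED)]
    for name, text in samples:
        print(name, audit_ssl_config(text), "exposed:", sslv3_exposed(text))
```

A clean result reflects the configuration only; because of CSCug51375, noted above, the setting may not actually disable SSLv3 on most ASA versions.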

Related Community Discussions

CSCur23709 - ASA Fixed releases for POODLE
The POODLE vulnerability for ASA is described in bug CSCur23709. The list of fixed releases for bug CSCur23709 lists 9.0(4.201). When will it be generally available? I don't see it on the ASA5525 Interim Releases page. Also, Bug CSCur23709 refers to a fix for CSCug51375 as being available for releases 9.1.2 and later but I can find no reference to it in any of the Interim Release notes. Finally, there is no indication of when a fixed release might be available. Can anyone comment?
Latest activity: Oct 27, 2015