Cisco Bug: CSCur27466 - WebUI in IOS-XE : evaluation of SSLv3 POODLE vulnerability

Last Modified

Sep 14, 2019

Products (21)

  • Cisco IOS
  • Cisco ASR 901-6CZ-F-D Router
  • Cisco ASR 901-6CZ-FS-D Router
  • Cisco ASR 901-4C-FT-D Router
  • Cisco ME 3600X-24TS-M Switch
  • Cisco ASR 901S-4SG-F-D Router
  • Cisco ASR 901S-2SG-F-AH Router
  • Cisco ASR 901-6CZ-F-A Router
  • Cisco ASR 901S-2SG-F-D Router
  • Cisco ASR 901-6CZ-FT-A Router

Known Affected Releases

15.2(2)E 15.4(1)S 15.4(2)S n/a

Description (partial)

Symptom:
Cisco IOS XE includes a version of OpenSSL that is affected by the vulnerability identified by Common Vulnerabilities and Exposures (CVE) ID CVE-2014-3566, also known as the SSLv3 "POODLE" vulnerability.

This bug has been opened to address the potential impact on this product.

Conditions:
Cisco IOS XE devices running any rebuild of release 3.11S, 3.12S, 3.13S or 3.14S and with the WebUI interface over HTTPS enabled.  No other versions of Cisco IOS XE are affected.

Devices with the WebUI interface enabled and using HTTPS as transport protocol will include the following configuration:

transport-map type persistent webui http-webui
 secure-server
ip http secure-server
transport type persistent webui input http-webui

Devices running IOS XE release 3.11S, 3.12S, 3.13S or 3.14S but WITHOUT the WebUI interface enabled, or with the WebUI interface enabled but NOT using HTTPS as transport protocol are NOT AFFECTED by this vulnerability.

Both the HTTPS server and the WebUI interface need to be enabled for a device to be vulnerable.

The WebUI configuration guide is available at http://www.cisco.com/c/en/us/td/docs/routers/asr1000/configuration/guide/chassis/asrswcfg/webui.html
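
The check below is an added example, not Cisco's code: it tests a saved running configuration and release string for the two conditions described above. The function names, the accepted release-string spellings and the HTTP-only sample configuration are assumptions made for illustration.

```python
import re

AFFECTED_TRAINS = {11, 12, 13, 14}  # 3.11S-3.14S, per the Conditions text

# The configuration from the bug description, and a constructed HTTP-only variant.
SAMPLE_HTTPS = """\
transport-map type persistent webui http-webui
 secure-server
ip http secure-server
transport type persistent webui input http-webui
"""
SAMPLE_HTTP_ONLY = """\
transport-map type persistent webui http-webui
 server
ip http server
transport type persistent webui input http-webui
"""

def webui_https_enabled(running_config: str) -> bool:
    """True when the HTTPS server is on and an applied WebUI map uses secure-server."""
    https_server, current_map = False, None
    secure_maps, applied_maps = set(), set()
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line[0].isspace():  # indented sub-command of the current block
            if current_map and line.strip() == "secure-server":
                secure_maps.add(current_map)
            continue
        current_map = None
        tmap = re.fullmatch(r"transport-map type persistent webui (\S+)", line)
        applied = re.fullmatch(r"transport type persistent webui input (\S+)", line)
        if tmap:
            current_map = tmap.group(1)
        elif applied:
            applied_maps.add(applied.group(1))
        elif line == "ip http secure-server":
            https_server = True
    return https_server and bool(secure_maps & applied_maps)

def is_affected(running_config: str, xe_release: str) -> bool:
    """Both conditions from the bug: affected 3.xS train and HTTPS WebUI enabled."""
    # Assumed release spellings: "3.13.2S" or "03.13.02.S"; anything else is not matched.
    m = re.fullmatch(r"0*3\.0*(\d+)(?:\.\d+)*\.?S", xe_release.strip())
    return bool(m) and int(m.group(1)) in AFFECTED_TRAINS and webui_https_enabled(running_config)
```

A transport map that contains `secure-server` but is never applied with `transport type persistent webui input` does not count as enabled here, matching the statement that both the HTTPS server and the WebUI interface must be enabled.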

Related Community Discussions

IOS-XE version numbers (specifically as they relate to Security Advisories)
I am working through all the recent security advisories and I am having a little trouble discerning between the IOS-XE version numbers and the other numbers on the page. For example in the following: https://tools.cisco.com/bugsearch/bug/CSCur27466 it states that "3.6.xE Not Vulnerable" but if you read further down the page to the details section it then states Known Affected Releases: (4) 15.2(2)E 15.4(1)S 15.4(2)S I am under the impression that 3.6.xE and 15.2(2)E are the same software and the ...
Latest activity: Mar 08, 2019