Guest

Preview Tool

Cisco Bug: CSCur27466 - WebUI in IOS-XE : evaluation of SSLv3 POODLE vulnerability

Last Modified

Feb 12, 2018

Products (21)

  • Cisco IOS
  • Cisco ASR 901-6CZ-F-D Router
  • Cisco ASR 901-6CZ-FS-D Router
  • Cisco ASR 901-4C-FT-D Router
  • Cisco ME 3600X-24TS-M Switch
  • Cisco ASR 901S-4SG-F-D Router
  • Cisco ASR 901S-2SG-F-AH Router
  • Cisco ASR 901-6CZ-F-A Router
  • Cisco ASR 901S-2SG-F-D Router
  • Cisco ASR 901-6CZ-FT-A Router
View all products in Bug Search Tool Login Required

Known Affected Releases

15.2(2)E 15.4(1)S 15.4(2)S n/a

Description (partial)

Symptom:
Cisco IOS XE includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) ID CVE-2014-3566 aka the ssl protocol version "POODLE" vulnerability.

This bug has been opened to address the potential impact on this product.

Conditions:
Cisco IOS XE devices running any rebuild of release 3.11S, 3.12S, 3.13S or 3.14S and with the WebUI interface over HTTPS enabled.  No other versions of Cisco IOS XE are affected.

Devices with the WebUI interface enabled and using HTTPS as transport protocol will include the following configuration:

transport-map type persistent webui http-webui
 secure-server
ip http secure-server
transport type persistent webui input http-webui

Devices running IOS XE release 3.11S, 3.12S, 3.13S or 3.14S but WITHOUT the WebUI interface enabled, or with the WebUI interface enabled but NOT using HTTPS as transport protocol are NOT AFFECTED by this vulnerability.

Both the HTTPS server and the WebUI interface need to be enabled for a device to be vulnerable.

The WebUI configuration guide is available at 
http://www.cisco.com/c/en/us/td/docs/routers/asr1000/configuration/guide/chassis/asrswcfg/webui.html
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.