Cisco Bug: CSCur33929 - UCS C-series Server : evaluation of SSLv3 POODLE vulnerability

Last Modified

Feb 20, 2018

Products (1)

  • Cisco Unified Computing System

Known Affected Releases

2.0(4b)C

Description (partial)

Cisco C Series servers support SSLv3 on the server side and are impacted by the recent security vulnerability CVE-2014-3566, a.k.a. POODLE. This can be used to orchestrate a man-in-the-middle attack and leave the CIMC secrets vulnerable.

Symptom:
The following Cisco products

Cisco C Series Integrated Management Controller (Cisco IMC)

have been investigated to determine the applicability of the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-3566

Cisco has analyzed this vulnerability and concluded that the listed products are impacted.

Conditions:
This is a man-in-the-middle attack. The client needs to initiate a connection to the server using SSLv3.

Related Community Discussions

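Whether SSL 3.0 can be disabled on CIMC
Thank you as always for your support. UCS C-series Server : evaluation of SSLv3 POODLE vulnerability https://tools.cisco.com/bugsearch/bug/CSCur33929 Regarding the SSL 3.0 vulnerability issue above, I have confirmed that the Workaround is "Disable SSLv3 on the client side (browser)" and that the Status is Fixed. Does this mean that a setting on the web service side within CIMC to disable access over SSL 3.0 and permit access only over TLS 1.x does not exist at present, and that there are no plans to add such a feature in the future either? As far as I can see from the installation guide and the setup guide, I could not find anywhere that looks like it could be configured, but I am asking to confirm just in case. Thank you in advance.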
Latest activity: Dec 09, 2014