Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service condition or perform a man-in-the-middle attack. On January 8, 2015, the OpenSSL Project released a security advisory detailing eight distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:
- CVE-2014-3571: OpenSSL DTLS Message Processing Denial of Service Vulnerability
- CVE-2015-0206: OpenSSL dtls1_buffer_record Function DTLS Message Processing Denial of Service Vulnerability
- CVE-2014-3569: OpenSSL no-ssl3 Option NULL Pointer Dereference Vulnerability
- CVE-2014-3572: OpenSSL Elliptic Curve Cryptographic Downgrade Vulnerability
- CVE-2015-0204: OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability
- CVE-2015-0205: OpenSSL Diffie-Hellman Certificate Validation Authentication Bypass Vulnerability
- CVE-2014-8275: OpenSSL Certificate Fingerprint Validation Vulnerability
- CVE-2014-3570: OpenSSL BN_sql Function Incorrect Mathematical Results Issue
Cisco will release software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities may be available.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl

Affected Products

Vulnerable Products

The following Cisco products have been confirmed to be impacted by one or more of the vulnerabilities contained in the January 8, 2015, OpenSSL Project security advisory:

Product	Defect	Fixed releases availability
Collaboration and Social Media
Cisco WebEx Meetings Server versions 1.x	CSCus42712	2.5MR2
Cisco WebEx Meetings Server versions 2.x	CSCus42712	2.5MR2
Cisco Webex Social	CSCus42817	No further releases are planned.
Endpoint Clients and Client Software
Cisco Agent for OpenFlow	CSCus42902
Cisco AnyConnect Secure Mobility Client for Android	CSCus42726	4.0.01233 (Android)
Cisco AnyConnect Secure Mobility Client for Apple iOS	CSCus42726	3.0.12240 (Apple iOS)
Cisco AnyConnect Secure Mobility Client for desktop platforms	CSCus42726	3.1.07021
Cisco Jabber Software Development Kit	CSCus42945	11.0(0) (26-Aug-2015)
Cisco Jabber Video for TelePresence (Movi)	CSCus42871	4.9 (March 2015)
Cisco Jabber Voice for Android	CSCus42947	10.6(1)
Cisco Jabber for Android	CSCus42952	10.6.1
Cisco Jabber for Mac	CSCus42939	10.6(1) (Available) 11.0 (July 2014)
Cisco Jabber for Windows	CSCut82321	11.0(0) 10.6(1)
Cisco Jabber for iOS	CSCus42953	10.6.2
Cisco WebEx Connect Client for Windows	CSCus42966	No further releases scheduled. Advise migration to Cisco Jabber.
Cisco WebEx Meetings for Android	CSCus42742	7.0 (Android)
Cisco WebEx Meetings for WP8	CSCus42941	1.0.1k (Available)
Network Application, Service, and Acceleration
Cisco ACE30 Application Control Engine Module	CSCus42709
Cisco Wide Area Application Services (WAAS)	CSCus42766	5.1.1i (27-May-2015) 6.0.0 (10-Jun-2015)
Network and Content Security Devices
Cisco ASA CX Context-Aware Security	CSCus42804	9.3.3.1-13 (July 2015)
Cisco Adaptive Security Appliance (ASA) Software	CSCus42901	9.2(3.1) 9.1(5.106) 9.0(4.29) 8.4(7.26)
Cisco Content Security Management Appliance (SMA)	CSCus44454	9.1.2 (15-Jun-2015)
Cisco Email Security Appliance (ESA)	CSCus42818	10.0 (Oct 2015)
Cisco FireSIGHT System Software	CSCus77211	5.4.0.2 5.4.1.1
Cisco IPS	CSCus42768	Cisco IPS 7.1.10 (29-May-2015) Cisco IPS 7.3.4 (TBD)
Cisco Identity Services Engine (ISE)	CSCus42710	1.4 (April 2015) 1.5 (October 2015)
Cisco IronPort Encryption Appliance (IEA)	CSCus44478
Cisco NAC Appliance (Clean Access Server)	CSCus42836	Patch file is available for vulnerable versions.
Cisco NAC Guest Server	CSCus42834	No further releases are planned.
Cisco NAC Manager (Clean Access Manager)	CSCus42840	Patch file is available for vulnerable versions.
Cisco Physical Access Gateway	CSCus43000	1.5.3 (21-May-2015)
Cisco Secure Access Control Server (ACS)	CSCus42781	5.6 (31-Jul-2015) 5.7 (14-Aug-2015)
Cisco Virtual Security Gateway for Microsoft Hyper-V	CSCus43003	5.2(1)SV3(1.4) (May 2015)
Cisco Virtual Security Gateway for VMware	CSCus43003	5.2(1)SV3(1.4) (May 2015)
Cisco Web Security Appliance (WSA)	CSCus42705	9.0.0 (30-Apr-2015)
Network Management and Provisioning
Cisco Application Networking Manager	CSCus42821	5.2.6
Cisco Intelligent Automation for Cloud	CSCus42852	4.3 (July 2015)
Cisco MATE Design	CSCus42772	WAE 6.1.1 (31-Mar-2015) MATE 6.0.5 (10-Mar-2015)
Cisco MATE Live	CSCus42772	WAE 6.1.1 (31-Mar-2015) MATE 6.0.5 (10-Mar-2015)
Cisco MATE collector	CSCus42772	WAE 6.1.1 (31-Mar-2015) MATE 6.0.5 (10-Mar-2015)
Cisco Netflow Collection Agent	CSCus42819	1.0.3 (May 2015)
Cisco Packet Tracer	CSCus47080	6.2
Cisco Policy Suite (QPS)	CSCus42789
Cisco Prime Access Registrar	CSCus42968	7.0.0 (Available) 6.1.3 (Release TBD)
Cisco Prime Collaboration Assurance	CSCus42924	No release planned.
Cisco Prime Collaboration Deployment	CSCus42954	11.0
Cisco Prime Collaboration Provisioning 10.5	CSCus42816	11.0 (29-May-2015)
Cisco Prime Data Center Network Manager (DCNM)	CSCus42763	DCNM 7.1(2) (Late April 2015)
Cisco Prime IP Express	CSCus42967	8.3 (Available)
Cisco Prime Infrastructure	CSCus42748	3.0
Cisco Prime LAN Management Solution	CSCus42883	4.2.5(3) (30-Jun-2015)
Cisco Prime License Manager	CSCus42699	11.0 (mid-April 2015)
Cisco Prime Network Analysis Module (NAM)	CSCus42792	006.002 (1-Jun-2015)
Cisco Prime Network Registrar (CPNR)	CSCus42701	8.3 (Available) 8.2.3 (31-May-2015) 8.1.3.3 (30-Apr-2015) Virtual Appliance 7.3.2.5 (22-Apr-2015)
Cisco Prime Network Services Controller	CSCus42739	3.5.1x (April 2015) Note: PNSC will be no longer be released individually and instead will be part Intercloud Fabric (ICF) 2.2.1x.
Cisco Prime Network	CSCus42882
Cisco Prime Optical for SPs	CSCus42879	10.3.0.0.193 (Available) 10.0.0.1.2 (Available
Cisco Prime Performance Manager for SPs	CSCus42880	1.6 SP1
Cisco Prime Security Manager	CSCus42841
Cisco Security Manager	CSCus42723	4.9 (Aug 2015) 4.7 SP1CP1 (Available)
Cisco Show and Share (SnS)	CSCus42800	5.3.x (20-May-2015) 5.5 (20-May-2015) 5.6 (20-May-2015) 5.6.1 (20-Aug-2015)
Local Collector Appliance (LCA)	CSCus42873	2.2.8
Routing and Switching - Enterprise and Service Provider
Cisco 910 Industrial Router	CSCus45971	1.2.1RB1 (15-May-2015)
Cisco ASR 5000 Series	CSCus42812	20.0.0 (Available)
Cisco Application Policy Infrastructure Controller	CSCus42749	1.0(3f) 1.1(1j)
Cisco Connected Grid Routers (CGR)	CSCus43029	No further releases scheduled (End of Life). Customers are encouraged to upgrade to a supported Cisco IOS Software release.
Cisco IOS Software and Cisco IOS-XE Software	CSCus61884	15.5(03)S
Cisco IOS XR Software	CSCus42773
Cisco IOS-XE (WebUI feature only)	CSCut32908
Cisco MDS 9000 Series Multilayer Switches	CSCus42713	7.2 (29-May-2015) 7.3 (3-Jul-2015)
Cisco Mobile Wireless Transport Manager	CSCus42993	6.1.7
Cisco Nexus 1000V Intercloud	CSCus42717	2.2.1 (Available)
Cisco Nexus 1000V Series Switches	CSCut14256	5.2(1)SV3(1.4) (May 2015)
Cisco Nexus 3X00 Series Switches	CSCus43046
Cisco Nexus 4000 Series Switches	CSCus42972	4.1(2)E1(1o) (15-May-2015)
Cisco Nexus 5000 Series Switches	CSCus42713	7.2 (29-May-2015) 7.3 (3-Jul-2015)
Cisco Nexus 6000 Series Switches	CSCus42713	7.2 (29-May-2015) 7.3 (3-Jul-2015)
Cisco Nexus 7000 Series Switches	CSCus42713	7.2 (29-May-2015) 7.3 (3-Jul-2015)
Cisco Nexus 9000 Series Switches	CSCus42784	7.0(3)I2(1) (Available)
Cisco ONS 15400 Series	CSCus42787	10.51 (20-Nov-2015)
Cisco OnePK All-in-One VM	CSCus42732	Admin to update package via CLI
Routing and Switching - Small Business
Cisco WAG310G Residential Gateway	CSCus43007
Unified Computing
Cisco UCS C-Series (Standalone Rack) Servers	CSCus42715	2.0.4 (Apr 2015)
Cisco UCS Central	CSCus42724	1.3 (March 2015)
Cisco UCS Invicta Series Solid State Systems	CSCus42989	5.0.1.2b (April 2015)
Cisco Unified Computing System B-Series (Blade) Servers	CSCus61833	2.2(4a) (Available) 2.2(5a) (22-May-2015) 3.1(1a) (TBD)
Voice and Unified Communications Devices
Cisco ATA 187 Analog Telephone Adaptor	CSCus42814	Fix release due March 2016
Cisco ATA 190 Series Analog Telephone Adapter	CSCus42791	1.2.1 (30-Jun-2015)
Cisco Agent Desktop	CSCus42910	10.0(2)
Cisco Computer Telephony Integration Object Server (CTIOS)	CSCut45829	11.0 (30-Apr-2015)
Cisco DX Series IP Phones	CSCut08817	10.2.4 (5-Jun-2015)
Cisco Emergency Responder	CSCus42904	11.0
Cisco Finesse	CSCus42853
Cisco Hosted Collaboration Mediation Fulfillment	CSCus42794	10.6.1
Cisco IP Interoperability and Collaboration System (IPICS)	CSCus43020	4.9(2) (July 2015)
Cisco IP Phone 8800 Series	CSCuw30989	11.0
Cisco MediaSense	CSCus42906	11.0(1) (Release Date TBD)
Cisco MeetingPlace	CSCus42786	8.6 Maintenance Release (15-Jun-2015)
Cisco Paging Server (Informacast)	CSCus42905	11.0.1 (May 2015)
Cisco Paging Server	CSCus42905	11.0.1 (May 2015)
Cisco SPA112 2-Port Phone Adapter	CSCus42824	1.3.7 (31-Dec-2015)
Cisco SPA122 ATA with Router	CSCus42824	1.3.7 (31-Dec-2015)
Cisco SPA232D Multi-Line DECT ATA	CSCus42824	1.3.7 (31-Dec-2015)
Cisco SocialMiner	CSCus42851	11.0(1) (30-Aug-2015)
Cisco Unified 6900 series IP Phones	CSCus42734	9.4(1)ES12 (11 Nov 2015)
Cisco Unified 7800 series IP Phones	CSCus42707	10.4.1 (August 2015)
Cisco Unified 8945 IP Phone	CSCus42735	9.4(2)2SR2 (11-Dec-2015)
Cisco Unified 8961 IP Phone	CSCus42706	9.4(2)SR2 (Release Date TBD)
Cisco Unified 9951 IP Phone	CSCus42706	9.4(2)SR2 (Release Date TBD)
Cisco Unified 9971 IP Phone	CSCus42706	9.4(2)SR2 (Release Date TBD)
Cisco Unified Attendant Console (all editions)	CSCus42803	11.0.1 (Sep 2015)
Cisco Unified Attendant Console Standard	CSCus42959	Patch files are available for vulnerable releases.
Cisco Unified Communication Manager IM and Presence Service (CUPS)	CSCus42751	11.0 (Available)
Cisco Unified Communications Domain Manager	CSCus42711	10.1(2)
Cisco Unified Communications Manager (UCM)	CSCus60116	10.5.2 (Available) 10.5.2 SU2 (Available) 9.1.2 SU3 (TBD) 8.6.2 (TBD)
Cisco Unified Communications Manager Session Management Edition (SME)	CSCus60116	10.5.2 (Available) 10.5.2 SU2 (Available) 9.1.2 SU3 (TBD) 8.6.2 (TBD)
Cisco Unified Contact Center Enterprise	CSCut45829	11.0 (30-Apr-2015)
Cisco Unified Contact Center Express	CSCus42785	11.0(1) (June 2015)
Cisco Unified IP Conference Phone 8831	CSCus42757
Cisco Unified IP Conference Station 7937G	CSCus42758	10.3.2 (Sep 2015)
Cisco Unified IP Phone 7900 Series	CSCus42733	9.4(2)SR2 (11-Nov-2015)
Cisco Unified Intelligence Center	CSCus42908
Cisco Unified Intelligent Contact Management Enterprise	CSCut45829	11.0 (30-Apr-2015)
Cisco Unified Sip Proxy	CSCus42917
Cisco Unified Workforce Optimization	CSCus42996	10.5 SR6 11.0
Cisco Unity Connection (UC)	CSCus42900	11.0(0.72)
Cisco Virtualization Experience Media Engine	CSCus42958	Windows 10.6.0.10706 (Available) Windows 10.6.0.10730 (Available) Linux 10.6.0-203 (Available) Linux 10.6.0-221 (Available)
Video, Streaming, TelePresence, and Transcoding Devices
Cisco AnyRes Live (CAL)	CSCus42909	9.5.0
Cisco D9036 Modular Encoding Platform	CSCus42887	V02.03.30
Cisco Edge 300 Digital Media Player	CSCus42801	1.6RB2 (Available)
Cisco Edge 340 Digital Media Player	CSCus43052	Patch file available for vulnerable releases. (4-Apr-2015)
Cisco Enterprise Content Delivery System (ECDS)	CSCum57065	2.6.4 (mid-May 2015)
Cisco Expressway Series	CSCus42702	X8.5.1
Cisco Internet Streamer CDS	CSCus42921	VDS-IS 3.3.1 (30-Jun-2015) VDS-IS 4.2.0 (31-Jul-2015)
Cisco Model D9485 DAVIC QPSK	CSCus43043	1.2.19
Cisco TelePresence 1310	CSCus42737	1.10.11 (30-Apr-2015) 6.1.8 (30-Apr-2015)
Cisco TelePresence Advanced Media Gateway Series	CSCus42833	1.1(1.40) (Available)
Cisco TelePresence Conductor	CSCus42987	XC3.0.1
Cisco TelePresence Content Server (TCS)	CSCus42976	6.2
Cisco TelePresence EX Series	CSCus42827	7.3.1
Cisco TelePresence ISDN GW 3241	CSCus42753	2.2 Maintenance Release (mid May 2015)
Cisco TelePresence ISDN GW MSE 8321	CSCus42753	2.2 Maintenance Release (mid May 2015)
Cisco TelePresence ISDN Link	CSCus42828	1.1.5 (June 2015)
Cisco TelePresence MCU (8510, 8420, 4200, 4500 and 5300)	CSCus42831	4.5 Maintenance Release (July 2015)
Cisco TelePresence MX Series	CSCus42827	7.3.1
Cisco TelePresence Profile Series	CSCus42827	7.3.1
Cisco TelePresence SX Series	CSCus42827	7.3.1
Cisco TelePresence Serial Gateway Series	CSCus42754	1.0(1.42)
Cisco TelePresence Server 8710, 7010	CSCus42752	4.1 (Mar 2015)
Cisco TelePresence Server on Multiparty Media 310, 320	CSCus42752	4.1 (Mar 2015)
Cisco TelePresence Server on Virtual Machine	CSCus42752	4.1 (Mar 2015)
Cisco TelePresence Supervisor MSE 8050	CSCus42755	2.3(1.38)
Cisco TelePresence System 1000	CSCus42737	1.10.11 (30-Apr-2015) 6.1.8 (30-Apr-2015)
Cisco TelePresence System 1100	CSCus42737	1.10.11 (30-Apr-2015) 6.1.8 (30-Apr-2015)
Cisco TelePresence System 1300	CSCus42737	1.10.11 (30-Apr-2015) 6.1.8 (30-Apr-2015)
Cisco TelePresence System 3000 Series	CSCus42737	1.10.11 (30-Apr-2015) 6.1.8 (30-Apr-2015)
Cisco TelePresence System 500-32	CSCus42737	1.10.11 (30-Apr-2015) 6.1.8 (30-Apr-2015)
Cisco TelePresence System 500-37	CSCus42737	1.10.11 (30-Apr-2015) 6.1.8 (30-Apr-2015)
Cisco TelePresence TE Software (for E20 - EoL)	CSCus42829	4.1.6
Cisco TelePresence TX 9000 Series	CSCus42737	1.10.11 (30-Apr-2015) 6.1.8 (30-Apr-2015)
Cisco TelePresence Video Communication Server (VCS)	CSCus42702	X8.5.1
Cisco Telepresence Integrator C Series	CSCus42827	7.3.1
Cisco VDS Service Broker	CSCus43022
Cisco Video Surveillance 3000 Series IP Cameras	CSCus42721	2.7 (30-Jul-2015)
Cisco Video Surveillance 4000 Series High-Definition IP Cameras	CSCus42983	2.4.6 (30-Jul-2015)
Cisco Video Surveillance 4300E/4500E High-Definition IP Cameras	CSCus42982	3.2.7 (30-Jul-2015)
Cisco Video Surveillance 6000 Series IP Cameras	CSCus42721	2.7 (30-Jul-2015)
Cisco Video Surveillance 7000 Series IP Cameras	CSCus42721	2.7 (30-Jul-2015)
Cisco Video Surveillance Media Server	CSCus43015	7.7
Cisco Video Surveillance Operations Manager	CSCus43016	7.7.0 (15-Aug-2015)
Cisco Video Surveillance PTZ IP Cameras	CSCus42721	2.7 (30-Jul-2015)
Cisco Videoscape Control Suite	CSCus43009	3.6 (Available)
Cloud Object Store (COS)	CSCus43014	2.1.2 (Available) 3.0.0 (27-May-2015)
Media Services Interface	CSCus43013	No further releases planned.
Tandberg Codian ISDN GW 3210/3220/3240	CSCus42753	2.2 Maintenance Release (mid May 2015)
Tandberg Codian MSE 8320 model	CSCus42753	2.2 Maintenance Release (mid May 2015)
Wireless
Cisco IOS Access Points	CSCus42764	15.5(03)S (Available)
Cisco Mobility Services Engine (MSE)	CSCus42729	8.0.110.002
Cisco Wireless Lan Controller (WLC)	CSCus42727	7.0.252.0 (Available) 7.4.140.0 (Available) 8.1.102.0 (Available) 8.0.120.0 (June 2015) 7.6.130.26 (Contact Cisco TAC for this version)
Cisco Hosted Services
Cisco Common Services Platform Collector	CSCus95785
Cisco Network Configuration and Change Management Service	CSCus42860	1.5 (Available)
Cisco Proactive Network Operations Center	CSCus42796
Cisco Universal Small Cell 5000 Series running V3.4.2.x software	CSCus42775	3.5.11.11 3.4.5.7
Cisco Universal Small Cell 7000 Series running V3.4.2.x software	CSCus42775	3.5.11.11 3.4.5.7
Network Performance Analytics (NPA)	CSCus42893	1.11.3 (30-Aug-2015)

Products Confirmed Not Vulnerable

The following Cisco products have been analyzed and are not affected by any of the listed vulnerabilities:

Collaboration and Social Media

Cisco WebEx Node for MCS

Endpoint Clients and Client Software

Cisco IP Communicator
Cisco NAC Agent for Mac
Cisco NAC Agent for Web
Cisco NAC Agent for Windows
Cisco UC Integration for Microsoft Lync
Cisco Unified Personal Communicator
Cisco Unified Video Advantage
Cisco WebEx Meetings (client)
Cisco WebEx Meetings for BlackBerry
Cisco WebEx Productivity Tools
Cisco Webex App for iOS

Network Application, Service, and Acceleration

Cisco Application and Content Networking System (ACNS)
Cisco Extensible Network Controller (XNC)

Network and Content Security Devices

Cisco Adaptive Security Device Manager
Cisco Physical Access Manager

Network Management and Provisioning

Cisco Configuration Professional
Cisco Connected Grid Device Manager
Cisco Connected Grid Network Management System
Cisco Discovery Service
Cisco Insight Reporter
Cisco Linear Stream Manager
Cisco Multicast Manager
Cisco Prime Analytics
Cisco Prime Cable Provisioning
Cisco Prime Central for SPs
Cisco Prime Home
Cisco SON Suite
Cisco Unified Provisioning Manager (CUPM)
CiscoWorks Network Compliance Manager
Digital Media Manager 5.4

Routing and Switching - Enterprise and Service Provider

Cisco Broadband Access Center Telco Wireless
Cisco Prime Provisioning for SPs
Cisco Service Control Operating System

Routing and Switching - Small Business

Cisco VEN401 Wireless Access Point
Cisco VEN501 Wireless Access Point

Voice and Unified Communications Devices

Cisco Desktop Collaboration Experience DX650
Cisco Packaged Contact Center Enterprise
Cisco Remote Silent Monitoring
Cisco SPA8000 8-port IP Telephony Gateway
Cisco SPA8800 IP Telephony Gateway with 4 FXS and 4 FXO Ports
Cisco Unified Communications Domain Manager
Cisco Unified 3900 series IP Phones
Cisco Unified Client Services Framework
Cisco Unified Communications Sizing Tool
Cisco Unified Communications Widgets Click To Call
Cisco Unified E-Mail Interaction Manager
Cisco Unified Integration for IBM Sametime
Cisco Unified Web Interaction Manager
Cisco Virtual PGW 2200 Softswitch
Cisco Voice Portal (CVP)
xony VIM/CCDM/CCMP

Video, Streaming, TelePresence, and Transcoding Devices

Cisco AnyRes VOD (CAV)
Cisco D9034-S Encoder
Cisco D9054 HDTV Encoder
Cisco D9804 Multiple Transport Receiver
Cisco D9824 Advanced Multi Decryption Receiver
Cisco D9854/D9854-I Advanced Program Receiver
Cisco D9858 Advanced Receiver Transcoder
Cisco D9859 Advanced Receiver Transcoder
Cisco D9865 Satellite Receiver
Cisco DCM Series 9900-Digital Content Manager
Cisco Digital Media Players
Cisco TelePresence Exchange System (CTX)
Cisco TelePresence Management Suite (TMS)
Cisco TelePresence Management Suite Analytics Extension (TMSAE)
Cisco TelePresence Management Suite Extension (TMSXE)
Cisco TelePresence Management Suite Extension for IBM
Cisco TelePresence Management Suite Provisioning Extension

Wireless

Cisco Wireless Location Appliance

Cisco Hosted Services

Cisco Connected Analytics For Collaboration
Cisco Install Base Management (IBM)
Cisco Registered Envelope Service (CRES)
Cisco Services Platform Collector (CSPC)
Cisco SmartConnection
Cisco SmartReports
Cisco WebEx WebOffice & Workspace
Cisco Webex Messenger Service
Connected Analytics for Network Deployment (CAND)
Services Analytic Platform
Webex Meeting Center

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

The OpenSSL Project disclosed eight vulnerabilities on January 8, 2015. One or more of these vulnerabilities affect both client and server installations of OpenSSL. The vulnerability names and the associated Common Vulnerabilities and Exposures (CVE) IDs are as follows.

The impact of these vulnerabilities on Cisco products may vary depending on the affected product.

For Cisco products, please refer to the information provided in the Cisco bug IDs listed in the Affected Products section of this document. Additional information and detailed instructions are available in the Cisco installation, configuration, and maintenance guides for each product. If additional clarification or advice is needed, please contact your support organization.

OpenSSL DTLS Message Processing Denial of Service Vulnerability

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to improper processing of network messages. An attacker could exploit this vulnerability by sending malicious network messages to a targeted system.

This vulnerability has been assigned CVE ID CVE-2014-3571.

OpenSSL dtls1_buffer_record Function DTLS Message Processing Denial of Service Vulnerability

OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to an error condition that occurs when the affected software processes crafted Datagram Transport Layer Security (DTLS) packets. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted DTLS packets to an affected OpenSSL-based server. An exploit could allow the attacker to consume excessive memory resources, resulting in a DoS condition.

This vulnerability has been assigned CVE ID CVE-2015-0206.

OpenSSL no-ssl3 Option NULL Pointer Dereference Vulnerability

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability is due to improper implementation of the OpenSSL build configuration. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted SSL 3.0 handshake request to the targeted client. Processing the request could cause the affected software to terminate abnormally, leading to a DoS condition.

This vulnerability has been assigned CVE ID CVE-2014-3569.

OpenSSL Elliptic Curve Cryptographic Downgrade Vulnerability

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to conduct downgrade attacks.

The vulnerability is due to insecure implementation of ephemeral Elliptic Curve Diffie-Hellman (ECDH) ciphersuites by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by transmitting crafted handshake requests to the targeted client system. When processed, the requests could allow the attacker to downgrade the server to use the weaker encryption protocol, which could allow the attacker to obtain sensitive information from the system.

This vulnerability has been assigned CVE ID CVE-2014-3572.

OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to bypass security restrictions.

The vulnerability is due to improper handling of an RSA temporary key. An attacker with a privileged network position could exploit the vulnerability by returning a weak temporary RSA key to a system using an application that uses the vulnerable OpenSSL library. When processed, the insecure temporary key could result in reduced cryptographic protections, which could allow the attacker to bypass security protections.

This vulnerability has been assigned CVE ID CVE-2015-0204.

OpenSSL Diffie-Hellman Certificate Validation Authentication Bypass Vulnerability

OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to bypass certain security restrictions and access sensitive information on a targeted system.

The vulnerability is due to improper certificate verification by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by transmitting a crafted Diffie-Hellman certificate without the certificate verify message to the affected server. The processing of such certificates could allow the attacker to bypass certain security restrictions and access sensitive information on the system.

This vulnerability has been assigned CVE ID CVE-2015-0205.

OpenSSL Certificate Fingerprint Validation Vulnerability

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to bypass fingerprint-based certificate validation mechanisms implemented by the affected software.

The vulnerability exists due to insufficient constraints applied on certificate data by the affected software. An attacker could exploit this vulnerability by including crafted data within a certificate's unsigned portion and submitting it to be processed by the affected software. If successful, an attacker could bypass the fingerprint-based certificate-blacklist protection mechanism implemented by the affected software.

This vulnerability has been assigned CVE ID CVE-2014-8275.

OpenSSL BN_sql Function Incorrect Mathematical Results Issue

An issue in OpenSSL could result in the calculation of incorrect mathematical results.

The issue is in the BN_sql function because the function does not properly calculate the square of a BIGNUM value. An unauthenticated, remote attacker could exploit this issue using an unspecified vector. Successful exploitation could cause the software to calculate incorrect results.

Reports suggest that no exploits are known and straightforward bug attacks fail because the attacker cannot control when the bug triggers and no private key material is involved.

This vulnerability has been assigned CVE ID CVE-2014-3570.

Workarounds

For potential workarounds on a specific Cisco product, refer to the Cisco bug ID, available from the Cisco Bug Search Tool.

Fixed Software

When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

In early March 2015, CVE-2015-0204: OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability, received media attention for research done into the factoring attack on RSA-EXPORT Keys (dubbed FREAK).

These vulnerabilities were publicly disclosed by the OpenSSL Project on January 5, 2015. Consistent with our security vulnerability disclosure policy, the Cisco PSIRT began disclosing the effect to Cisco products through public release notes, before increased public discussion of FREAK led to this security advisory.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Snort Rule 33686

Snort Rule 33687

Snort Rule 33688

Snort Rule 33689

Snort Rule 33690

Snort Rule 33691

Snort Rule 33692

Snort Rule 33693

Snort Rule 33694

Snort Rule 33695

Snort Rule 33696

Snort Rule 33697

Snort Rule 33698

Snort Rule 33699

Snort Rule 33700

Snort Rule 33701

Snort Rule 33702

Snort Rule 33703

Snort Rule 33777

Snort Rule 33778

Snort Rule 33779

Snort Rule 33780

Snort Rule 33781

Snort Rule 33782

Snort Rule 33783

Snort Rule 33784

Snort Rule 33785

Snort Rule 33786

Snort Rule 33787

Snort Rule 33788

Snort Rule 33789

Snort Rule 33790

Snort Rule 33791

Snort Rule 33792

Snort Rule 33793

Snort Rule 33794

Snort Rule 33795

Snort Rule 33796

Snort Rule 33797

Snort Rule 33798

Snort Rule 33799

Snort Rule 33800

Snort Rule 33801

Snort Rule 33802

Snort Rule 33803

Snort Rule 33804

Snort Rule 33805

Snort Rule 33806

Snort Rule 51356

Snort Rule 51357

Snort Rule 51358

Snort Rule 51359
Show All 52...

URL

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl

Revision History

Version	Description	Section	Status	Date
1.17	Updated first fixed releases for the APIC from 1.1(0.625), 1.0(2.136a) to 1.1(1j) and 1.0(3f)	Affected Products	Final	2015-November-13
1.16	Added Cisco IP Phone 8800 Series to affected products section.			2015-September-22
1.15	Updated fixed releases availability.			2015-June-02
1.14	Moved the Cisco Mobility Services Engine (MSE) to an affected product. Updated Fixed releases availability.			2015-May-28
1.13	Updated Vulnerable Products Fixed releases availability column.			2015-May-14
1.12	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-May-06
1.11	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-April-30
1.10	Updated the Vulnerable Products fixed column. Added Cisco IOS Access Points to under investigation.			2015-April-27
1.9	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-April-17
1.8	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-April-13
1.7	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Removed End of Life product - Cisco Small Business ISA500 Series Integrated Security Appliances.			2015-April-09
1.6	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-April-02
1.5	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Several End of Life products were removed from the advisory.			2015-March-26
1.4	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Added Cisco TelePresence IP Gateway Series to the advisory.			2015-March-19
1.3	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-March-16
1.2	Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-March-13
1.1	Moved Cisco Content Security Management Appliance (SMA) from Not Vulnerable to under Investigation. Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.			2015-March-11
1.0	Initial public release.			2015-March-10

Show Less

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

Feedback

Leave additional feedback