WAAS - CVE-2008-5077 - OpenSSL Security Advisory

Answered Question
Feb 11th, 2009


I hope I am addressing this question to the right forum.

We have many customers who have a concern regarding this advisory. It refers to OpenSSL 0.9.8 being the affected version and 0.9.8j being the version that contains the patch for the vulnerability.

We have customers running versions 4.0.19 and 4.1.1c.

My question is, are these customers at risk? If so, when will a release be made available to rectify this?



htarra Tue, 02/17/2009 - 11:53

This condition may occur if a device running WAAS software is configured for Edge Services, which utilizes Common Internet File System (CIFS) optimization and receives a flood of TCP SYN packets on port 139 or 445.

Cisco has made free software available to address this vulnerability for affected customers. Workarounds are available to mitigate the effects of this vulnerability.

dstolt Wed, 02/18/2009 - 07:30


I have found a DDTS for patching this (CSCsx25549) which will be integrated in release 4.1.3. However, in versions 4.0.19 and 4.1.1c we do not have an AO to accelerate any SSL connections except with TFO, so customers will not be exposed. However, in release 4.1.3, we will enable an SSL accelerator, so they are patching for CVE-2008-5077 as appropriate.

Hope that helps,


Paul Pinto Wed, 02/18/2009 - 12:13


Thanks very much for the response. Would it be possible to get the details of CSCsx25549 for my record, and curiosity, purposes? Probably pushing my luck, but...

Thanks again for the response.


Correct Answer
dstolt Wed, 02/18/2009 - 12:32

It should be available next month.



