×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ASA Security Advisory - CSCui77398 - Is 9.0(3) Vulnerable?

Unanswered Question
Oct 21st, 2013
User Badges:

Hello

We are currently running ASA9.0(3)ED on our firewalls.  This is the latest release in the 9.0 train on the downloads page, dated 22/07/2013


The bug above is in the latest set of advisories released 13/10/2013

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCui77398


The bug states that it was first found in 9.0(3.2), first fixed in 9.0(3.5) and the latest interim release available for download is 9.0(3.6)

The interim releases are presumably released after the original ASA9.0(3)ED date? Is this correct?


This particular bug is not mentioned in the release notes for the latest interim release.  It would be good to be able to see the release notes for the 9.0(3.5) release, which is where it should be documented


My fundamental question is can we assume that the version we are using is effectively 9.0(3.0) and therefore not vulnerable?


Any help would be appreciated


Regards

Francis

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Marvin Rhoads Tue, 11/05/2013 - 16:41
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

Interim releases do not generally get their own release notes on the product support page. For ASA 9.0(3), anything with a 3._ in that last part would be an interim release. The downloads page does have the release notes for the currently available interim builds (9.0(3.6) and 9.0(3.8) in that train).


If, after reading the security advisory and analyzing its applicability to your environment, you judge it necessary to update to the interim release that addresses the vulnerability, you can download it directly or contact the TAC to obtain a copy (without service contract in the case of PSIRT-identified vulnerabilities).


I suppose of you want to see the specific release notes for 9.0(3.5) the TAC would probably be able to get you a copy of those too.

Actions

This Discussion