ASA Security Advisory - CSCui77398 - Is 9.0(3) Vulnerable?

francis fox · ‎10-21-2013

Hello

We are currently running ASA9.0(3)ED on our firewalls. This is the latest release in the 9.0 train on the downloads page, dated 22/07/2013

The bug above is in the latest set of advisories released 13/10/2013

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCui77398

The bug states that it was first found in 9.0(3.2), first fixed in 9.0(3.5) and the latest interim release available for download is 9.0(3.6)

The interim releases are presumably released after the original ASA9.0(3)ED date? Is this correct?

This particular bug is not mentioned in the release notes for the latest interim release. It would be good to be able to see the release notes for the 9.0(3.5) release, which is where it should be documented

My fundamental question is can we assume that the version we are using is effectively 9.0(3.0) and therefore not vulnerable?

Any help would be appreciated

Regards

Francis

Marvin Rhoads · ‎11-05-2013

Interim releases do not generally get their own release notes on the product support page. For ASA 9.0(3), anything with a 3._ in that last part would be an interim release. The downloads page does have the release notes for the currently available interim builds (9.0(3.6) and 9.0(3.8) in that train).

If, after reading the security advisory and analyzing its applicability to your environment, you judge it necessary to update to the interim release that addresses the vulnerability, you can download it directly or contact the TAC to obtain a copy (without service contract in the case of PSIRT-identified vulnerabilities).

I suppose of you want to see the specific release notes for 9.0(3.5) the TAC would probably be able to get you a copy of those too.