New Member

CSCug34485 - IOS OSPF LSA Injection Vulnerability

Hi folks,

We're preparing to upgrade all our routers to fix this bug or close this vulnerability.

We have some devices which run the 12.2(33)SXJ train. However, the "Known fixed version" states that the version 12.2(33)SXJ6 should fix this bug, but I cannot find anything about it in the release notes.

How can I make / be sure that this is really fixed? Is it an error in the release notes?

Cheers

Alex

1 ACCEPTED SOLUTION

Cisco Employee

CSCug34485 - IOS OSPF LSA Injection Vulnerability

The release notes are now updated.  Thank you for bringing this problem to our attention.

8 REPLIES
Cisco Employee

CSCug34485 - IOS OSPF LSA Injection Vulnerability

In general, the bug toolkit is the authoritative source, which pulls the data from the internal bug tracking system.

Also, the alert here

(http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130801-lsaospf)

explicitly calls out 12.(33)SXJ6.

Which document are you looking at that seems to have the wrong or confusing information?

New Member

CSCug34485 - IOS OSPF LSA Injection Vulnerability

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/caveats_SXJ.html and search for the string "34485".

I even checked the PDF version from the master document

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html but there I only find this bug being resolved under 12.2(33)SXI12.

Cheers Alex

New Member

CSCug34485 - IOS OSPF LSA Injection Vulnerability

... not sure if the fact that SXI < SXJ implies the bug being resolved in SXJ because it has been explicitly resolved in SXI12?

Cisco Employee

Re: CSCug34485 - IOS OSPF LSA Injection Vulnerability

This must be an oversight.  The release note documents are "human created" and there is a special process for PSIRT bugs.  I'm guessing a quirk in the publishing cycle caused an oversight here.

I will submit a request for errata.  Not sure if it will ever get corrected, but I will pass information about the problem to the PSIRT group and the documentation group.

As a matter of believability in the presence of conflicting information, you can generally place greater trust in PSIRT bulletins since they tend to have more verification and rechecking than other documents on the website.

New Member

CSCug34485 - IOS OSPF LSA Injection Vulnerability

Thank you very much for this clarification.

Cisco Employee

CSCug34485 - IOS OSPF LSA Injection Vulnerability

Thanks for reporting it.  Sometimes things fall through the cracks and we can only fix it when people take the time to tell us.  We appreciate the diligence and dedication of our customers.

Cisco Employee

CSCug34485 - IOS OSPF LSA Injection Vulnerability

The release notes are now updated.  Thank you for bringing this problem to our attention.

New Member

CSCug34485 - IOS OSPF LSA Injection Vulnerability

ACK.

Great.

Thanks.
