11-07-2014 01:25 PM - edited 03-20-2019 08:21 PM
The POODLE vulnerability for ASA is described in bug CSCur23709.
The list of fixed releases for bug CSCur23709 lists 9.0(4.201). When will it be generally available? I don't see it on the ASA5525 Interim Releases page.
Also, bug CSCur23709 refers to a fix for CSCug51375 as being available for releases 9.1.2 and later, but I can find no reference to it in any of the Interim Release notes.
Finally, there is no indication of when a fixed release might be available. Can anyone comment?
11-07-2014 06:06 PM
If you need a maintenance build for a specific bug, you can open a TAC case. TAC will provide you that release.
The general availability of a release incorporating the bug fix is generally in the next minor release.
03-03-2015 04:57 AM
9.1.6 was released yesterday which should be the revision with the fix for POODLE. Hope that helps.
03-03-2015 06:49 AM
My understanding has been that the POODLE vulnerability was fixed in 9.1(5.20) since the bugs CSCur23709 and CSCug51375 were in the list of fixed bugs.
We have been using 9.1(5.21) as the fixed release.
Is 9.1(6) a better fix?
03-03-2015 08:38 AM
There was the POODLE vuln for SSLv3 and then TLS as well. My understanding from the TAC case I opened was that 9.1.6 is the first full fix. Also noted accordingly in this page: https://tools.cisco.com/bugsearch/bug/CSCus08101/
This vulnerability is hardware dependent.
ANY Cisco ASA Software releases running for Cisco ASAv and Cisco ASA1000v ARE NOT affected by this vulnerability.
ALL Cisco ASA Software releases running on Cisco ASA 5500 and 5500-X Series and Cisco ASA Service Module ARE affected by this issue.
The first fixed ASA software releases for this vulnerability are as follows:
8.2 Train: 8.2.5.55
8.4 Train: 8.4.7.26
9.0 Train: 9.0.4.29
9.1 Train: 9.1.6
9.2 Train: 9.2.3.3
9.3 Train: 9.3.2.2
03-03-2015 10:46 AM
If you're running the 9.1 train, maintenance release 9.1(6) would be preferred over interim release 9.1(5.21).
Generally speaking we try to avoid deploying the interim releases in favor of the maintenance releases except in case where the patch is critical to the customer's operations.
The reason is that interim releases are not as fully regression tested as maintenance releases and there may be latent bugs introduced that cause other, unrelated, problems when deployed.
04-28-2015 11:49 AM
9.1.6 doesn't have the fix for TLS poodle.
04-28-2015 12:00 PM
Yes it does. Post your config if you would like and I can tell you what the issue is. Thanks
04-28-2015 12:16 PM
Are you sure ???
I may have accidentally thought this post was regarding TLS POODLE, but the bug IDs mentioned SSL POODLE.
The workaround is available on the 2nd Gen ASA. If you think this is resolved then can you post the config for the 1st Gen ASA?
04-28-2015 12:23 PM
9.1.6 fixed both the SSL and TLS POODLE for me... I set the ssl server-version to TLSv1-only. Then if you do a scan at a site like https://www.ssllabs.com/ssltest/ you should come back with a passing score.
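The post above describes the verification step a defender takes after the upgrade: set `ssl server-version` so SSLv3 is no longer offered, then confirm from the outside that an SSLv3 handshake is refused. The following is an added example, not code from the thread or from Cisco: it builds a minimal SSLv3 ClientHello, sends it, and classifies the first record the server returns (ServerHello at version 3.0 means SSLv3 is still accepted; an alert or an immediate close means it is refused). The host name is a placeholder; the cipher list and the sample records in the usage are constructed.

```python
"""SSLv3 acceptance probe (added example; hypothetical host names)."""
import socket
import struct

SSLV3 = b"\x03\x00"          # record/handshake version for SSL 3.0
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_SERVER_HELLO = 0x02

# Constructed list of CBC/RC4 suites an SSLv3-enabled server would accept:
# AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA.
CIPHER_SUITES = bytes.fromhex("002f0035000a0005")


def build_client_hello() -> bytes:
    """Return one TLS record carrying a minimal SSLv3 ClientHello."""
    client_random = b"\x00" * 32             # constructed; real clients send random bytes
    body = (
        SSLV3
        + client_random
        + b"\x00"                             # session id length = 0
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                         # one compression method: null
    )
    # Handshake header: type=ClientHello(1) + 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type=handshake(22) + version + 16-bit length.
    return bytes([RECORD_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returned to the SSLv3 ClientHello.

    Returns 'sslv3-accepted', 'sslv3-rejected' or 'unexpected'.
    """
    if not data:
        return "sslv3-rejected"      # many servers simply close on an unsupported version
    if len(data) < 5:
        return "unexpected"
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == RECORD_ALERT:
        return "sslv3-rejected"      # handshake_failure or protocol_version alert
    if content_type == RECORD_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        # ServerHello body starts after the 4-byte handshake header; version is its first field.
        if payload[4:6] == SSLV3:
            return "sslv3-accepted"
    return "unexpected"


def check_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "unexpected"
    return classify_response(data)


if __name__ == "__main__":
    # Placeholder host; replace with the ASA's management or VPN address.
    print(check_sslv3("asa.example.invalid"))
```

After the `ssl server-version` change the probe should report `sslv3-rejected`. This check only covers the SSLv3 variant of POODLE; the TLS variant tracked in CSCus08101 is a padding-check defect in the server's CBC implementation, which an offered-version probe cannot see, so the SSL Labs scan the thread recommends (or the vendor's fixed release) remains the confirmation for that one.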
04-28-2015 02:17 PM
I see the same result for 9.1(6). Thanks Kevin.
10-27-2015 12:10 PM
I'm on version 9.3.2 and still have a vulnerability to POODLE on an ASA 5515. Is there a fix? If I go to ssllabs.com/ssltest I get an F for my ASA. Terrible.
10-27-2015 02:36 PM
Get to 9.3(2.1) or 9.3(3) as they apparently contain the fix according to CSCus08101.
I don't think 9.3(2.1) is available for download on cisco.com anymore but 9.3(3) is.
Known fixed releases: