CSCur23709 - ASA Fixed releases for POODLE

tdargis
Level 1

The POODLE vulnerability for ASA is described in bug CSCur23709.

The list of fixed releases for bug CSCur23709 lists 9.0(4.201). When will it be generally available? I don't see it on the ASA5525 Interim Releases page.

Also, Bug CSCur23709 refers to a fix for CSCug51375 as being available for releases 9.1.2 and later but I can find no reference to it in any of the Interim Release notes.

Finally, there is no indication of when a fixed release might be available. Can anyone comment?

12 Replies

Marvin Rhoads
Hall of Fame

If you need a maintenance build for a specific bug, you can open a TAC case. TAC will provide you that release.

The general availability of a release incorporating the bug fix is generally in the next minor release. 

kevin.blackburn
Level 4

9.1.6 was released yesterday which should be the revision with the fix for POODLE. Hope that helps.

My understanding has been that the POODLE vulnerability was fixed in 9.1(5.20) since the bugs CSCur23709 and CSCug51375 were in the list of fixed bugs.

We have been using 9.1(5.21) as the fixed release.

Is 9.1(6) a better fix?

There was the POODLE vuln for SSLv3 and then TLS as well. My understanding from the TAC case I opened was that 9.1.6 is the first full fix. Also noted accordingly in this page: https://tools.cisco.com/bugsearch/bug/CSCus08101/

This vulnerability is hardware dependent.
ANY Cisco ASA Software releases running for Cisco ASAv and Cisco ASA1000v ARE NOT affected by this vulnerability.
ALL Cisco ASA Software releases running on Cisco ASA 5500 and 5500-X Series and Cisco ASA Service Module ARE affected by this issue.

The first fixed ASA software releases for this vulnerability are as follows:
8.2 Train: 8.2.5.55
8.4 Train: 8.4.7.26
9.0 Train: 9.0.4.29
9.1 Train: 9.1.6
9.2 Train: 9.2.3.3
9.3 Train: 9.3.2.2

If you're running the 9.1 train, maintenance release 9.1(6) would be preferred over interim release 9.1(5.21).

Generally speaking we try to avoid deploying the interim releases in favor of the maintenance releases, except in cases where the patch is critical to the customer's operations.

The reason is that interim releases are not as fully regression tested as maintenance releases and there may be latent bugs introduced that cause other, unrelated, problems when deployed.

9.1.6 doesn't have the fix for TLS POODLE.

Yes it does. Post your config if you would like and I can tell you what the issue is. Thanks 

Are you sure ???

I may have accidentally thought this post was regarding TLS POODLE, but the bug IDs mentioned SSL POODLE.

The workaround is available on the 2nd Gen ASA. If you think this is resolved, then can you post the config for the 1st Gen ASA?

9.1.6 fixed both the SSL and TLS POODLE for me... I set the ssl server-version to TLSv1-only. Then if you do a scan at a site like https://www.ssllabs.com/ssltest/ you should come back with a passing score. 

I see the same result for 9.1(6). Thanks, Kevin.

I'm on version 9.3.2 and still have a vulnerability to POODLE on an ASA 5515. Is there a fix? If I go to ssllabs.com/ssltest I get an F for my ASA. Terrible.

Get to 9.3(2.1) or 9.3(3) as they apparently contain the fix according to CSCus08101.

I don't think 9.3(2.1) is available for download on cisco.com anymore but 9.3(3) is.

Known fixed releases:

9.0(4.27)
9.1(5.101)
9.1(6)
9.2(3.1)
9.2(4)
9.3(2.1)
9.3(2.201)
9.3(2.99)
9.3(3)
9.4(0.109)
9.4(1)

9.2(4) and 9.1.6(1) are recommended on the Cisco website.
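Added example (not code from the thread, from Cisco, or from the bug report): a small Python check that normalises the two ASA version notations mixed in this thread (9.1(5.21) versus 9.1.6) and compares a device's running release against the fixed-release lists posted above, honouring the ASAv/ASA1000v exemption quoted earlier. The fixed-release table and the sample inventory are constructed from the thread's text, and the rule that later releases in a train keep the fix is an assumption, not something verified against the live bug search.

```python
import re

# Fixed releases as posted in this thread (the per-train "first fixed" list
# quoted from CSCus08101 plus the later "known fixed releases" list).
# Constructed from the thread text, not pulled from a live bug-search query.
FIXED_RELEASES = [
    "8.2(5.55)", "8.4(7.26)", "9.0(4.27)", "9.0(4.29)",
    "9.1(5.101)", "9.1(6)", "9.2(3.1)", "9.2(3.3)", "9.2(4)",
    "9.3(2.1)", "9.3(2.2)", "9.3(3)", "9.4(0.109)", "9.4(1)",
]
# Platforms the quoted bug text says are not affected on any release.
UNAFFECTED_PLATFORMS = {"ASAv", "ASA1000v"}

# Accepts both notations seen in the thread: 9.1(5.21), 9.1.5.21, 9.1(6), 9.1.6
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:[.(](\d+)(?:\.(\d+))?\)?)?$")


def parse_version(text: str) -> tuple:
    """Normalise an ASA version string to (major, minor, maintenance, interim).
    Fields that are absent, e.g. the interim number in '9.1(6)', become 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def first_fixed_in_train(version: tuple):
    """Lowest fixed release in the same major.minor train, or None if that
    train does not appear in the posted lists."""
    same_train = sorted(
        v for v in map(parse_version, FIXED_RELEASES) if v[:2] == version[:2]
    )
    return same_train[0] if same_train else None


def poodle_status(platform: str, running: str) -> str:
    """Return 'not-affected', 'fixed', 'vulnerable' or 'unknown-train'."""
    if platform in UNAFFECTED_PLATFORMS:
        return "not-affected"
    ver = parse_version(running)
    fixed = first_fixed_in_train(ver)
    if fixed is None:
        return "unknown-train"  # train not covered by the posted lists
    # Assumption: releases at or after a train's first fixed release carry the
    # fix, so an interim below it (9.1(5.21) vs 9.1(5.101)) is still exposed.
    return "fixed" if ver >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory mirroring the versions debated in the thread.
    inventory = [("ASA5525", "9.1(5.21)"), ("ASA5525", "9.1.6"),
                 ("ASA5515", "9.3.2"), ("ASA5515", "9.3(3)"), ("ASAv", "9.3.2")]
    for platform, ver in inventory:
        print(f"{platform:8} {ver:11} {poodle_status(platform, ver)}")
```

The check reports what the posted lists imply; pair it with an external TLS scan such as the ssllabs test mentioned above, since the lists in the thread disagree about a few interim builds.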