Cisco Support Community
New Member

CSCur23709 - ASA Fixed releases for POODLE

The POODLE vulnerability for ASA is described in bug CSCur23709.

The list of fixed releases for bug CSCur23709 lists 9.0(4.201). When will it be generally available? I don't see it on the ASA5525 Interim Releases page.

Also, Bug CSCur23709 refers to a fix for CSCug51375 as being available for releases 9.1.2 and later but I can find no reference to it in any of the Interim Release notes.

Finally, there is no indication of when a fixed release might be available. Can anyone comment?

12 REPLIES
Hall of Fame Super Silver

If you need a maintenance build for a specific bug, you can open a TAC case. TAC will provide you that release.

The general availability of a release incorporating the bug fix is generally in the next minor release. 

New Member

9.1.6 was released yesterday which should be the revision with the fix for POODLE. Hope that helps.

New Member

My understanding has been that the POODLE vulnerability was fixed in 9.1(5.20) since the bugs CSCur23709 and CSCug51375 were in the list of fixed bugs.

We have been using 9.1(5.21) as the fixed release.

Is 9.1(6) a better fix?

 

New Member

There was the POODLE vuln for SSLv3 and then TLS as well. My understanding from the TAC case I opened was that 9.1.6 is the first full fix. Also noted accordingly in this page: https://tools.cisco.com/bugsearch/bug/CSCus08101/

This vulnerability is hardware dependent.
ANY Cisco ASA Software releases running for Cisco ASAv and Cisco ASA1000v ARE NOT affected by this vulnerability.
ALL Cisco ASA Software releases running on Cisco ASA 5500 and 5500-X Series and Cisco ASA Service Module ARE affected by this issue.

The first fixed ASA software releases for this vulnerability are as follows:
8.2 Train: 8.2.5.55
8.4 Train: 8.4.7.26
9.0 Train: 9.0.4.29
9.1 Train: 9.1.6
9.2 Train: 9.2.3.3
9.3 Train: 9.3.2.2

Hall of Fame Super Silver

If you're running the 9.1 train, maintenance release 9.1(6) would be preferred over interim release 9.1(5.21).

Generally speaking, we try to avoid deploying the interim releases in favor of the maintenance releases except in cases where the patch is critical to the customer's operations.

The reason is that interim releases are not as fully regression tested as maintenance releases and there may be latent bugs introduced that cause other, unrelated, problems when deployed.

New Member

9.1.6 doesn't have the fix for TLS POODLE.

New Member

Yes it does. Post your config if you would like and I can tell you what the issue is. Thanks 

New Member

Are you sure???

I may have accidentally thought this post was regarding TLS POODLE but the bug IDs mentioned SSL POODLE.

The workaround is available on the 2nd Gen ASA. If you think this is resolved then can you post the config for the 1st Gen ASA?

New Member

9.1.6 fixed both the SSL and TLS POODLE for me... I set the ssl server-version to TLSv1-only. Then if you do a scan at a site like https://www.ssllabs.com/ssltest/ you should come back with a passing score. 
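
A local check for the `ssl server-version` change described in the post above, as an added example that is not part of the thread: it sends an SSLv3-only ClientHello and reports whether the device answers with an SSLv3 ServerHello. The names `sslv3_client_hello`, `classify`, `probe` and `SUITES` are illustrative assumptions, and the check covers SSLv3 acceptance only, not the TLS padding variant tracked as CSCus08101, which per this thread depends on the software release.

```python
import os
import socket
import struct

# Sample CBC and RC4 suites an SSLv3-capable server of that era would accept.
SUITES = (0x002F, 0x0035, 0x000A, 0x0005)

def sslv3_client_hello(random_bytes=None):
    """Build a minimal ClientHello record that offers SSLv3 (0x0300) only."""
    rnd = random_bytes or os.urandom(32)
    suites = b"".join(struct.pack(">H", s) for s in SUITES)
    body = (b"\x03\x00" + rnd + b"\x00"           # version, random, empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake

def classify(reply):
    """Interpret the first record the server sent back."""
    if len(reply) < 6:
        return "refused"           # connection closed without a full record
    rec_type, version = reply[0], (reply[1], reply[2])
    if rec_type == 0x15:
        return "refused"           # alert record, e.g. handshake_failure
    if rec_type == 0x16 and version == (3, 0) and reply[5] == 0x02:
        return "sslv3-accepted"    # ServerHello negotiated at SSLv3
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the hello to a device you administer and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.sendall(sslv3_client_hello())
            return classify(s.recv(4096))
        except ConnectionResetError:
            return "refused"       # a reset after the hello also means no SSLv3
```

A result of `refused` from `probe()` against the ASA's SSL listener is the expected outcome once SSLv3 is disabled; `sslv3-accepted` means the setting has not taken effect on that interface.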

New Member

I see the same result for 9.1(6). Thanks, Kevin.

New Member

I'm on version 9.3.2 and still have a vulnerability to POODLE on an ASA 5515. Is there a fix? If I go to ssllabs.com/ssltest I get an F for my ASA. Terrible.

New Member

Get to 9.3(2.1) or 9.3(3) as they apparently contain the fix according to CSCus08101.

 

I don't think 9.3(2.1) is available for download on cisco.com anymore but 9.3(3) is.

 

Known fixed releases:

9.0(4.27)
9.1(5.101)
9.1(6)
9.2(3.1)
9.2(4)
9.3(2.1)
9.3(2.201)
9.3(2.99)
9.3(3)
9.4(0.109)
9.4(1)
 
9.2(4) and 9.1.6(1) are recommended on the Cisco website.