OpenSSL vulnerabilities in WLC 7.4.110.0

Rene S.
Level 1

Hi, version 7.4.11.0 is vulnerable to the following CVE IDs:

CVE-2014-0224 CVE-2014-0221 CVE-2014-0195 CVE-2014-0198 CVE-2010-5298 CVE-2014-3470 CVE-2014-0076
 
Is there a patch, that could fix it?
 
Thanks!
 
Accepted Solutions

mohanak
Cisco Employee
Multiple Vulnerabilities in OpenSSL - June 2014
CSCup22587

Symptom:
The following Cisco products:

Wireless LAN Controllers: 5500, 2500, Wism1, Wism2, 7500, 8500, 2100, NM-WLC, 4400

include a version of openssl that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-0224 - SSL/TLS MITM vulnerability
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-3470 - Anonymous ECDH denial of service
CVE-2014-0195 - DTLS invalid fragment vulnerability

This bug has been opened to address the potential impact on this product.


Conditions:
Devices with default configuration.

Affected Releases
All 4.x, 5.x, 6.x, 7.0.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x
Workaround: Not Available


More Info:
CVE-2014-3470: ECDH is not in use, but a patch for the issue will be included

Fixed Releases
Upcoming: 7.4.130.0, 7.6.130.0, 8.0, 7.0.x
Will not be fixed: 4.x, 5.x, 6.x, 7.2.x, 7.3.x, 7.5.x (all end of engineering maintenance)

Fixed code will be posted in CCO soon. For beta access contact wnbu-mrbeta@external.cisco.com

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.5:

https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
 


Leo Laohoo
Hall of Fame

Use firmware version 7.4.121.0.


Hi, thanks for your answer. Do you know approximately when 7.6.130.0 will be released? Because I'll have to upgrade WLC anyway and if the release will be out soon, I would wait for it.

 

Thanks,

KR

As far as I know it will be released by mid August. Let's wait & see.

HTH

Rasika

**** Pls rate all useful responses ****

Is 7.4.121.0 affected or not?

I can see that 7.4.120.0 is affected and that the fix will be in 7.4.130.0 but no mentioning of 7.4.121.0.

Thanks,

Frank
