Cisco Support Community
New Member

Cisco Security Manager is vulnerable to CVE-2014-0160 - aka Heartbleed

Dear All,

We have CSM 4.4.0 SP2 patch 1 installed with no default configuration.

According to Cisco, CSM is on the Vulnerable Products list with Cisco bug ID CSCuo19265.

Do I need to take any action for my CSM?

Thanks & Regards

Ahmed...

2 ACCEPTED SOLUTIONS

Silver

I recommend that you restrict HTTPS access to the CSM server to the few clients that actually need access to it, until a fix has been released. That way you can at least limit the number of clients that could exploit this leak.

New Member

Hi Ahmed,

CSM 4.4.0 SP2 patch 1 is not vulnerable to Heartbleed. No action is required for this specific version of CSM.

Given below is the list of CSM versions that are vulnerable:

CSM 4.5
CSM 4.5 SP0 PP1
CSM 4.5 SP0 PP2

10 REPLIES
New Member

Many thanks 

New Member

I am running 4.5.0; it is vulnerable, because I have scanned and tested it. I see version 4.6.0 has just popped up on cisco.com. Can anyone confirm whether that fixes the bug?

New Member

CSM 4.6 has the fix and is not vulnerable.

New Member

I'm not sure if that's true. The release notes don't state anything about fixing that bug. Also, looking at the open-source licenses PDF for 4.6.0, it states OpenSSL version: 1.0.1e (which is the same version as 4.5.0, and all versions 1a through 1f are vulnerable).

I would find it very odd they didn't fix it, considering it was released just yesterday.

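The check the reply above performs by hand, reading the OpenSSL version out of a product's open-source licence document and comparing it with the Heartbleed-affected range, can be scripted. The following is an added example, not code from this thread or from Cisco; the sample lines are constructed to resemble the "OpenSSL version: 1.0.1e" wording quoted above, and the affected range used (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2) is taken from the OpenSSL advisory for CVE-2014-0160.

```python
import re

# CVE-2014-0160 (Heartbleed) affects OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix (OpenSSL advisory).
HEARTBLEED_FIXED_LETTER = "g"

# Matches strings such as "OpenSSL version: 1.0.1e", "OpenSSL 1.0.1e 11 Feb 2013"
# (the output of `openssl version`) or "OpenSSL 1.0.2-beta1".
VERSION_RE = re.compile(
    r"OpenSSL(?:\s+version)?:?\s*(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?",
    re.IGNORECASE,
)


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, beta) or None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter.lower(), int(beta) if beta else None)


def is_heartbleed_affected(version):
    """True if the parsed version falls inside the advisory's affected range."""
    major, minor, fix, letter, beta = version
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter, "" sorts before "a") up to and including 1.0.1f.
        return letter < HEARTBLEED_FIXED_LETTER
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the vulnerable heartbeat code.
        return beta == 1
    return False


def audit_version_lines(lines):
    """Map each input line to 'affected', 'not affected' or 'no version found'."""
    results = {}
    for line in lines:
        version = parse_openssl_version(line)
        if version is None:
            results[line] = "no version found"
        else:
            results[line] = "affected" if is_heartbleed_affected(version) else "not affected"
    return results


# Constructed sample inputs (not taken from any real licence document).
SAMPLE_LINES = [
    "OpenSSL version: 1.0.1e",   # the version the thread quotes for 4.5.0
    "OpenSSL version: 1.0.1g",   # the fixed release
    "OpenSSL 1.0.2-beta1",
    "OpenSSL 1.0.0k",
    "No crypto library listed",
]

if __name__ == "__main__":
    for line, verdict in audit_version_lines(SAMPLE_LINES).items():
        print(f"{line!r}: {verdict}")
```

A documented library version is only a prompt to ask the vendor, not a verdict: as the thread itself shows, the document can lag the shipped binary (4.6 was documented as 1.0.1e while actually carrying 1.0.1g), and vendors also backport fixes without changing the version letter. Treat "affected" as "confirm against the vendor advisory", which is exactly what the posters here did.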
New Member

Will follow up and update the documentation with the correct OpenSSL version, 1.0.1g. The Heartbleed vulnerability is addressed in CSM 4.6.

New Member

Great, thanks for the confirmation.

New Member

When will the patch to resolve the Heartbleed issue in CSM 4.5 be out?

New Member

CSM 4.5 CP3 is out and it fixes the Heartbleed vulnerability.

Request CSM450_SP0_CP3_bundle.zip from TAC
