Cisco Support Community
Community Member

ShellShock Vulnerable products

Hello

 

We have Cisco UCS blade servers B420 M3 serial : FCH1710J7JP

and the Fabric Interconnect : UCS-FI-6248UP

I need to know if those products are vulnerable to ShellShock.

If they are vulnerable, which patch do I need to install?

 

7 REPLIES
Silver

Hi Konstantin-

Yep, your Fabric Interconnect is, and there is no patch released yet.

Here is the bug: https://tools.cisco.com/bugsearch/bug/CSCur01379

Workaround:
The access to the FI Management Address has to be in a protected domain to block potential exploitation of the vulnerability.

Here is a link to the Security Advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

DJ

Community Member

Do you know when the update is supposed to be released?

 

Silver

Hi Konstantin-

 

I do not.  Keep an eye on the bug that I referenced and it should be updated.

 

DJ

Community Member

They expect to have an update in the week starting 10/13/14.

Community Member

Just an FYI a fix has been released (2.2(3b))......
 
Fixes will be available in the following upcoming releases:
3.0(1d) ==> ETA week of 10/13
2.2(3b) ==> released 10/9
2.2(2e) ==> ETA week of 10/13
2.2(1f) ==> ETA week of 10/13
2.1(3f) ==> ETA will be announced shortly
2.0(5g) ==> ETA will be announced shortly

All six CVEs, CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6278, and CVE-2014-6277 have been fixed.

The 2.2(3b) release was published to CCO on 10/9. The other 2.2 release trains will be updated in the week of 10/13. The release schedule for the 2.0 and 2.1 release trains will be announced soon - release candidates are currently still in QA.
 
Community Member

I have 2.2(1d)

I don't see that version on the list.

Is this version fine, with no need to update?

 

Community Member

All releases starting with the first release 1.0(1e) are vulnerable.

You have 2.2(1b) so you have to upgrade to 2.2(1f) or any other version above that such as 2.2(2e), 2.2(3b) or 3.0(1d).....
 

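Added example, not part of the thread and not Cisco tooling: a small Python check that compares installed UCS Manager versions against the fixed builds listed in the thread, train by train. It assumes patch letters are a single lowercase letter that increases within a train, and that any build at or after the listed one in the same train carries the fix; trains the thread does not list are reported as "unlisted" and need the advisory. The inventory names are made up.

```python
import re

# First fixed build per release train, as listed in the thread above.
FIXED_BUILDS = ["3.0(1d)", "2.2(3b)", "2.2(2e)", "2.2(1f)", "2.1(3f)", "2.0(5g)"]

# Assumption: versions look like X.Y(Zp) with one lowercase patch letter.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z])\)$")

def parse_version(text):
    """Split 'X.Y(Zp)' into ((X, Y, Z), p); raise ValueError on other shapes."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised UCS Manager version: {text!r}")
    major, minor, maint, patch = m.groups()
    return (int(major), int(minor), int(maint)), patch

# Train (X, Y, Z) -> patch letter of the first fixed build in that train.
FIXED_BY_TRAIN = dict(parse_version(v) for v in FIXED_BUILDS)

def shellshock_status(installed):
    """Return (status, fixed_build_for_train) for one installed version."""
    train, patch = parse_version(installed)
    fixed_patch = FIXED_BY_TRAIN.get(train)
    if fixed_patch is None:
        # The thread names no fixed build for this train.
        return "unlisted", None
    fixed = "{}.{}({}{})".format(*train, fixed_patch)
    if patch >= fixed_patch:
        return "fixed", fixed
    return "vulnerable", fixed

def audit(inventory):
    """Map each name in {name: version} to its status; bad strings are 'invalid'."""
    report = {}
    for name, version in inventory.items():
        try:
            report[name] = shellshock_status(version)
        except ValueError:
            report[name] = ("invalid", None)
    return report

# Constructed inventory (hostnames are made up for this example).
SAMPLE = {"fi-a": "2.2(1d)", "fi-b": "2.2(3b)", "fi-c": "2.1(1a)", "fi-d": "2.2"}

if __name__ == "__main__":
    for name, (status, fixed) in audit(SAMPLE).items():
        print(f"{name}: {status}" + (f" (train fixed in {fixed})" if fixed else ""))
```
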