Cisco CSS 11500 Series Content Services Switches

WebNS 7.10.2.06 for the Cisco CSS 11500 Series Content Services Switch Has High Severity Defects and Should be Upgraded to Version 7.10.2.06A


June 19, 2003


Products Affected

Product         Comments
CSS11501        Running WebNS 7.10.2.06 (sg0710206.adi) only
CSS11503-AC     Running WebNS 7.10.2.06 (sg0710206.adi) only
CSS11503-DC     Running WebNS 7.10.2.06 (sg0710206.adi) only
CSS11506-2AC    Running WebNS 7.10.2.06 (sg0710206.adi) only
CSS11506-2DC    Running WebNS 7.10.2.06 (sg0710206.adi) only

Problem Description

WebNS 7.10.2.06 (sg0710206.adi) has the following high severity bugs and has been replaced with version 7.10.2.06A on CCO. Under certain traffic patterns, these defects can cause the system to core and reload. In addition, if SNMP traps are configured for DOS, this can also cause the system to core and reload.

Defects:

  • CSCeb12602 - ibcAgtKick_SM can crash the switch referencing through a NULL ptr

  • CSCeb12567 - IPV4 task can cause unexpected behavior

  • CSCeb12562 - Fm_MgmtMsgTask can return if error on sysMsgReceive

  • CSCeb09364 - DOS attack with snmp DOS trap configured causes a reload

A fix for CSCea88415 was included as well. This defect was not introduced in version 7.10.2.06, but was resolved in version 7.10.2.06A. CSCea88415: SNMP is always enabled and responds to null community strings.

Background

Cisco found high severity defects in the version 7.10.2.06 maintenance release and built version 7.10.2.06A with the fixes for these defects.

Problem Symptoms

WebNS 7.10.2.06 has four high severity defects that could cause a CSS 11500 to core and reload. There is also a defect, not introduced in version 7.10.2.06, that could result in a security vulnerability if a community string is not configured or is null.

Show running-config on a system running version 7.10.2.06 will show: sg0710206

Workaround/Solution

Download version 7.10.2.06A (sg0710206A.adi-gz) from CCO and upgrade all CSS 11500s that are currently running version 7.10.2.06. Show version on a system running version 7.10.2.06 will display:

version : sg0710206(7.10 build 206)

Software can be found on the CSS11500 Maintenance Releases page.

After the upgrade show version will display:

version: sg0710206a(7.10 build 206)

or

version: sg0710206A(7.10 build 206)

NOTE: 7.10.2.06A is built off of 7.10.2.06 and contains all fixes from 7.10.2.06 and the fixes referenced in this Field Notice. Sustaining builds were not built off of this version. It is a rebuild of a maintenance release. All fixes are incorporated into a later sustaining release 7.10.2.10s along with any other sustaining fixes. Cisco is recommending that all customers running 7.10.2.06 upgrade to 7.10.2.06A.
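
The following is an added example, not part of the Cisco notice: a small Python check that classifies captured show version output using the version strings quoted above. It matches the image name exactly, because sg0710206 is a prefix of the fixed image name sg0710206A and a plain substring search would flag upgraded devices as affected. The device names and sample text are constructed for illustration.

```python
import re

# Image token from "show version" output. Tolerates both "version:" and
# "version :" spacing, since both forms appear in the notice.
VERSION_RE = re.compile(r"version\s*:\s*(sg\d+[A-Za-z]?)\s*\(", re.IGNORECASE)

AFFECTED = "sg0710206"   # WebNS 7.10.2.06
FIXED = "sg0710206a"     # WebNS 7.10.2.06A (displayed as ...206a or ...206A)


def classify(show_version_output):
    """Return 'affected', 'fixed', 'other' or 'unknown' for one device."""
    match = VERSION_RE.search(show_version_output)
    if not match:
        return "unknown"          # no version line captured; recheck by hand
    image = match.group(1).lower()
    if image == AFFECTED:         # exact match, never a prefix/substring test
        return "affected"
    if image == FIXED:
        return "fixed"
    return "other"                # a release this notice does not cover


def audit(outputs):
    """Map device name -> classification for a dict of captured outputs."""
    return {name: classify(text) for name, text in outputs.items()}


# Constructed sample captures (hypothetical device names).
SAMPLE = {
    "css-a": "version: sg0710206(7.10 build 206)",
    "css-b": "version : sg0710206(7.10 build 206)",
    "css-c": "version: sg0710206A(7.10 build 206)",
    "css-d": "version: sg0710206a(7.10 build 206)",
    "css-e": "version: sg0000000(constructed image name)",
    "css-f": "",
}

if __name__ == "__main__":
    for device, state in sorted(audit(SAMPLE).items()):
        print(device, state)
```
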

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS

Description

CSCeb12602 (registered customers only)

Under extremely heavy load, the FlowMgrMgmtTask can stop working due to corruption of an internal message. This may cause the system to run out of message buffers resulting in a system reload.

Workaround: Reduce traffic load.

CSCeb12567 (registered customers only)

Under extremely heavy load, the FlowMgrMgmtTask can stop working due to corruption of an internal message. This may cause the system to run out of message buffers resulting in a system reload.

Workaround: Reduce traffic load.

CSCeb12562 (registered customers only)

Under extremely heavy load, the FlowMgrMgmtTask can stop working due to corruption of an internal message. This may cause the system to run out of message buffers resulting in a system reload.

Workaround: Reduce traffic load.

CSCeb09364 (registered customers only)

The system would reload when attempting to send a Denial Of Service SNMP Trap.

Workaround: Remove the Denial of Service Trap from the configuration.

CSCea88415 (registered customers only)

On a CSS11500 running 7.10.2.06 and earlier, it is possible to run an snmpwalk against the device with a null community string while no SNMP services are configured on the device.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
