CiscoWorks Common Services Software

Field Notice: FN - 62297 - Common Services 2.2 and 3.0 - Vulnerabilities in Third Party Software - Apache, ModSSL and OpenSSL - Patch/Upgrade Required


January 10, 2006

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

CiscoWorks Common Services - 2.2

CiscoWorks Common Services - 3.0

Problem Description

CiscoWorks Common Services 2.2 and 3.0 use Apache, ModSSL and OpenSSL. Security vulnerabilities that need to be addressed exist with these third party software programs.

Problem Symptoms

A vulnerability has been found in all previously released versions of OpenSSL (all versions prior to 0.9.7h and 0.9.8a). Versions 0.9.7h and 0.9.8a have been released to address the issue. The vulnerability potentially affects applications that use the SSL/TLS server implementation provided by OpenSSL: a server running with the SSL_OP_MSIE_SSLV2_RSA_PADDING option (which is part of the commonly used SSL_OP_ALL set) can be forced by a man-in-the-middle to negotiate SSL 2.0 even when both client and server support TLS, exposing the session to the known weaknesses of SSL 2.0. A server that has SSL 2.0 disabled outright (in mod_ssl, SSLProtocol all -SSLv2) cannot be rolled back, but the patch is still required.

The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2969 (now listed as CVE-2005-2969) to this issue.

For more details, see the OpenSSL Security Advisory.

CiscoWorks Common Services 2.2 and 3.0 currently ship with OpenSSL 0.9.7d, which must be upgraded to a fixed release (0.9.7h or later on the 0.9.7 branch) to address this security vulnerability.

Similarly, Common Services 2.2 and 3.0 currently use Apache 1.3.31, which needs to be upgraded to Apache 1.3.34 because of recent security fixes. The main security fixes in 1.3.34 are:

  • If a request contains both Transfer-Encoding and Content-Length headers, the Content-Length header is removed, so the request is framed only by its Transfer-Encoding. This mitigates HTTP request splitting/smuggling attacks, in which a proxy and the origin server frame the same byte stream differently because each honours a different header (CVE-2005-2088).

  • A new TraceEnable [on|off|extended] per-server directive controls the TRACE method, so TRACE can be disabled for the whole server with TraceEnable off instead of through mod_rewrite rules.

For more details, see the Apache HTTP Server 1.3.34 Released announcement.
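The framing disagreement that the Content-Length rule removes, as an added example that is not part of this field notice or of Apache's source. The script models two framing policies over a constructed request stream: one that honours Content-Length (as an intermediary might) and one that honours Transfer-Encoding (as Apache does), then applies the 1.3.34 rule and shows that the two views converge. The stream, the host name ciscoworks.example and the simplified chunked reader (no trailers) are assumptions for illustration.

```python
"""Request framing with conflicting Content-Length and Transfer-Encoding.

Added example, not part of the field notice or Apache's source. It shows why
Apache 1.3.34 drops Content-Length when Transfer-Encoding is present: two
parsers that prefer different headers split one byte stream into different
requests, which is the condition request splitting/smuggling exploits.
"""

# Constructed stream (not a capture). The POST body, as Content-Length sees
# it, is the chunked terminator followed by what looks like a second request.
HIDDEN_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: ciscoworks.example\r\n"
    b"\r\n"
)
POST_BODY = b"0\r\n\r\n" + HIDDEN_REQUEST
RAW_STREAM = b"".join([
    b"POST /login HTTP/1.1\r\n",
    b"Host: ciscoworks.example\r\n",
    b"Content-Length: %d\r\n" % len(POST_BODY),
    b"Transfer-Encoding: chunked\r\n",
    b"\r\n",
    POST_BODY,
])


def parse_head(buf):
    """Split one request head off buf; returns (request_line, headers, rest) or None."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, rest


def read_chunked(rest):
    """Consume a chunked body (no trailers assumed); returns (body, remaining bytes)."""
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")  # blank line after the last chunk
            return body, rest
        body += rest[:size]
        rest = rest[size + 2:]  # skip chunk data and its trailing CRLF


def frame(stream, policy, apache_1_3_34_rule=False):
    """Split stream into [(request_line, body), ...].

    policy "cl" frames by Content-Length when present, "te" frames by
    Transfer-Encoding when present. apache_1_3_34_rule applies the fix from
    the notice: Content-Length is discarded whenever Transfer-Encoding is
    present, so every policy ends up framing by the chunked encoding.
    """
    requests, buf = [], stream
    while buf:
        parsed = parse_head(buf)
        if parsed is None:
            break
        request_line, headers, rest = parsed
        if apache_1_3_34_rule and "transfer-encoding" in headers:
            headers.pop("content-length", None)
        chunked = headers.get("transfer-encoding", "").lower() == "chunked"
        has_cl = "content-length" in headers
        if has_cl and (policy == "cl" or not chunked):
            n = int(headers["content-length"])
            body, buf = rest[:n], rest[n:]
        elif chunked:
            body, buf = read_chunked(rest)
        else:
            body, buf = b"", rest
        requests.append((request_line, body))
    return requests


def smuggling_demo():
    """Return the three views of RAW_STREAM: CL-first, TE-first, and CL-first after the fix."""
    return (frame(RAW_STREAM, "cl"),
            frame(RAW_STREAM, "te"),
            frame(RAW_STREAM, "cl", apache_1_3_34_rule=True))


if __name__ == "__main__":
    cl_view, te_view, fixed_view = smuggling_demo()
    print("Content-Length framing sees", len(cl_view), "request(s)")
    print("Transfer-Encoding framing sees", len(te_view), "request(s):",
          [r[0] for r in te_view])
    print("After the 1.3.34 rule both agree:", fixed_view == te_view)
```

The Content-Length view treats the whole stream as one POST; the Transfer-Encoding view ends the POST at the zero-length chunk and reads the hidden GET /admin as a second request. Once Content-Length is discarded, both views agree, which is the whole point of the 1.3.34 change.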

Workaround/Solution

  1. Patches have been posted at the CiscoWorks CD One Patches (Strong Crypto) (registered customers only) site for CiscoWorks Common Services 2.2 and 3.0 on both Solaris and Windows platforms with appropriate readme files.

    Alternatively:

  2. If you currently have CiscoWorks Common Services 3.0, which ships with LMS 2.5, then upgrading to CiscoWorks LMS 2.5.1 will also resolve the issue.
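To confirm that the patch or the LMS 2.5.1 upgrade took effect on a host, as an added example that is not Cisco's code and not part of the patch readme: the script parses the banner the CiscoWorks Apache returns in its Server header, or the output of the bundled openssl version command, and compares it against the fixed versions named in this notice (Apache 1.3.34; OpenSSL 0.9.7h on the 0.9.7 branch and 0.9.8a on the 0.9.8 branch). The sample banners are constructed, not captured. A Server header can be suppressed or edited, so treat the patch readme and the on-disk binaries as authoritative.

```python
"""Version check for the third-party components named in FN-62297.

Added example, not Cisco's code. Input is either the HTTP Server header the
CiscoWorks Apache returns or the output of the bundled `openssl version`.
"""
import re

# Fixed versions named in the field notice. OpenSSL fixes are per branch:
# 0.9.8 without a letter is still vulnerable, 0.9.8a is not.
APACHE_FIXED = (1, 3, 34)
OPENSSL_FIXED_LETTER = {(0, 9, 7): "h", (0, 9, 8): "a"}

_OPENSSL_RE = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)")
_APACHE_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")

# Constructed samples (not captured from a real system).
SAMPLE_SERVER_HEADER_UNPATCHED = "Apache/1.3.31 (Win32) mod_ssl/2.8.18 OpenSSL/0.9.7d"
SAMPLE_SERVER_HEADER_PATCHED = "Apache/1.3.34 (Unix) mod_ssl/2.8.25 OpenSSL/0.9.7i"
SAMPLE_OPENSSL_VERSION_OUTPUT = "OpenSSL 0.9.8 05 Jul 2005"


def parse_openssl(text):
    """Return ((major, minor, fix), letters) for the first OpenSSL version in text, else None."""
    m = _OPENSSL_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3]), m.group(4)


def parse_apache(text):
    """Return (major, minor, patch) for the first Apache version in text, else None."""
    m = _APACHE_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def _letter_key(letters):
    # OpenSSL patch letters sort a < b < ... < z < za < zb ..., so compare
    # by length first, then lexically; no letter at all sorts lowest.
    return (len(letters), letters)


def openssl_is_fixed(version):
    """True when the version is at or past the fix for its branch."""
    branch, letters = version
    required = OPENSSL_FIXED_LETTER.get(branch)
    if required is None:
        # Branches newer than 0.9.8 post-date the fix; older ones never got it.
        return branch > (0, 9, 8)
    return _letter_key(letters) >= _letter_key(required)


def apache_is_fixed(version):
    """True/False for the 1.3 branch; None for branches this notice does not cover."""
    if version[:2] != (1, 3):
        return None
    return version >= APACHE_FIXED


def assess(*texts):
    """Collect Apache and OpenSSL findings from any number of banner strings."""
    findings = {}
    for text in texts:
        ossl = parse_openssl(text)
        if ossl and "openssl" not in findings:
            findings["openssl"] = {"version": ossl, "fixed": openssl_is_fixed(ossl)}
        ap = parse_apache(text)
        if ap and "apache" not in findings:
            findings["apache"] = {"version": ap, "fixed": apache_is_fixed(ap)}
    return findings


if __name__ == "__main__":
    for banner in (SAMPLE_SERVER_HEADER_UNPATCHED, SAMPLE_SERVER_HEADER_PATCHED,
                   SAMPLE_OPENSSL_VERSION_OUTPUT):
        print(banner, "->", assess(banner))
```

On a live host, feed assess() the Server header from a HEAD request to the CiscoWorks web port and the output of the OpenSSL binary under the CiscoWorks install tree; a result of fixed False for either component means the patch in step 1 has not been applied.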

Revision History

Revision   Date          Comment
1.0        10-JAN-2006   Initial Public Release

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.