Cisco ACE XML Gateways

Field Notice: FN - 62995 - ACE XML Gateway CRL Issue on Version 5.x


Revised December 7, 2007

December 6, 2007

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Revision History

Revision  Date         Comment
1.1       07-DEC-2007  Updated Title
1.0       06-DEC-2007  Initial Public Release

Products Affected

ACEXML - ACE-XML-K9

ACEXML - ACE-XML-SW-5.0

AVS - ACE-XML-SW-5.1

ACE XML GATEWAY

ACE XML MANAGER

Problem Description

There is a security issue in version 5.0 of the ACE-XML-Gateway product. With the CRL feature enabled, it is possible for traffic to run through the fast path, which does not support the CRL feature. The result is that it is possible for revoked X.509 certificates to be considered valid even if the user has enabled the CRL feature. This will happen in the following situation:

  1. The customer is using version 5.0 or later of ACE-XML-Gateway.

  2. The customer has enabled the CRL feature.

  3. The customer has otherwise only enabled features supported on fast path.

  4. The customer has not explicitly configured the data to run through flex path.

  5. One or more certificates have been revoked per the signing CA's CRL.

  6. One of the revoked certificates above is used to establish an SSL connection or for XML-DSig (in version 5.1 or later).

The problem will occur only when all of these conditions have been met.

Background

In version 5.0 of the ACE-XML-Gateway, Cisco introduced a new data plane engine, dubbed fast path. This engine runs in parallel with the original engine, dubbed flex path. The fast path engine only supports a small subset of the functionality supported by flex path. The config plane is responsible for identifying which data paths should be run through the fast versus flex paths based on the features enabled. Flex path supports a certificate revocation list (CRL) retrieval and validation feature, whereby X.509 certificates are considered invalid if they are found on the signing certificate authority's (CA's) CRL. This feature has not yet been implemented on fast path. The config plane must generate a data plane policy that passes traffic through flex path if the user has enabled CRL functionality.

Problem Symptoms

If a customer matches all of the listed conditions, then they are vulnerable.

  1. The customer is using version 5.0 or later of ACE-XML-Gateway.

  2. The customer has enabled the CRL feature.

  3. The customer has otherwise only enabled features supported on fast path.

  4. The customer has not explicitly configured the data to run through flex path.

  5. One or more certificates have been revoked per the signing CA's CRL.

  6. One of the revoked certificates above is used to establish an SSL connection or for XML-DSig (in version 5.1 or later).

Workaround/Solution

To solve this issue you will need to configure the ACE-XML-Gateway product to run on flex path. This is done by checking the "Always Use Flex Path" checkbox on all affected HTTP Ports and redeploying the policy.

Here are the detailed instructions:

  1. Log into the AXG Manager.

  2. Click on "HTTP Servers" in the left nav bar.

  3. For each HTTP Server listed, perform the following:

    1. Click "view".

    2. Click "EDIT" in the "GENERAL" section.

    3. Under "Flex Path," ensure the "Always Use Flex Path" checkbox is checked.

    4. Click "Save Changes".

    5. Click "Exit to HTTP Servers List".

  4. Deploy the policy.

  5. If you are using sub-policies, repeat steps two through four in each sub-policy.
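The path-selection defect described under Background, and why the "Always Use Flex Path" workaround above closes it, modelled as an added example (this is not Cisco's code; the feature names, certificate serial and CRL contents are constructed, and the two selection functions only stand in for the config-plane logic the notice describes):

```python
from dataclasses import dataclass

# Constructed stand-ins for the subset of features fast path supports.
FAST_PATH_FEATURES = frozenset({"ssl", "http_routing", "xml_dsig"})


@dataclass(frozen=True)
class HttpPortPolicy:
    enabled_features: frozenset       # non-CRL features enabled on the port
    crl_enabled: bool = False         # CRL retrieval/validation feature
    always_use_flex_path: bool = False  # the checkbox from the workaround


def select_path_vulnerable(policy: HttpPortPolicy) -> str:
    """Models the 5.0 behaviour: the CRL flag plays no part in choosing
    the engine, so a port with only fast-path features lands on fast path
    even though fast path cannot check the CRL."""
    if policy.always_use_flex_path:
        return "flex"
    return "fast" if policy.enabled_features <= FAST_PATH_FEATURES else "flex"


def select_path_fixed(policy: HttpPortPolicy) -> str:
    """Corrected selection: enabling CRL forces the port onto flex path,
    the only engine that implements revocation checking."""
    if policy.always_use_flex_path or policy.crl_enabled:
        return "flex"
    return "fast" if policy.enabled_features <= FAST_PATH_FEATURES else "flex"


def certificate_accepted(path: str, crl_enabled: bool,
                         cert_serial: str, crl_serials: frozenset) -> bool:
    """Fast path has no CRL support, so it never rejects a listed serial;
    flex path rejects one when CRL checking is enabled."""
    if path == "fast":
        return True
    return not (crl_enabled and cert_serial in crl_serials)


def accepts_revoked_cert(select_path, policy: HttpPortPolicy) -> bool:
    """Run one SSL handshake presenting a revoked (constructed) certificate
    through the given selection logic; True means the revoked cert passed."""
    revoked = "0x1A2B"                      # constructed serial on the CA's CRL
    path = select_path(policy)
    return certificate_accepted(path, policy.crl_enabled, revoked, frozenset({revoked}))


if __name__ == "__main__":
    port = HttpPortPolicy(frozenset({"ssl"}), crl_enabled=True)
    print("5.0 logic accepts revoked cert:", accepts_revoked_cert(select_path_vulnerable, port))
    print("fixed logic accepts revoked cert:", accepts_revoked_cert(select_path_fixed, port))
    workaround = HttpPortPolicy(port.enabled_features, crl_enabled=True, always_use_flex_path=True)
    print("workaround accepts revoked cert:", accepts_revoked_cert(select_path_vulnerable, workaround))
```

The third case is the notice's workaround: with the checkbox set, even the defective selection routes the port to flex path and the revoked certificate is rejected.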

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS                                     Description
CSCsk36979 (registered customers only)   CRL's not updating with hf022

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
