Cisco Security Advisory: Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager

Document ID: 98182

Advisory ID: cisco-sa-20070808-IOS-voice

http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

Revision 1.2

Last Updated 2007 August 20 1500 UTC (GMT)

For Public Release 2007 August 08 1600 UTC (GMT)

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)
Media Gateway Control Protocol (MGCP)
Signaling protocols H.323, H.254
Real-time Transport Protocol (RTP)
Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

Note: The August 08, 2007 publication includes four Security Advisories and one Security Response. The advisories all affect IOS, one additionally affects Cisco Unified Communications Manager as well. Each advisory lists the releases that correct the vulnerability described in the advisory, and the advisories also detail the releases that correct the vulnerabilities in all four advisories. Individual publication links are listed below:

Cisco IOS Information Leakage Using IPv6 Routing Header
http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-IPv6-leak.shtml
Cisco IOS Next Hop Resolution Protocol Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml
Cisco IOS Secure Copy Authorization Bypass Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20070808-scp.shtml
Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager
http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
Cisco Unified MeetingPlace XSS Vulnerability
http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml

[Expand all sections] [Collapse all sections]

Affected Products

These vulnerabilities only affect devices running Cisco IOS that have voice services enabled. The only exception is the vulnerability documented as Cisco bug ID CSCsi80102 ( registered customers only) , which also exists on Cisco Unified Communications Manager.

Vulnerable Products

To determine the software running on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices will not have the show version command, or will give different output.

The following example shows output from a device running an IOS image:

Router>show version
Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 31-Mar-05 08:04 by yiyan

Additional information about Cisco IOS release naming is available at the following link: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml.

SIP-related vulnerabilities

Any Cisco device that runs a vulnerable version of IOS and supports SIP processing could be vulnerable. This includes multiple IOS versions of 12.2, 12.3 and 12.4. Routers that are configured as SIP Public Switched Telephone Network (PSTN) Gateways and SIP Session Border Controllers (SBCs) are vulnerable. The CAT6000-CMM card is also vulnerable.

To determine if the device has SIP enabled, enter the commands show ip sockets and show tcp brief all. In some newer IOS releases the command show ip sockets is removed. If that is the case use show udp. The output is identical to the show ip sockets command.

Router#show ip sockets
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
17 0.0.0.0             0  --any--          5060   0   0  211   0
17 0.0.0.0             0 192.168.100.2       67   0   0 2211   0
17 0.0.0.0             0 192.168.100.2     2517   0   0   11   0

The first line with UDP Port 5060 shows that UDP SIP is enabled.

Router#show tcp brief all
TCB       Local Address           Foreign Address        (state)
2051E680  *.5060                  *.*                    LISTEN

The above lines with *.5060 show that TCP SIP is enabled.

The device is vulnerable even if it does not have SIP explicitly configured. If the output of the show ip sockets command is showing that the device is listening to port 5060, then the device is vulnerable.

MGCP-related vulnerabilities

To determine whether MGCP is configured on an IOS device, look for either of the following lines in in the Cisco IOS configuration:

Router#show running config
....
voice-port 1/1/1
!
mgcp
!         
dial-peer voice 1 pots
 service mgcpapp
 port 1/1/1

Router#show running config
....
controller T1 1/1                                                               
 framing sf                                                                     
 linecode ami                                                                   
 pri-group timeslots 1-24 service mgcp

Router#show running config
....
controller T1 1/1                                                               
 framing sf                                                                     
 linecode ami                                                                   
 ds0-group 0 timeslots 1-24 type none service mgcp

The exact port numbers may vary in the configuration.

H.323 signaling-related vulnerabilities

To determine whether H.323 is configured on an IOS device, look for either of the following lines in the Cisco IOS configuration.

For Cisco bug ID CSCsi60004 ( registered customers only) this configuration is vulnerable:

Router#show running config | include proxy
proxy h323

For Cisco bug ID CSCsg70474 ( registered customers only) this configuration is vulnerable:

Router#show running config | include inspect
ip inspect name H323_protocol h323
 ip inspect H323_protocol in

Real-time Transport Protocol-related vulnerabilities

No particular configuration is required to enable RTP because this protocol is invoked when audio or video information is transmitted. H.323, MGCP, SIP, or H.320 protocols must be processing packets for a router to process RTP packets.

Note: These vulnerabilities only affect sessions terminating or originating on a device itself, not transit traffic; for example, traffic that passes through a device, but is destined elsewhere is not affected.

Facsimile reception vulnerability

The IOS device will listen to incoming facsimile transmission by default if the Digital Signal Processor (DSP) is present. To determine the presence of DSP on a device, execute the following command:

Note: This vulnerability only affects sessions terminating or originating on a device itself, not transit traffic; for example, traffic that passes through a device, but is destined elsewhere is not affected.

Router#show voice dsp
 DSP  DSP             DSPWARE CURR  BOOT                         PAK     TX/RX
TYPE NUM CH CODEC    VERSION STATE STATE   RST AI VOICEPORT TS ABORT  PACK COUNT
==== === == ======== ======= ===== ======= === == ========= == ===== ============
C542 001 01 None       7.4.1 IDLE  idle      0  0 1/1/0     NA     0      598/607
C542 002 01 None       7.4.1 IDLE  idle      0  0 1/1/1     NA     0      591/588

The above example shows that DSP is present on the device.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these vulnerabilities. The following devices are known not to be affected:

Cisco Unified Communications Manager (with the exception of CSCsi80102 ( registered customers only) )
Cisco IP Phone

Top of the section Close Section

Details

Details for vulnerabilities are grouped by category and impact.

SIP-related vulnerabilities

SIP is a protocol that is used to establish, modify, and terminate multimedia sessions. Most commonly, SIP is used for Internet telephony. SIP call signaling can use UDP (User Datagram Protocol) or TCP (Transport Control Protocol) as an underlying transport protocol. In all cases vulnerabilities can be triggered by processing a malformed SIP packet.

A malformed SIP packet may cause a vulnerable device to crash and may allow arbitrary code to be executed. These vulnerabilities are documented as the following Cisco Bug IDs:

CSCsi80749 Crash while processing malformed SIP packet ( registered customers only)
CSCsi80102 CUCM - Crash while processing malformed SIP packet ( registered customers only)

A malformed SIP packet may cause a memory leak and device crash. These vulnerabilities are documented as the following Cisco Bug IDs:

CSCsf11855 Crash while processing malformed SIP packet ( registered customers only)
CSCeb21064 Crash while processing malformed SIP packet ( registered customers only)
CSCse40276 Router crashed by malformed SIP message ( registered customers only)
CSCse68355 Router crashed by malformed SIP packet ( registered customers only)
CSCsf30058 Memory leak when processing malformed SIP message ( registered customers only)
CSCsb24007 Memory corruption and unexpected reload on receiving a SIP packet ( registered customers only)
CSCsc60249 Crash while processing malformed SIP packet ( registered customers only)

MGCP-related vulnerabilities

MGCP is a protocol for controlling media gateways from external call control elements such as Media Gateway Controllers or Call Agents. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. In a Cisco environment, a media gateway is used between the Cisco Communications Manager and the Cisco router and servers as a voice gateway.

A specially crafted MGCP packet can cause a vulnerable device to crash or become unresponsive. The unresponsive device will not be able to establish new telephone calls, and a reboot is required to restore normal operation. These vulnerabilities are documented as the following Cisco Bug IDs:

CSCsf08998 MGCP stop responding after receiving malformed packet ( registered customers only)
CSCsd81407 Router crash on receiving abnormal MGCP messages ( registered customers only)

H.323-signaling related vulnerabilities

H.323 is an ITU (International Telecommunications Union) set of recommendations for multimedia communication and signaling in networks that use Internet Protocol.

A malformed H.323 packet can crash a vulnerable device. These vulnerabilities are documented as the following Cisco Bug IDs:

CSCsi60004 H323 Proxy Unregistration from Gatekeeper ( registered customers only)
CSCsg70474 IOS FW with h323 inspect crashes when malformed H.323 packets received ( registered customers only)

Real-time Transport Protocol-related vulnerabilities

RTP is a protocol that is designed to provide delivery services for data with real-time characteristics, such as interactive audio and video.

A malformed RTP packet can cause a vulnerable device to crash. These vulnerabilities are documented as the following Cisco Bug IDs:

CSCse68138 Issue in handling specific packets in VOIP RTP Lib ( registered customers only)
CSCse05642 I/O memory corruption crash on a router ( registered customers only)

Facsimile reception vulnerability

Reception of a large packet can cause a vulnerable device to crash. This vulnerability is documented as the following Cisco Bug ID:

CSCej20505 Router hangs with overly large packet ( registered customers only)

Vulnerability Scoring Details

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 1.0.

Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

Note: To make this document more readable, individual CVSS scores for vulnerabilities are not shown. Instead, the vulnerabilities are grouped according to the score.

The following SIP-related vulnerabilities have identical CVSS scoring CSCsi80749 ( registered customers only) Calculate the environmental score CSCsi80102 - CUCM Calculate the environmental score
CVSS Base Score - 10
Access Vector	Access Complexity	Authentication	Confidentiality Impact	Integrity Impact	Availability Impact	Impact Bias
Remote	Low	Not Required	Complete	Complete	Complete	Normal
Temporal Score - 8.3
Exploitability		Remediation Level		Report Confidence
Functional		Official Fix		Confirmed

The following SIP-related vulnerabilities have identical CVSS scoring CSCsf11855 ( registered customers only) Calculate the environmental score CSCeb21064 ( registered customers only) Calculate the environmental score CSCse40276 ( registered customers only) Calculate the environmental score CSCse68355 ( registered customers only) Calculate the environmental score CSCsf30058 ( registered customers only) Calculate the environmental score CSCsb24007 ( registered customers only) Calculate the environmental score CSCsc60249 ( registered customers only) Calculate the environmental score
CVSS Base Score - 3.3
Access Vector	Access Complexity	Authentication	Confidentiality Impact	Integrity Impact	Availability Impact	Impact Bias
Remote	Low	Not Required	None	None	Complete	Normal
Temporal Score - 2.7
Exploitability		Remediation Level		Report Confidence
Functional		Official Fix		Confirmed

The following MGCP-related vulnerabilities have identical CVSS scoring CSCsf08998 ( registered customers only) Calculate the environmental score CSCsd81407 ( registered customers only) Calculate the environmental score
CVSS Base Score - 3.3
Access Vector	Access Complexity	Authentication	Confidentiality Impact	Integrity Impact	Availability Impact	Impact Bias
Remote	Low	Not Required	None	None	Complete	Normal
Temporal Score - 2.7
Exploitability		Remediation Level		Report Confidence
Functional		Official Fix		Confirmed

The following H.323 signaling-related vulnerabilities have identical CVSS scoring CSCsi60004 ( registered customers only) Calculate the environmental score CSCsg70474 ( registered customers only) Calculate the environmental score
CVSS Base Score - 3.3
Access Vector	Access Complexity	Authentication	Confidentiality Impact	Integrity Impact	Availability Impact	Impact Bias
Remote	Low	Not Required	None	None	Complete	Normal
Temporal Score - 2.7
Exploitability		Remediation Level		Report Confidence
Functional		Official Fix		Confirmed

The following RTP-related vulnerabilities have identical CVSS scoring CSCse68138 ( registered customers only) Calculate the environmental score CSCse05642 ( registered customers only) Calculate the environmental score
CVSS Base Score - 3.3
Access Vector	Access Complexity	Authentication	Confidentiality Impact	Integrity Impact	Availability Impact	Impact Bias
Remote	Low	Not Required	None	None	Complete	Normal
Temporal Score - 2.7
Exploitability		Remediation Level		Report Confidence
Functional		Official Fix		Confirmed

CVSS score for the facsimile reception vulnerability CSCej20505 ( registered customers only) Calculate the environmental score
CVSS Base Score - 3.3
Access Vector	Access Complexity	Authentication	Confidentiality Impact	Integrity Impact	Availability Impact	Impact Bias
Remote	Low	Not Required	None	None	Complete	Normal
Temporal Score - 2.7
Exploitability		Remediation Level		Report Confidence
Functional		Official Fix		Confirmed

Top of the section Close Section

Impact

The impacts associated with individual vulnerabilities are listed according to vulnerability type. If not specifically called out, all vulnerabilities within the same category have an identical impact.

SIP-related vulnerabilities

Successful exploitation of the vulnerabilities listed as Cisco Bug ID CSCsi80749 ( registered customers only) and CSCsi80102 ( registered customers only) can potentially lead to remote code execution.

Successful exploitation of other SIP-related vulnerabilities listed in this advisory can cause the affected device to crash. Repeated exploitation could result in a sustained denial of service (DoS) attack.

MGCP-related vulnerabilities

Successful exploitation of the vulnerability listed as Cisco Bug ID CSCsf08998 ( registered customers only) can cause the affected device to become unresponsive. The device will not be able to establish any new connections, and a reboot is required to restore normal functionality.

Successful exploitation of the vulnerability listed as Cisco Bug ID CSCsd81407 ( registered customers only) can cause the affected device to crash. Repeated exploitation could result in a sustained denial of service (DoS) attack.

H.323 Signaling-related vulnerabilities

Successful exploitation of the vulnerabilities listed in this advisory can cause the affected device to crash. Repeated exploitation could result in a sustained denial of service (DoS) attack.

Real-time Transport Protocol-related vulnerabilities

Successful exploitation of the vulnerabilities listed in this advisory can cause the affected device to crash. Repeated exploitation could result in a sustained denial of service (DoS) attack.

Facsimile reception vulnerability

Successful exploitation of the vulnerability listed in this advisory can cause the affected device to crash. Repeated exploitation could result in a sustained denial of service (DoS) attack.

Top of the section Close Section

Software Versions and Fixes

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.

For further information about how Cisco IOS is built, numbered and maintained, please see the following URL: http://www.cisco.com/warp/public/620/1.html

Major Release	Availability of Repaired Releases
Affected 12.0-Based Release	First Fixed Release	Recommended Release
12.0	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0DA	Not Vulnerable
12.0DB	Not Vulnerable
12.0DC	Not Vulnerable
12.0S	Not Vulnerable
12.0SC	Not Vulnerable
12.0SL	Not Vulnerable
12.0SP	Not Vulnerable
12.0ST	Not Vulnerable
12.0SX	Not Vulnerable
12.0SY	Not Vulnerable
12.0SZ	Not Vulnerable
12.0T	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0W	Not Vulnerable
12.0WC	12.0(5)WC16
12.0WT	Not Vulnerable
12.0XA	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XB	Not Vulnerable
12.0XC	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XD	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XE	Vulnerable; first fixed in 12.1(27b)E2
12.0XF	Vulnerable; contact TAC
12.0XG	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XH	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XI	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XJ	Not Vulnerable
12.0XK	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XL	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XM	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XN	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XQ	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XR	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XS	Not Vulnerable
12.0XV	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.0XW	Not Vulnerable
Affected 12.1-Based Release	First Fixed Release	Recommended Release
12.1	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1AA	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1AX	Not Vulnerable
12.1AY	Not Vulnerable
12.1AZ	Not Vulnerable
12.1CX	Not Vulnerable
12.1DA	Not Vulnerable
12.1DB	Not Vulnerable
12.1DC	Not Vulnerable
12.1E	12.1(27b)E2
12.1EA	12.1(22)EA10	12.1(22)EA10a 12.1(22)EA10b; available 13-Sept-07
12.1EB	Not Vulnerable
12.1EC	Vulnerable; first fixed in 12.2(4)BC1	12.3(17b)BC8 12.3(21a)BC3
12.1EO	Not Vulnerable
12.1EU	Not Vulnerable
12.1EV	Not Vulnerable
12.1EW	Not Vulnerable
12.1EX	Vulnerable; first fixed in 12.1(27b)E2
12.1EY	Vulnerable; first fixed in 12.1(27b)E2
12.1EZ	Vulnerable; first fixed in 12.1(27b)E2
12.1GA	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1GB	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1T	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XA	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XB	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XC	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XD	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XE	Vulnerable; first fixed in 12.1(27b)E2
12.1XF	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XG	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XH	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XI	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XJ	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XK	Not Vulnerable
12.1XL	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XM	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XN	Not Vulnerable
12.1XO	Not Vulnerable
12.1XP	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XQ	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XR	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XS	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XT	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XU	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XV	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1XW	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XX	Not Vulnerable
12.1XY	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1XZ	Vulnerable; first fixed in 12.2(26c); available 14-Aug-07	12.2(46a)
12.1YA	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YB	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YC	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YD	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YE	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YF	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YG	Not Vulnerable
12.1YH	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YI	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.1YJ	Not Vulnerable
Affected 12.2-Based Release	First Fixed Release	Recommended Release
12.2	12.2(26c); available 14-Aug-07 12.2(27c); available 14-Aug-07 12.2(28d); available 14-Aug-07 12.2(29b); available 14-Aug-07 12.2(46a); available 15-Aug-07	12.2(46a)
12.2B	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2BC	Not Vulnerable
12.2BW	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2BY	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2BZ	Not Vulnerable
12.2CX	Not Vulnerable
12.2CY	Not Vulnerable
12.2CZ	Vulnerable; contact TAC
12.2DA	Not Vulnerable
12.2DD	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2DX	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2EU	Not Vulnerable
12.2EW	Not Vulnerable
12.2EWA	Not Vulnerable
12.2EX	Not Vulnerable
12.2EY	Not Vulnerable
12.2EZ	Not Vulnerable
12.2FX	Not Vulnerable
12.2FY	Not Vulnerable
12.2FZ	Not Vulnerable
12.2IXA	Vulnerable; first fixed in 12.2(18)IXD1	12.2(18)IXD1
12.2IXB	Vulnerable; first fixed in 12.2(18)IXD1	12.2(18)IXD1
12.2IXC	Vulnerable; first fixed in 12.2(18)IXD1	12.2(18)IXD1
12.2IXD	12.2(18)IXD1	12.2(18)IXD1
12.2IXE	Not Vulnerable
12.2JA	Not Vulnerable
12.2JK	Not Vulnerable
12.2MB	Not Vulnerable
12.2MC	12.2(15)MC1 12.2(15)MC2a 12.2(15)MC2i 12.2(8)MC1 12.2(8)MC2	12.2(15)MC2j
12.2S	12.2(14)S19 12.2(18)S13 12.2(20)S13 12.2(25)S13 12.2(30)S	12.2(25)S13 12.2(14)S19
12.2SB	12.2(28)SB1 12.2(31)SB6	12.2(28)SB9; available 15-Aug-07 12.2(31)SB6
12.2SBC	Vulnerable; first fixed in 12.2(28)SB1	12.2(28)SB9; available 15-Aug-07 12.2(31)SB6
12.2SE	Not Vulnerable
12.2SEA	Not Vulnerable
12.2SEB	Not Vulnerable
12.2SEC	Not Vulnerable
12.2SED	Not Vulnerable
12.2SEE	Not Vulnerable
12.2SEF	Not Vulnerable
12.2SEG	Not Vulnerable
12.2SG	Not Vulnerable
12.2SGA	Not Vulnerable
12.2SL	Not Vulnerable
12.2SM	Not Vulnerable
12.2SO	Not Vulnerable
12.2SRA	12.2(33)SRA5	12.2(33)SRA5
12.2SRB	12.2(33)SRB2; available 31-Aug-07	12.2(33)SRB2; available 31-Aug-07
12.2SU	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2SV	12.2(22)SV 12.2(23)SV 12.2(24)SV 12.2(25)SV 12.2(27)SV2 12.2(27)SV3 12.2(28)SV1 12.2(29)SV 12.2(29a)SV	12.2(29)SV4; available 14-Oct-07
12.2SVA	Not Vulnerable
12.2SVC	Vulnerable; contact TAC
12.2SW	12.2(20)SW 12.2(21)SW 12.2(21)SW1 12.2(25)SW10 12.2(25)SW11	12.2(25)SW11
12.2SX	Vulnerable; first fixed in 12.2(18)SXF10
12.2SXA	Vulnerable; first fixed in 12.2(18)SXF10
12.2SXB	Vulnerable; first fixed in 12.2(18)SXF10	12.2(18)SXF10
12.2SXD	Vulnerable; contact TAC
12.2SXE	Vulnerable; first fixed in 12.2(18)SXF10	12.2(18)SXF10
12.2SXF	12.2(18)SXF10	12.2(18)SXF10
12.2SXH	Not Vulnerable
12.2SY	Not Vulnerable
12.2SZ	Vulnerable; first fixed in 12.2(30)S	12.2(25)S13 12.2(14)S19
12.2T	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2TPC	12.2(8)TPC10c; available 17-Aug-07	12.2(8)TPC10c
12.2UZ	Not Vulnerable
12.2VZ	Vulnerable; first fixed in 12.2(31)SB6	12.2(28)SB9; available 15-Aug-07 12.2(31)SB6
12.2XA	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XB	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XC	Vulnerable; first fixed in 12.3(11)T12; available 16-Aug-07	12.4(12c) 12.4(3h) 12.4(5c) 12.4(8d); available 03-Sep-07 12.4(7f) 12.4(16) 12.4(10c) 12.4(13d)
12.2XD	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XE	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XF	Not Vulnerable
12.2XG	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XH	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XI	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XJ	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XK	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XL	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XM	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XN	Vulnerable; first fixed in 12.3(23)	12.3(23) 12.3(20a) 12.3(21b) 12.3(22a) 12.3(18a) 12.3(19a); available 16-Aug-07 12.3(17c); available 16-Aug-07
12.2XQ

Hierarchical Navigation

Products & Services