Cisco
ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 8.4(7)31 – 04/08/2016
Files: asa847-31-k8.bin, asa847-31-smp-k8.bin
Defects resolved since 8.4(7)30:
|
Evaluation of pix-asa for OpenSSL December 2015 Vulnerabilities |
Revision: Version 8.4(7)30 – 01/15/2016
Files: asa847-30-k8.bin, asa847-30-smp-k8.bin
Defects resolved since 8.4(7)29:
|
Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability |
|
|
|
Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability |
||
Revision: Version 8.4(7)29 – 10/21/2015
Files: asa847-29-k8.bin,
asa847-29-smp-k8.bin
Defects resolved since 8.4(7)28:
|
Cisco ASA XAUTH Bypass Vulnerability |
|
|
|
ISAKMP SERVER traffic from codenomicon
crashes ASA |
||
|
ASA traceback in ThreadName:ci/console,while pinging
DNS Server name |
||
|
MARCH 2015 OpenSSL Vulnerabilities |
|
|
|
Traceback: mem_get_owner+104 at slib/../finesse/snap_api.h:163 |
||
|
Evaluation of OpenSSL June 2015 |
|
|
Revision: Version 8.4(7)28 – 04/08/2015
Files: asa847-28-k8.bin,
asa847-28-smp-k8.bin
Defects resolved since 8.4(7)26:
|
Cisco ASA Challenge-Response Tunnel Group Selection Bypass
Vulnerability |
|
|
|
WebVPN portal DOM based Cross-Site-Scripting Issue |
|
|
|
Cisco ASA Malformed DNS Reply Denial of Service Vulnerability |
|
|
|
ASA Crash in checkheaps due to snmp component |
|
|
|
Webvpn: Support for XFRAME in additional portal and CSD pages |
|
|
|
Failover units should accept only traffic coming from the peer |
|
|
|
Mac version smart-tunnel uses SSLv3 which is a vulnerability |
|
|
|
ASA SMTP inspection should not disable TLS by default |
|
|
|
ipsec-datapath:TFW management
connection via VPN takes a few minutes |
|
|
|
ASA5580-20 8.4.7.23: Traceback in
Thread Name: ssh |
|
|
|
JANUARY 2015 OpenSSL Vulnerabilities |
|
|
|
ASA: Traceback when removing manual
NAT rule |
|
|
|
ASA / denial of service against xml parser. |
|
|
|
2048-byte block leak if DNS
server replies with "No such name" |
||
|
|
|
|
Revision: Version 8.4(7)26 – 02/03/2015
Files: asa847-26-k8.bin,
asa847-26-smp-k8.bin
Defects resolved since 8.4(7)23:
|
ASA SSL: Continues to accept SSLv3 during TLSv1 only mode |
|
|
Idle timer and half-closed idle timer reset by out of sequence
SYN |
|
|
ASA5585-SSP60 Traceback in Thread Name
SSH on Capture Command |
|
|
Local pool address not released -> Duplicate local pool
address found |
|
|
1550 block leak occur if DNS replies "refused" query
response |
|
|
ASA5580 speed nonegotiate settings
kept link down after shut/no shut |
|
|
Object Group Search causing legitimate traffic to be dropped by
ACL |
|
|
DHCP Relay reloads after changing server interface |
|
|
ASA : evaluation of
SSLv3 POODLE vulnerability |
|
|
ASA: Traceback in idfw_proc |
|
|
DATAPATH Traceback in snp_mp_svc_udp_upstream_data function |
|
|
ASA Traceback in Thread Name:
DATAPATH-6-2544 |
|
|
ASA: evaluation of Poodle Bites in TLSv1 |
|
|
JANUARY 2015 OpenSSL Vulnerabilities |
Revision: Version 8.4(7)23 – 09/26/2014
Files: asa847-23-k8.bin,
asa847-23-smp-k8.bin
Defects resolved since 8.4(7)22:
|
vpn-sessiondb detail missing
Filter Name after IKEv1 rekey |
||
|
ASA: Traceback when out of stack
memory with call-home configured |
||
|
ASA has inefficient memory use when cumulative AnyConnect
session grows |
||
|
ASA 9.1.2 DHCP - Wireless Apple devices are not getting an IP
via DHCPD |
||
|
ASA: Last packet in PCAP capture file not readable |
||
|
ASA 9.1: timer app id was corrupted causing to Dispatch Unit traceback |
||
|
ASA traceback in Thread Name: fover_parse during command replication |
||
|
ASA Webvpn CIFS vnode_create:
VNODE ALLOCATION LIMIT 100000 REACHED! |
||
|
ASA Transparent mode doesn't pass DHCP discover message |
||
|
ASA:Tracebacks in thread
dispatch unit due to SunRPC inspection |
||
|
Cisco ASA Information Disclosure Vulnerability |
||
|
'ASA modifies Request Host Part under 'ACK' packet for SIP
connection' |
||
|
ASA 5505 u-turned/hairpinned conn
counts toward license local-host limit |
||
|
ASA WebVPN Memory leak leading to Blank Portal Page/AnyConnect failure |
||
|
ENH: Add "speed nonegotiate"
command for fiber interfaces on ASA5585 |
||
|
Traceback on DATAPATH-7-1524 Generating Botnet Filter Syslog |
||
|
ASA allows IKEv1 clients to bypass address assignment, causing
conflict |
||
|
ASA does not relay BOOTP packets |
||
|
ASA with SFP+4GE-SSM sends flow-control packets at line rate |
||
|
ASA: HTTP searchPendingOrders.do function failing over WebVPN |
||
|
ASA allows to empty an access-list referenced elsewhere |
||
|
Standby ASA traceback on Fover_Parse with Botnet Filter |
||
|
Failover Standby unit has higher memory utilization |
||
|
ASA: Traceback in DATAPATH |
||
|
ASA: no auth prompt when accessing
internet website using ASA-CX |
||
|
9.0(4)5 - Unable to access internal
site via clientless SSLVPN |
||
|
ASA - Traceback in thread name: sch_prompt anonymous reporting |
||
|
Multiple Vulnerabilities in OpenSSL -
June 2014 |
||
|
TCP intercept does not work after embryonic connection ends |
||
|
ASA tmatch_summary_alloc block leak in
binsize 1024 |
||
|
Cisco ASA SSL VPN Portal Customization
Integrity Vulnerability |
|
|
|
ASA Traceback in Thread name:
ci/console while modifying an object-group |
||
|
ASA - Wrong object-group migration during upgrade from 8.2 |
||
|
ASA - Permitting/blocking traffic based on wrong IPs in ACL |
||
|
ASA: Traceback Page Fault in vpnfol_thread_msg on Standby ASA |
||
|
ASA with ACL optimization traceback in
"fover_parse" thread |
||
|
WebVPN: uploading customized portal.css breaks the portal login
page |
||
|
ASA failover standby device reboots due to delays in config replication |
||
|
IPsecOverNatT tunnel disappears after ASA failovers |
||
|
Smart Tunnels Spawn "UNKNOWN Publisher" Warning w/Java
7 Update 60 |
||
|
Using "?" to list files in directory with thousands of
files causing hog |
||
|
vbscript getting caught in
loop when passing thru ASA WebVPN Rewriter |
||
|
ASA - Traceback in thread name SSH
while changing NAT configuration |
||
|
Cisco ASA Privilege Escalation |
||
|
ASA: Entering Query String on /+CSCOE+/logon.html disclose
information |
||
|
Double Free when processing DTLS packets |
||
|
OpenSSL Zero-Length Fragments DTLS Memory Leak Denial of Service Vuln |
||
|
ASA Radius Access-Request contains both User-Password and
CHAP-Password |
||
|
LDAP CLI: Quotes removed if ldap
attribute-map name has spaces |
||
|
ASA:Incorrect link status in show failover o/p with
monitoring disabled |
||
|
ASA returns wrong content-length for cut-thru proxy
authentication page |
||
|
ASA:Multicast traffic silently
dropped due to Promiscuous Mode: Disabled |
||
Revision: Version 8.4(7)22 – 07/11/2014
Files: asa847-22-k8.bin,
asa847-22-smp-k8.bin
Defects resolved since 8.4(7)15:
|
ASA 5585 SSP-IPS 9.x Gig interfaces do not come up after module
reset |
|
|
ASA may drop all traffic with Hierarchical priority queuing |
|
|
webvpn issue,part of the http request not sent by the client to
ASA |
|
|
Datapath:Observing Deadlock in different DATAPATH threads |
|
|
ASA5585-SSP60 Teardown process is delayed under heavy traffic
condition |
|
|
ASA: Watchdog traceback in Unicorn
Admin Handler with TopN host stats |
|
|
Traceback in Thread: IPsec message handler with
rip-tlog_event_allocate |
|
|
Ping doesn't work between peer IPs when answer-only is
configured |
|
|
Java rewriting takes too much time |
|
|
ASA WebVPN login page XSS vulnerability |
|
|
ASA not passing IPv6 traffic when connected to Anyconnect |
|
|
ASA using IKEv2 rejects multiple NAT_DETECTION_SOURCE_IP payloads |
|
|
Hash calculated for multiple ACEs on ASA are same |
|
|
Unable to access webvpn portal when
CSD and IE content advisor enabled. |
|
|
5585-20 8.4.7.11 traceback in Thread
Name Datapath w/ DCERPC inspection |
|
|
MEMLEAK: AnyConnect when
authenticating |
|
|
MEMLEAK: 128 byte leaks when requesting IPv6 address for AnyConnect |
|
|
High CPU with IKE daemon Process |
|
|
ASA 8.4.6: Traceback with fover_FSM_thread |
|
|
ASA Page Fault: Invalid Permission in thread name DATAPATH |
|
|
SNMP: cpmCPUTotal5sec/1min/5min return "0" |
|
|
VPN client firewall and split-tunneling mishandle
"inactive" acl rules |
|
|
Clientless scrollbar on right hand side of the screen doesn't
render |
|
|
ASA 9.0.4.1 traceback in webvpn datapath |
|
|
IPsec transform sets mode changes from transport to tunnel after
editing |
|
|
ASA - Cut Through Proxy sends empty redirect w/ Virtual HTTP and
Telnet |
|
|
Multicast - ASA doesn't populate mroutes
after failover |
|
|
ASA doesn't send invalid SPI notify for non-existent NAT-T IPSec
SA |
|
|
ASA: Page fault traceback in Dispatch
Unit |
|
|
Multiple Vulnerabilities in OpenSSL -
June 2014 |
Revision: Version 8.4(7)15 – 04/09/2014
Files: asa847-15-k8.bin,
asa847-15-smp-k8.bin
Defects resolved since 8.4(7)3:
|
ENH - Add device serial number and platform string to show run
output |
|||
|
ACL renamed but syslog doesn't reflect new name |
|||
|
Unable to create policy map depending on existing maps and name |
|||
|
ASA: multicast 80-byte block leak in combination with
phone-proxy |
|||
|
Improve HTTP inspection's logging of proxied
HTTP GETs |
|||
|
Backup Shared
License Server unable to open Socket |
|||
|
tmatch compile thread
assertion in "stride_terminal_node.c" |
|||
|
SMP ASA traceback on periodic_handler for inspecting icmp
or dns trafic |
|||
|
A warning message is needed when a new encryption license is
applied |
|||
|
Traceback on Configuration Manipulation over Telnet/SSH Sessions |
|||
|
Add text section to coredump |
|
||
|
ASA 8.4.4.5 - Traceback in Thread
Name: Dispatch Unit |
|||
|
HTTP Deep Packet Inspection Denial of Service Vulnerability |
|||
|
Mem Leak: ikev2_fo_parse_sa_message_id_data_v1 |
|||
|
Traceback when loading configuration from TFTP multiple contexts |
|||
|
IKEv2 : L2L tunnel fails with error "Duplicate entry in Tunnel
Manager" |
|||
|
ASA - Not all GRE connections are replicated to the standby unit |
|||
|
ASA KCD is broken in 8.4.5 onwards |
|||
|
Renew SmartTunnel Web Start .jnlp Certificate 9/7/2013 |
|||
|
ASA traceback with 'debug menu webvpn 160' command |
|||
|
WebVpn: javascript parser error while
rewriting libmin.js |
|||
|
WebVPN doesn't accept connections, Unicorn Proxy Thread no
longer exists |
|||
|
ENH: ASA should send flow-update for short-lived flows |
|||
|
ASA PAT rules are not applied to outbound SIP traffic |
|||
|
ASA traceback in Thread Name:
DATAPATH-2-1140 |
|||
|
CSCul37888Traceback in DATAPATH caused by HTTP Inspection |
|||
|
Privillage level 0 users getting full access |
|
||
|
traceback ABORT(-87): strcpy_s: source string too long for dest |
|||
|
ASA OSPF route stuck in database and routing table |
|||
|
ASA reloads on Thread name: idfw_proc |
|||
|
ASA: Page fault traceback with 'show
dynamic-filter dns-snoop detail' |
|||
|
Unable to assign ip address from the
local pool due to 'Duplicate local' |
|||
|
ASA traceback in Thread Name: ssh on modifying service object |
|||
|
ASA SMR: Multicast traffic for some groups stops flowing after
failover |
|||
|
ST not injected in mstsc.exe on 64-bit Win 8 IE 10 when started TSWebApp |
|||
|
ASA-SM - TFW Dropping jumbo mcast
traffic with 3 intf in a bridge group |
|||
|
ASA 8.4.7 - Traceback with assertion
in thread name Dispatch Unit |
|||
|
ASA traceback in Thread name - netfs_thread_init |
|||
|
WebVPN Java rewriter issue: Java Plugins fail after upgrade to
Java 7u45 |
|||
|
Wrong ACL seq & remarks shown when
using Range object w/ object-group |
|||
|
ASA fails to set forward address in OSPF route redistrubution |
|||
|
Webvpn rewriter some links from steal.js are mangled incorrectly |
|||
|
ASA Webvpn: Rewriter issue with
dynamic iframes |
|||
|
OpenSSH vulnerability CVE-2012-0814: Debug messages with key info |
|||
|
Traceback after upgrade from pre-8.3 to 8.3 and above |
|||
|
Object Group Search may cause ACL to be matched incorrectly |
|||
|
ASA: Page fault traceback after
running show asp table socket |
|||
|
INSPECT ICMP ERROR ICMP HEADER AFTER UN_NAT DOES NOT
MATCH IP DST ADDR |
|||
|
ASA traceback in Thread Name: DATAPATH
due to double block free |
|||
|
ASA: Hitless upgrade fails with port-channels |
|||
|
ENH: Need to optimize messages printed on upgrade from 8.2- to
8.3+ |
|||
|
WebVPN: sharepoint 2007/2010 and Office2007
can't download/edit pictures |
|||
|
traffic does not match time-rang access-list configured with
policy-maps |
|||
|
ASA: Memory leak with WebVPN and HTTP server enabled
simultaneously |
|||
|
ASA WebVPN Login portal returns to login page after successful
login |
|||
|
ASA Tranparent A/A - Replicated MAC
addresses not deleted after timeout |
|||
|
ASA with ICMP insp. drops replies with 'seq
num not matched' code |
|||
|
Case sensitivity check missing for Web Type ACL and Access-group |
|||
|
IPSEC VPN - One crypto ACE mismatch terminates all Phase2 with
that peer |
|||
|
Webvpn: ASA
fails to rewrite javascript tag
correctly |
|||
|
ASA fails to perform KCD SSO when web server listens on
non-default port |
|||
|
Acct-stop for VPN session doesn't send out when failover
occurred |
|||
|
ASA Assert Traceback in Dispatch Unit
during LU Xlate replication |
|||
|
EIGRP: Auth key with space replicates
to Secondary with no space |
|||
|
Capture Isakmp w/ match statement
cause Standby to reload at replication |
|||
|
ASA SSL VPN Privilege Escalation
Vulnerability |
|
||
|
WEBVPN multiple issues with LMS application |
|||
|
ASA: Phy setting change on member
interfaces not seen on port-channel |
|||
|
Redundant IFC not Switching Back |
|||
|
ASA - Remote access VPN sessions are not replicated to Standby
unit |
|||
|
ASA EIGRP redistribute static shows up as internal route |
|||
|
Copying configuration to running-config
fails |
|||
|
ASA tears down SIP signaling conn w/ reason Connection timeout |
|||
|
'Route-Lookup' Behavior Assumed for Twice NAT with Identity
Destination |
|||
|
Page fault traceback in DATAPATH under
DoS, rip qos_topn_hosts_db_reset |
|||
|
ASA reloads on Thread name: idfw_proc |
|||
|
ASA drops DHCP Offer packet in ASP when nat
configured with "Any" |
|||
|
secondary standby looses his cluster license after upgrade to 8.4.(7.3) |
|||
|
IKEv1 - Send INVALID_ID_INFO when received P2 ID's not in crypto
map |
|||
|
ASA policy-map action not applied correctly after config change |
|||
|
Webvpn: Add permissions attribute to portforwarder
jar file |
|||
|
Webvpn: Add permissions attribute to mac smart-tunnel jar |
|||
|
WebVPN: ASA webVPN fails to rewrite
dynamic content of pubmed website |
|||
|
ASA:Traceback in Thread Name:
DATAPATH-23-2334 |
|||
|
Traceback in IKEv2 Daemon with AnyConnect
Failure |
|||
|
IKEv2 leaks embryonic SAs during child SA negotiation with PFS
mismatch |
|||
|
ASA traceback on NAT assert on file nat_conf.c |
|||
|
ASA traceback in Unicorn Admin Handler |
|||
|
ASA: Traceback in pix_flash_config_thread
when upgrading with names |
|||
|
ASA - VPN session leak for IKEv2 if L2L sessions land on RA
tunnel group |
|||
|
ASA 9.1.3 SNMP Traceback in Thread
Name: SNMP |
|||
|
Traceback in Thread Name: ci/console |
|||
|
Assigned IP in show vpn-sessiondb anyconnect is missing. |
|||
|
ASA WebVPN memory leak - blank portal page |
|||
|
ASA: Traceback in aware_http_server_thread
after upgrade |
|||
|
ASA traceback in Thread Name: IKE
Daemon: with CX redirect in place. |
|||
|
Regex modification within context causes ASA traceback |
|||
|
ASA EIGRP route stuck after neighbour
disconnected |
|||
|
L2TP/IPSec connection is failed when there is PAT router. |
|||
Revision: Version 8.4(7)3 – 10/24/2013
Files: asa847-3-k8.bin,
asa847-3-smp-k8.bin
Defects resolved since 8.4.7:
|
ESP packet drop due to
failed anti-replay checking after HA failovered |
|||
|
Cookie usage in SSL VPN |
|
||
|
Traceback during child SA rekey |
|||
|
ASA drops some CX/CSC
inspected HTTP packets due to PAWS violation |
|||
|
Hostscan 3.1.03104 does not detect Kaspersky AV 6.0 |
|||
|
ASA: Data packets with
urgent pointer dropped with IPS as bad-tcp-cksum |
|||
|
ASA traceback
with less PAT with huge traffic |
|||
|
slow memory leak due to webvpn cache |
|||
|
ASA does not send
Gratuitous ARP(GARP) when booting |
|||
|
limitation of session-threshold-exceeded value is incorrect |
|||
|
ASA: SIP inspection always chooses
hairpin NAT/PAT for payload rewrite |
|||
|
ASA traceback
when using "Capture Wizard" on ASDM |
|||
|
ASA TFW doesn't rewrite
VLAN in BPDU packets containing Ethernet trailer |
|||
|
Intermittently users not
allowed to login due to hostscan data limit |
|||
|
ASA Assert in Checkheaps chunk create internal |
|||
|
ASA A/A fover
automatic MAC address change causes i/f monitoring
to fail |
|||
|
ASA-SM assert traceback in timer-infra |
|||
|
ASA: Multicast traffic
silently dropped on port-channel interfaces |
|||
|
ASA 8.2.5 snmpEngineTime displays incorrect values |
|||
|
ASA/IKEv1-L2L: Do not allow
two IPsec tunnels with identical proxy IDs |
|||
|
ASA Traceback
When Debug Crypto Archives with Negative Pointers |
|||
|
Safari crashes when use
scroll in safari on MAC 10.8 with smart-tunnel |
|||
|
AnyConnect Copyright Panel and Logon Form message removed after upgrade |
|||
|
Cisco ASA Crafted ICMP
Packet Denial of Service Vulnerability |
|||
|
ASA traceback
in pix_startup_thread |
|||
|
ASA drops packet as PAWS
failure after incorrect TSecr is seen |
|||
|
Failure when accessing CIFS
share with period character in username |
|||
|
ASA does not pass
calling-station-id when doing cert base authentication |
|||
|
ASA tears down SIP
signaling conn w/ reason Connection timeout |
|||
|
Clientless SSL VPN:Unable to translate for
Japanese |
|||
|
ASA traceback
when removing more than 210 CA certificates at once |
|||
|
AnyConnect states: "VPN configuration received... has an invalid
format" |
|||
|
ASA unable to remove ipv6
address from BVI interface |
|||
|
ASA 8.4.7 Multi Context TFW
not generating any syslog data |
|||
|
Certificate CN and ASA FQDN
mismatch causes ICA to fail. |
|||
|
Sustained high cpu usage in Unicorn proxy thread with jar file rewrite |
|||
|
no debug all, undebug all CLI commands doesnt reset
unicorn debug level |
|||
|
Add X-Frame-Options:
SAMEORIGIN to ASDM HTTP response |
|||
|
ASA drops inbound traffic
from AnyConnect Clients |
|||