There are no workarounds that address this vulnerability. The following mitigation helps limit exposure to this vulnerability.
Configure ASA to drop any IP fragments it receives as follows:
ASA# conf t
ASA(config)# fragment chain 1
Please note that this can be configured globally only, so it will affect all user traffic passing across the ASA, not only traffic specifically directed toward the Cisco ASA CX module. This configuration will result in all IP fragments being dropped by the ASA, even if this traffic will not be handled by the ASA CX module.