CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score
Confidence: High

EPSS
Percentile: 98.9%

On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as “Critical Severity,” one as “Moderate Severity,” and the other 12 as “Low Severity.”
Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities. These vulnerabilities affect the OpenSSL versions that were released to address the vulnerabilities disclosed in the previous advisory. One of the new vulnerabilities was rated as “High Severity” and the other as “Moderate Severity.”
Of the 16 released vulnerabilities:
- Fourteen track issues that could result in a denial of service (DoS) condition
- One (CVE-2016-2183, aka SWEET32) tracks an implementation of a Birthday attack against Transport Layer Security (TLS) block ciphers that use a 64-bit block size that could result in loss of confidentiality
- One (CVE-2016-2178) is a timing side-channel attack that, in specific circumstances, could allow an attacker to derive the private DSA key that belongs to another user or service running on the same system

Five of the 16 vulnerabilities exclusively affect the recently released OpenSSL versions that are part of the 1.1.0 release series, which has not yet been integrated into any Cisco product.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl

Vendor | Product | Version | CPE |
---|---|---|---|
cisco | application_and_content_networking_system_software | any | cpe:2.3:a:cisco:application_and_content_networking_system_software:any:*:*:*:*:*:*:* |
cisco | prime_access_registrar | any | cpe:2.3:a:cisco:prime_access_registrar:any:*:*:*:*:*:*:* |
cisco | emergency_responder | any | cpe:2.3:a:cisco:emergency_responder:any:*:*:*:*:*:*:* |
cisco | unified_contact_center_hosted | any | cpe:2.3:a:cisco:unified_contact_center_hosted:any:*:*:*:*:*:*:* |
cisco | ios_xr_software | any | cpe:2.3:o:cisco:ios_xr_software:any:*:*:*:*:*:*:* |
cisco | cisco_ons_15454_system_software | any | cpe:2.3:o:cisco:cisco_ons_15454_system_software:any:*:*:*:*:*:*:* |
cisco | unity_express | any | cpe:2.3:h:cisco:unity_express:any:*:*:*:*:*:*:* |
cisco | nac_appliance | any | cpe:2.3:h:cisco:nac_appliance:any:*:*:*:*:*:*:* |
cisco | intrusion_prevention_system | any | cpe:2.3:a:cisco:intrusion_prevention_system:any:*:*:*:*:*:*:* |
cisco | cisco_adaptive_security_appliance_\(asa\)_software | any | cpe:2.3:a:cisco:cisco_adaptive_security_appliance_\(asa\)_software:any:*:*:*:*:*:*:* |