CVSS2 | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |

CVSS3 | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

Score | Measure | Value |
---|---|---|
AI Score | Confidence | High |
EPSS | Percentile | 99.4% |

On January 26, 2017, the OpenSSL Software Foundation released a security advisory that included three new vulnerabilities. The advisory also included one vulnerability that was already disclosed in the OpenSSL advisory for November 2016 and included in the Cisco Security Advisory "Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016" (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161114-openssl). OpenSSL classifies all the new vulnerabilities as “Moderate Severity.”
The first vulnerability affects only OpenSSL used on 32-bit system architectures and may cause OpenSSL to crash. The second vulnerability affects only version 1.1.0 and occurs only when OpenSSL is used on the client side; it may cause OpenSSL to crash when connecting to a malicious server. The third vulnerability affects only systems based on the x86_64 architecture. A successful exploit of the third vulnerability could allow an attacker to access sensitive private key information.
Multiple Cisco products incorporate a version of the OpenSSL package that is affected by one or more of these vulnerabilities.
There are no Cisco products affected by the vulnerability identified by CVE ID CVE-2017-3730.
On February 16, 2017, the OpenSSL Software Foundation released another security advisory that included one high severity vulnerability identified by CVE ID CVE-2017-3733.
There are no Cisco products affected by this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170130-openssl
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | prime_access_registrar | any | cpe:2.3:a:cisco:prime_access_registrar:any:*:*:*:*:*:*:* |
cisco | emergency_responder | any | cpe:2.3:a:cisco:emergency_responder:any:*:*:*:*:*:*:* |
cisco | unified_contact_center_hosted | any | cpe:2.3:a:cisco:unified_contact_center_hosted:any:*:*:*:*:*:*:* |
cisco | ios_xr_software | any | cpe:2.3:o:cisco:ios_xr_software:any:*:*:*:*:*:*:* |
cisco | wireless_lan_controller | any | cpe:2.3:h:cisco:wireless_lan_controller:any:*:*:*:*:*:*:* |
cisco | unity_connection | any | cpe:2.3:a:cisco:unity_connection:any:*:*:*:*:*:*:* |
cisco | telepresence_e20 | any | cpe:2.3:h:cisco:telepresence_e20:any:*:*:*:*:*:*:* |
cisco | unified_contact_center_express | any | cpe:2.3:a:cisco:unified_contact_center_express:any:*:*:*:*:*:*:* |
cisco | cisco_ios_and_ios-xe_software | any | cpe:2.3:a:cisco:cisco_ios_and_ios-xe_software:any:*:*:*:*:*:*:* |
cisco | video_surveillance_media_server | any | cpe:2.3:a:cisco:video_surveillance_media_server:any:*:*:*:*:*:*:* |