If you are running Cisco WebVPN

[deanwebb]

This got added today:

Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory. Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory.

You best be patching those ASAs, people! GOGOGOGO DOO EET NAO!!!

[icecream-guy]

OK, I got you now. Yes ASAs doing termination of Anyconnect Clients are vulnerable. The client itself is not. I just wanted to make sure I didn't miss patching anything. From the new notice it seems the bug is in the underlying XML parser so any features that do XML will be vulnerable. So web, VPN, ASDM, etc.

-Otanx

Correct, it's in the hardware end, not the client end. And it's all the hardware, bigger stuff is more vulnerable than the smaller stuff.

if you are working for the gov like, me,  since it's a critical vulnerability, everything must be patched, doesn't matter if it's vulnerable or not, it gets patched, to fill the security overlords patching checkboxes.

[icecream-guy]

This got added today:

Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory. Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory.

You best be patching those ASAs, people! GOGOGOGO DOO EET NAO!!!

unfortunately, we need to test,  with code that's less than 5 days out in public, and knowing how Cisco code has treated us in the past,  it's a tough call to have 100% in Cisco, ( look what happened with the .21 release)

[Otanx]

We like to keep all our stuff on common releases anyway. So the requirement to patch if vulnerable or not isn't an issue for us. It actually benefits us because I can wave the cyber requirement flag to get my windows approved.

-Otanx

[icecream-guy]

We like to keep all our stuff on common releases anyway. So the requirement to patch if vulnerable or not isn't an issue for us. It actually benefits us because I can wave the cyber requirement flag to get my windows approved.

-Otanx

our team of 5 manage about 200 ASA firewalls of various models and trains, (I know  )
between us we do a good amount of upgrades every month.
I don't think we ever get to finish a round, due to some vulnerability coming out every so frequently.

[Otanx]

Ouch, that sucks. We are about the same size device count and staff, but 95% of ours are the same model.

-Otanx

[deanwebb]

We like to keep all our stuff on common releases anyway. So the requirement to patch if vulnerable or not isn't an issue for us. It actually benefits us because I can wave the cyber requirement flag to get my windows approved.

-Otanx

our team of 5 manage about 200 ASA firewalls of various models and trains, (I know  )
between us we do a good amount of upgrades every month.
I don't think we ever get to finish a round, due to some vulnerability coming out every so frequently.

That last bit is a serious, serious issue. Dang.

[icecream-guy]

I don't think we ever get to finish a round, due to some vulnerability coming out every so frequently.

That last bit is a serious, serious issue. Dang.

not so bad, were loading 9.1.7.16 now to stop that 215 day bug,  next week as we continue, we'll start loading  9.1.7.23, then jump back around to do the ones running 9.1.7.16.