...
The combination of the hardware platform and offered software features renders the following products:

Cisco 4000 Series Integrated Services Routers (IOS XE Open Service Containers)
Cisco ASR 1001-X Series Aggregation Services Routers (IOS XE Open Service Containers)
Cisco ASR 1001-HX Series Aggregation Services Routers (IOS XE Open Service Containers)
Cisco ASR 1002-X Series Aggregation Services Routers (IOS XE Open Service Containers)
Cisco ASR 1002-HX Series Aggregation Services Routers (IOS XE Open Service Containers)
Cisco ASR 1000 Series Aggregation Services Router with RP2 or RP3 (IOS XE Open Service Containers)
Cisco Cloud Services Router 1000V Series (IOS XE Open Service Containers)

affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2017-5754 - Rogue Data Cache Load Side-Channel Information Disclosure Vulnerability (aka Meltdown)

This bug addresses the Meltdown CVE only. The Spectre CVEs are tracked and addressed by a new bug, CSCvj59152, which covers the following:

CVE-2017-5715 - Branch Target Injection (aka Spectre)
CVE-2017-5753 - Bounds Check Bypass (aka Spectre)
CVE-2018-3639 - Speculative Store Bypass (SSB), Variant 4
CVE-2018-3640 - Rogue System Register Read, Variant 3a
Devices must be configured to allow the use of Open Service Containers or the Cisco IOx features. Code running within either of these two features could be leveraged as an attack vector.
None
Administrators are advised to tightly control access to network devices and to audit those that allow the execution of non-Cisco supplied software, to ensure they comply with their corporate security policies.

Cisco IOS-XE versions 3.17S and later on platforms that support the Open Service Container feature are affected. Cisco Polaris versions 16.x prior to the first fixed version that support the Open Service Container feature are affected.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 5.3:
https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
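One way to run the audit recommended above across an inventory, as an added example that is not Cisco's code: it flags devices whose release falls in the ranges stated here and whose running-config enables a container feature. It assumes the features appear as a top-level `iox` line or a `virtual-service <name>` block containing `activate`; the hostnames, versions and configs are constructed samples.

```python
import re

# Constructed inventory (not from the advisory): hostname -> (IOS XE version,
# trimmed running-config text) for four hypothetical routers.
DEVICES = {
    "edge-rtr-1": ("16.06.04", "hostname edge-rtr-1\n!\niox\n!\n"),
    "agg-rtr-2": ("03.17.01.S", "virtual-service mgmt\n activate\n!\n"),
    "wan-rtr-3": ("03.17.01.S", "virtual-service mgmt\n!\n"),  # never activated
    "old-rtr-4": ("03.16.05.S", "virtual-service mgmt\n activate\n!\n"),
}

def version_status(version):
    """Map a version string onto the affected ranges named in the advisory."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        return "unparsed"  # cannot be cleared, so it stays in the report
    major, minor = int(m.group(1)), int(m.group(2))
    if major == 3:
        return "in-range" if minor >= 17 else "not-listed"
    if major == 16:
        # The page names no fixed release, so 16.x cannot be cleared here.
        return "check-fixed-release"
    return "not-listed"

def container_features(config):
    """Return container-hosting features enabled in a running-config."""
    found, current = [], None
    for line in config.splitlines():
        if line and not line[0].isspace():  # top-level command ends any block
            current = None
            words = line.split()
            if words == ["iox"]:  # assumed global enable line for IOx
                found.append("iox")
            elif len(words) == 2 and words[0] == "virtual-service":
                current = words[1]
        elif current and line.strip() == "activate":
            found.append("virtual-service " + current)
    return found

def audit(devices):
    """List (host, version status, features) for devices needing review."""
    report = []
    for host, (version, config) in sorted(devices.items()):
        status, features = version_status(version), container_features(config)
        if features and status != "not-listed":
            report.append((host, status, features))
    return report

if __name__ == "__main__":
    for row in audit(DEVICES):
        print(row)
```

Devices reported as `check-fixed-release` still need to be compared against the first fixed 16.x release from Cisco, which this page does not state.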