Cisco Blog » The Platform

Tuesday, September 1, 2015

Cisco Notification Alert -Nexus 5000 Series Switch-01-Sep-2015 16:53 GMT

Security Advisories & Responses - Nexus 5000 Series Switches

Title:
OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products
Description:

On July 9, 2015, the OpenSSL Project released a security advisory detailing a vulnerability affecting applications that verify certificates, including SSL/Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) clients and SSL/TLS/DTLS servers using client authentication.

Multiple Cisco products incorporate a version of the OpenSSL package affected by this vulnerability that could allow an unauthenticated, remote attacker to cause certain checks on untrusted certificates to be bypassed, enabling the attacker to forge "trusted" certificates that could be used to conduct man-in-the-middle attacks.

This advisory will be updated as additional information becomes available.

Cisco will release free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150710-openssl

Date:
29-AUG-2015

Find additional information in Cisco Security Advisories & Responses
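The mechanism behind this advisory (OpenSSL's CVE-2015-1793), as an added, simplified model rather than OpenSSL's own code: when the first chain-building pass dead-ends, the verifier backtracks and looks for an alternative issuer in the trust store, and the bug was that the count of untrusted certificates was not recomputed after that backtracking, so the CA-flag check skipped a certificate that had come from the peer. The PKI below (names, key identifiers, the decoy certificate) is constructed; the fixed branch mirrors the upstream fix of recounting the untrusted part after backtracking, while the vulnerable branch is a stand-in for the bookkeeping error, not the original code path.

```python
"""Simplified model of X.509 chain building with OpenSSL-style alternative chains.

Constructed example: certificates are plain records, a "signature" is modelled by
matching key identifiers, and the trust store is a list. Not OpenSSL code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # identity of this certificate's public key
    signer_key_id: str  # key that produced the signature on this certificate
    is_ca: bool         # basicConstraints CA flag


def check_issued(cert: Cert, candidate: Cert) -> bool:
    """Name chaining plus (modelled) signature check: may `candidate` have issued `cert`?"""
    return cert.issuer == candidate.subject and cert.signer_key_id == candidate.key_id


def find_issuer(cert: Cert, pool: List[Cert], chain: List[Cert]) -> Optional[Cert]:
    for c in pool:
        if c not in chain and check_issued(cert, c):
            return c
    return None


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                fixed: bool) -> Tuple[List[Cert], int, bool]:
    """Return (chain, last_untrusted, anchored).

    `last_untrusted` is the number of leading chain entries that did NOT come from the
    trust store; only those are subjected to the extension checks below.
    """
    chain = [leaf]
    # Pass 1: extend the chain with certificates the peer supplied (the untrusted pool).
    while (nxt := find_issuer(chain[-1], untrusted, chain)) is not None:
        chain.append(nxt)
    last_untrusted = len(chain)
    anchor = find_issuer(chain[-1], trusted, chain)
    if anchor is None:
        # Alternative chain: walk back down the untrusted part looking for a certificate
        # whose issuer is in the trust store, and discard everything above it.
        for j in range(len(chain) - 2, -1, -1):
            anchor = find_issuer(chain[j], trusted, chain)
            if anchor is not None:
                del chain[j + 1:]
                if fixed:
                    last_untrusted = len(chain)  # recount: everything still in chain is untrusted
                else:
                    last_untrusted = j           # bookkeeping error: chain[j] is no longer counted
                break
    if anchor is None:
        return chain, last_untrusted, False
    chain.append(anchor)
    return chain, last_untrusted, True


def check_chain_extensions(chain: List[Cert], last_untrusted: int) -> bool:
    """Every untrusted certificate above the leaf must carry the CA flag."""
    return all(chain[i].is_ca for i in range(1, last_untrusted))


def verify(leaf: Cert, untrusted: List[Cert], trusted: List[Cert], fixed: bool) -> bool:
    chain, last_untrusted, anchored = build_chain(leaf, untrusted, trusted, fixed)
    return anchored and check_chain_extensions(chain, last_untrusted)


# Constructed PKI (hypothetical names and key identifiers).
ROOT = Cert("Root CA", "Root CA", "k_root", "k_root", is_ca=True)
INTER = Cert("Intermediate CA", "Root CA", "k_int", "k_root", is_ca=True)
# A perfectly valid end-entity certificate the attacker legitimately holds.
ATTACKER_LEAF = Cert("attacker.example", "Intermediate CA", "k_att", "k_int", is_ca=False)
# A certificate the attacker "issued" with the leaf's private key.
FORGED = Cert("bank.example", "attacker.example", "k_forged", "k_att", is_ca=False)
# Decoy: same name and key as the intermediate but chained to an unknown issuer, so the
# first chain-building pass dead-ends and the alternative-chain logic runs.
DECOY = Cert("Intermediate CA", "Some Other CA", "k_int", "k_other", is_ca=True)

if __name__ == "__main__":
    peer_chain = [ATTACKER_LEAF, DECOY]
    store = [ROOT, INTER]
    print("vulnerable logic accepts forged cert:", verify(FORGED, peer_chain, store, fixed=False))
    print("fixed logic accepts forged cert:     ", verify(FORGED, peer_chain, store, fixed=True))
```

Run it and the vulnerable branch accepts bank.example signed with attacker.example's end-entity key, while the fixed branch rejects it because attacker.example lacks CA:TRUE. The shape of the check (count which chain positions came from the peer and apply the extension checks to every one of them) is what to look for when reviewing any verifier that retries chain building.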

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5624Q Switch
Software Type:
NX-OS System Software
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n6000-uk9.7.1.2.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) System Image

File Release Date:
03-AUG-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5648Q Switch
Software Type:
NX-OS System Software
Release Version:
7.2(0)N1(1)
Alert Type:
New File
File Name:
n6000-uk9.7.2.0.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.2(0)N1(1) System Image

File Release Date:
11-AUG-2015
Alert Type:
New File
File Name:
n5000-uk9.7.2.0.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.2(0)N1(1) System Image

File Release Date:
11-AUG-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5648Q Switch
Software Type:
NX-OS System Software
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n5000-uk9.7.1.2.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) System Image

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n6000-uk9.7.1.2.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) System Image

File Release Date:
31-JUL-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5696Q Switch
Software Type:
NX-OS System Software
Release Version:
7.0(7)N1(1)
Alert Type:
New File
File Name:
n6000-uk9.7.0.7.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.0(7)N1(1) System Image

File Release Date:
27-AUG-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5696Q Switch
Software Type:
NX-OS System Software
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n6000-uk9.7.1.2.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) System Image

File Release Date:
03-AUG-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5696Q Switch
Software Type:
NX-OS Kick Start
Release Version:
7.0(7)N1(1)
Alert Type:
New File
File Name:
n6000-uk9-kickstart.7.0.7.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.0(7)N1(1) Kick Start Image

File Release Date:
27-AUG-2015
Alert Type:
New File
File Name:
n6000_poap_script.7.0.7.N1.1.py
File Description:

Cisco Nexus 6000/5600 Series Switches 7.0(7)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
27-AUG-2015
Alert Type:
New File
File Name:
n6000_poap_script.7.0.7.N1.1.tcl
File Description:

Cisco Nexus 6000/5600 Series Switches 7.0(7)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
27-AUG-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5696Q Switch
Software Type:
NX-OS Kick Start
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n6000_poap_script.7.1.2.N1.1.tcl
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n6000-uk9-kickstart.7.1.2.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) Kick Start Image

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n6000_poap_script.7.1.2.N1.1.py
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5596UP Switch
Software Type:
NX-OS Kick Start
Release Version:
7.0(7)N1(1)
Alert Type:
New File
File Name:
n5000_poap_script.7.0.7.N1.1.tcl
File Description:

Cisco Nexus 5000 Series Switches 7.0(7)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
27-AUG-2015
Alert Type:
New File
File Name:
n5000_poap_script.7.0.7.N1.1.py
File Description:

Cisco Nexus 5000 Series Switches 7.0(7)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
27-AUG-2015
Alert Type:
New File
File Name:
n5000-uk9-kickstart.7.0.7.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.0(7)N1(1) Kick Start Image

File Release Date:
27-AUG-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5596UP Switch
Software Type:
NX-OS Kick Start
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n5000_poap_script.7.1.2.N1.1.py
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n5000-uk9-kickstart.7.1.2.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) Kick Start Image

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n5000_poap_script.7.1.2.N1.1.tcl
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5624Q Switch
Software Type:
NX-OS Kick Start
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n6000_poap_script.7.1.2.N1.1.py
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n6000_poap_script.7.1.2.N1.1.tcl
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n6000-uk9-kickstart.7.1.2.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) Kick Start Image

File Release Date:
31-JUL-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5548P Switch
Software Type:
NX-OS System Software
Release Version:
7.0(7)N1(1)
Alert Type:
New File
File Name:
n5000-uk9.7.0.7.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.0(7)N1(1) System Image

File Release Date:
27-AUG-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5548P Switch
Software Type:
NX-OS System Software
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n5000-uk9.7.1.2.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) System Image

File Release Date:
03-AUG-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5548UP Switch
Software Type:
NX-OS System Software
Release Version:
7.0(7)N1(1)
Alert Type:
New File
File Name:
n5000-uk9.7.0.7.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.0(7)N1(1) System Image

File Release Date:
27-AUG-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5548UP Switch
Software Type:
NX-OS System Software
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n5000-uk9.7.1.2.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) System Image

File Release Date:
31-JUL-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5648Q Switch
Software Type:
NX-OS Kick Start
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n5000_poap_script.7.1.2.N1.1.py
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n5000_poap_script.7.1.2.N1.1.tcl
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n6000_poap_script.7.1.2.N1.1.py
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n5000-uk9-kickstart.7.1.2.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) Kick Start Image

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n6000_poap_script.7.1.2.N1.1.tcl
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n6000-uk9-kickstart.7.1.2.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) Kick Start Image

File Release Date:
31-JUL-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5548UP Switch
Software Type:
NX-OS Kick Start
Release Version:
7.0(7)N1(1)
Alert Type:
New File
File Name:
n5000_poap_script.7.0.7.N1.1.tcl
File Description:

Cisco Nexus 5000 Series Switches 7.0(7)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
27-AUG-2015
Alert Type:
New File
File Name:
n5000_poap_script.7.0.7.N1.1.py
File Description:

Cisco Nexus 5000 Series Switches 7.0(7)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
27-AUG-2015
Alert Type:
New File
File Name:
n5000-uk9-kickstart.7.0.7.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.0(7)N1(1) Kick Start Image

File Release Date:
27-AUG-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5548UP Switch
Software Type:
NX-OS Kick Start
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n5000_poap_script.7.1.2.N1.1.py
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n5000_poap_script.7.1.2.N1.1.tcl
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n5000-uk9-kickstart.7.1.2.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) Kick Start Image

File Release Date:
31-JUL-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5672UP Switch
Software Type:
NX-OS Kick Start
Release Version:
7.0(7)N1(1)
Alert Type:
New File
File Name:
n6000_poap_script.7.0.7.N1.1.py
File Description:

Cisco Nexus 6000/5600 Series Switches 7.0(7)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
27-AUG-2015
Alert Type:
New File
File Name:
n6000-uk9-kickstart.7.0.7.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.0(7)N1(1) Kick Start Image

File Release Date:
27-AUG-2015
Alert Type:
New File
File Name:
n6000_poap_script.7.0.7.N1.1.tcl
File Description:

Cisco Nexus 6000/5600 Series Switches 7.0(7)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
27-AUG-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5672UP Switch
Software Type:
NX-OS Kick Start
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n6000_poap_script.7.1.2.N1.1.tcl
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n6000_poap_script.7.1.2.N1.1.py
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n6000-uk9-kickstart.7.1.2.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) Kick Start Image

File Release Date:
31-JUL-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5596UP Switch
Software Type:
NX-OS System Software
Release Version:
7.0(7)N1(1)
Alert Type:
New File
File Name:
n5000-uk9.7.0.7.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.0(7)N1(1) System Image

File Release Date:
27-AUG-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5596UP Switch
Software Type:
NX-OS System Software
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n5000-uk9.7.1.2.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) System Image

File Release Date:
03-AUG-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 56128P Switch
Software Type:
NX-OS System Software
Release Version:
7.0(7)N1(1)
Alert Type:
New File
File Name:
n6000-uk9.7.0.7.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.0(7)N1(1) System Image

File Release Date:
27-AUG-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 56128P Switch
Software Type:
NX-OS System Software
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n6000-uk9.7.1.2.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) System Image

File Release Date:
03-AUG-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 56128P Switch
Software Type:
NX-OS Kick Start
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n6000-uk9-kickstart.7.1.2.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) Kick Start Image

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n6000_poap_script.7.1.2.N1.1.py
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n6000_poap_script.7.1.2.N1.1.tcl
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 56128P Switch
Software Type:
NX-OS Kick Start
Release Version:
7.0(7)N1(1)
Alert Type:
New File
File Name:
n6000_poap_script.7.0.7.N1.1.py
File Description:

Cisco Nexus 6000/5600 Series Switches 7.0(7)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
27-AUG-2015
Alert Type:
New File
File Name:
n6000-uk9-kickstart.7.0.7.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.0(7)N1(1) Kick Start Image

File Release Date:
27-AUG-2015
Alert Type:
New File
File Name:
n6000_poap_script.7.0.7.N1.1.tcl
File Description:

Cisco Nexus 6000/5600 Series Switches 7.0(7)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
27-AUG-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5548P Switch
Software Type:
NX-OS Kick Start
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n5000_poap_script.7.1.2.N1.1.tcl
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n5000_poap_script.7.1.2.N1.1.py
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
31-JUL-2015
Alert Type:
New File
File Name:
n5000-uk9-kickstart.7.1.2.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.1(2)N1(1) Kick Start Image

File Release Date:
31-JUL-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5548P Switch
Software Type:
NX-OS Kick Start
Release Version:
7.0(7)N1(1)
Alert Type:
New File
File Name:
n5000-uk9-kickstart.7.0.7.N1.1.bin
File Description:

Cisco Nexus 5000 Series Switches 7.0(7)N1(1) Kick Start Image

File Release Date:
27-AUG-2015
Alert Type:
New File
File Name:
n5000_poap_script.7.0.7.N1.1.tcl
File Description:

Cisco Nexus 5000 Series Switches 7.0(7)N1(1) TCL Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
27-AUG-2015
Alert Type:
New File
File Name:
n5000_poap_script.7.0.7.N1.1.py
File Description:

Cisco Nexus 5000 Series Switches 7.0(7)N1(1) Python Reference script for PowerOn Auto Provisioning (POAP)

File Release Date:
27-AUG-2015
Find additional information in Software Downloads index.

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5672UP Switch
Software Type:
NX-OS System Software
Release Version:
7.1(2)N1(1)
Alert Type:
New File
File Name:
n6000-uk9.7.1.2.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.1(2)N1(1) System Image

File Release Date:
03-AUG-2015

Software Updates for Nexus 5000 Series Switches

Product Name:
Nexus 5672UP Switch
Software Type:
NX-OS System Software
Release Version:
7.0(7)N1(1)
Alert Type:
New File
File Name:
n6000-uk9.7.0.7.N1.1.bin
File Description:

Cisco Nexus 6000/5600 Series Switches 7.0(7)N1(1) System Image

File Release Date:
27-AUG-2015
Find additional information in Software Downloads index.

Known Bugs - Nexus 5000 Series Switches

Alert Type:
Updated *
Bug Id:
CSCtk19132
Title:
Nexus reset due to HA policy on multiple CDP process crash
Status:
Fixed
Severity:
1 Catastrophic
Description: *

Symptoms:
A Cisco Nexus 5000 may reset due to an HA policy if the CDP process crashes multiple times.

Conditions:
This has been seen when processing a malformed CDP packet

Workaround:
Disable the CDP process

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2012-2469 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
4.1(3)N2(1a)
Known Fixed Releases:
5.0(2)N2(1)
Alert Type:
Updated *
Bug Id:
CSCur30094
Title:
Nexus 5000: evaluation of SSLv3 POODLE vulnerability
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
This product includes a version of SSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-3505
CVE-2014-3506
CVE-2014-3507
CVE-2014-3508
CVE-2014-3510

CVE-2014-3566 (POODLE)

This bug has been opened to address the potential impact on this product.

Conditions:
The POODLE issue (CVE-2014-3566) is exposed when LDAP is configured as part of the DFA (Dynamic Fabric Automation) configuration, for example:

fabric database type network
server protocol ldap ip 10.95.126.166 vrf management

or when onep is configured with the "transport type tls ..." option, or when vmtracker is configured.

Workaround:
1. Avoid any "fabric database" configuration that uses the "enable-ssl" keyword, for example:
fabric database type network
server protocol ldap ip 172.29.21.2 enable-ssl
2. Make sure the 'secure LDAP' option is unchecked when defining the POAP template on DCNM.
3. Do not use onep.

Further Problem Description:
A POODLE attack requires a man-in-the-middle position between the Nexus 5000/6000 switch (the LDAP client) and the LDAP server. It would also require a protocol downgrade attack since, by default, the Nexus 5000/6000 uses TLS.

Current schedule for the fix :
- 7.1(1)N1(1) March or early April 2015 (was postponed from Feb 2015)
- 7.2 release April 2015

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the
time of evaluation are: 2.6/2.5

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
01-AUG-2015
Known Affected Releases:
6.0(2)N3(0.91), 7.0(4)N1(1), 7.1(0)ZN(91.34), 7.2(0)N1(0.76), 7.2(0)N1(0.82), 7.2(0)N1(0.85), 7.2(0)N1(0.88), 7.2(0)VX(0.9), 7.2(0.1)PR(0.1), 7.9(0)ZD(0.4)
Known Fixed Releases: *
7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.1(0)IB(122), 7.1(0)SIB(99.109), 7.1(1)N1(0.482), 7.1(1)N1(1), 7.1(1)ZD(0.19)
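A practical check for the condition described in this entry, as an added example (not Cisco code): POODLE only matters if the LDAP server or other TLS peer still accepts an SSL 3.0 ClientHello, so this sends one and classifies the reply. The record and handshake layouts are the public SSL 3.0 format; the sample ServerHello and alert are constructed bytes, and `probe()` is the only part that touches the network.

```python
"""Probe whether a TLS endpoint still accepts an SSLv3 ClientHello (the precondition for
POODLE, CVE-2014-3566). Added example: record/handshake layouts follow the public SSL 3.0
format; the sample responses below are constructed bytes, not captures."""
import os
import socket
import struct
from typing import Dict, Optional

SSL3 = (3, 0)
# Cipher suites an SSLv3-era peer would recognise (IANA values): AES128-SHA, AES256-SHA,
# DES-CBC3-SHA, RC4-SHA, RC4-MD5.
PROBE_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version=SSL3, suites=PROBE_SUITES,
                       random_bytes: Optional[bytes] = None) -> bytes:
    """Record layer + ClientHello offering only `version` (default SSL 3.0)."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!BB", *version) + rnd + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data: bytes) -> Dict:
    """Classify the first record a server returned after our SSLv3 ClientHello."""
    if len(data) < 5:
        return {"result": "no_response"}
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", data[:5])
    rec = data[5:5 + rlen]
    if ctype == 0x15 and len(rec) >= 2:                               # Alert record
        return {"result": "alert", "level": rec[0], "description": rec[1],
                "name": ALERT_NAMES.get(rec[1], "other"), "sslv3_accepted": False}
    if ctype == 0x16 and len(rec) >= 4 and rec[0] == 0x02:           # Handshake: ServerHello
        hs = rec[4:4 + int.from_bytes(rec[1:4], "big")]
        if len(hs) < 35:                                             # version + random + sid length
            return {"result": "malformed"}
        off = 35 + hs[34]                                            # skip the session id
        if len(hs) < off + 3:
            return {"result": "malformed"}
        version = (hs[0], hs[1])
        suite = struct.unpack("!H", hs[off:off + 2])[0]
        return {"result": "server_hello", "version": version, "cipher_suite": suite,
                "sslv3_accepted": version == SSL3}
    return {"result": "unexpected", "content_type": ctype}


def probe(host: str, port: int = 636, timeout: float = 5.0) -> Dict:
    """Live check against an implicit-TLS port (e.g. LDAPS 636); StartTLS is not handled."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return parse_server_response(sock.recv(4096))


# Constructed sample responses for offline use.
def make_server_hello(version=SSL3, suite=0x002F, session_id: bytes = b"") -> bytes:
    body = (struct.pack("!BB", *version) + b"\x11" * 32 + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(handshake)) + handshake


SAMPLE_SSL3_SERVER_HELLO = make_server_hello()                  # a server that still speaks SSLv3
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"  # fatal protocol_version alert

if __name__ == "__main__":
    print(parse_server_response(SAMPLE_SSL3_SERVER_HELLO))
    print(parse_server_response(SAMPLE_PROTOCOL_VERSION_ALERT))
```

`probe("ldap.example.net", 636)` (hypothetical host) returns `sslv3_accepted: True` when the server answers with an SSL 3.0 ServerHello and `False` on a protocol_version or handshake_failure alert. Ports that use StartTLS (LDAP on 389) are not covered, since the probe speaks TLS from the first byte.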
Alert Type:
Updated *
Bug Id:
CSCut59888
Title:
After MAC Flap, MAC is not relearned correctly on one of the VPC Peers.
Status: *
Terminated
Severity:
2 Severe
Description:

Symptom:
After a short MAC-address flapping we can see on a VPC-Peer that
one VPC peer has the MAC address pointing to a single source interface
Other VPC peer has the MAC address pointing to the different source interface

Example:

Switch_A# sh mac add dy vlan 10
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 10 0000.0c07.ac00 dynamic 120 F F 333.0.0


Switch_B# sh mac add dy vlan 10
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 10 0000.0c07.ac00 dynamic 10 F F Po6

And traffic is sourced from source-mac 0000.0c07.ac00 only on Po6

Conditions:
2 Variations have been seen of the issue:
- MAC is wrong till MAX-age and corrects
- MAC is not cleared on MAX-age

This is only seen when only one leg of the VPC is receiving the traffic and one leg is not receiving *any* traffic from the affected source-mac address.

Workaround:
Clear the MAC manually

Further Problem Description:

Last Modified:
03-AUG-2015
Known Affected Releases:
6.0(2)N2(4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuc72380
Title:
Nexus 5500: IGMP Link Local Destination Packet Flooded
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
IGMP membership reports are looped within VLAN.

Conditions:
- Upstream vPC member port is IGMP mrouter port
- Destination address is link-local multicast address (i.e., 224.0.0.252)
- IGMP membership report for any address other than 0.0.0.0

Workaround:
Remove affected VLAN from peer-link. Traffic will still be forwarded by vPC primary due to graceful consistency check.

Further Problem Description:

Last Modified:
04-AUG-2015
Known Affected Releases:
5.1(3)N2(1a), 6.0(2)N2(4)
Known Fixed Releases: *
7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.1(2)N1(0.548), 7.1(2)N1(1), 7.1(2)ZD(0.5), 7.1(2)ZN(0.7), 7.2(0)BA(0.12)
Alert Type:
Updated *
Bug Id:
CSCts46521
Title:
crash in igmp process @ igmp_snoop_orib_fill_source_update
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

Cisco Nexus 5000 switches may experience a device reload after receiving certain IGMP packets. Successful exploitation may cause a reload of the affected device. Repeated exploitation could result in a sustained denial of service (DoS) condition.

Conditions:
Cisco Nexus 5000 configured with IGMP snooping. An attacker needs to be Layer 2 adjacent in order to trigger this vulnerability.

Workaround:
IGMP snooping can be disabled as a workaround if it is not needed.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2012-1357 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
5.0(3)N2(1)
Known Fixed Releases:
5.1(3)N1(1), 7.2(0)ZN(0.111)
Alert Type:
Updated *
Bug Id:
CSCtr58428
Title:
Command Injection vulnerability with the | section command
Status:
Other
Severity:
2 Severe
Description: *

Symptom:
Cisco Nexus OS contains a vulnerability that could allow an authenticated,
local attacker to execute arbitrary commands on a targeted device. The
vulnerability is due to improper sanitization of user-supplied values to
command line interface commands.

An authenticated, local attacker could exploit the vulnerability by issuing
commands that contain malicious options on the device command line interface.
If successful, the attacker could gain elevated privileges on the targeted device.

Conditions:
Injection can be done via either the less or the section sub-command. Full details below:

----------------------------------------------------------------------
NX-OS - "less" sub-command - Command injection / sanitization issues.
----------------------------------------------------------------------

Affected Products:
==================

The following products are affected by this vulnerability:

+-----------------------------------------------------------------+
| Affected Product | Cisco Bug | First Fixed |
| | ID | Release |
|-----------------------------------+------------+----------------|
| Cisco Nexus 7000 Series Switches | CSCtf40008 | 4.2(6) |
| | | 5.1(1) |
|-----------------------------------+------------+----------------|
| Cisco Nexus 5000 Series Switches | CSCtf40008 | 4.2(1)N2(1) |
|-----------------------------------+------------+----------------|
| Cisco Nexus 2000 Series Switches | CSCtf40008 | 4.1(1)N2(1) |
|-----------------------------------+------------+----------------|
| Cisco Nexus 1000V Series Switches | CSCtf40008 | 4.2(1)SV1(5.1) |
|-----------------------------------+------------+----------------|
| Cisco MDS 9000 Software | CSCtf40008 | 4.2(6) |
| | | 5.1(1) |
|-----------------------------------+------------+----------------|
| Cisco Unified Computing System | CSCtg18363 | 1.3(1c) |
| | | 1.4(1i) |
+-----------------------------------------------------------------+

The following products are not affected by the "less" sub-command command injection vulnerability:

* Cisco Nexus 3000 Series Switches
* Cisco Nexus 4000 Series Switches

-------------------------------------------------------------------------
NX-OS - "section" sub-command - Command injection / sanitization issues.
-------------------------------------------------------------------------

Affected Products:
==================

The following products are affected by this vulnerability:

+--------------------------------------------------------------+
| Affected Product | Cisco Bug | First Fixed |
| | ID | Release |
|-----------------------------------+------------+-------------|
| Cisco Nexus 7000 Series Switches | CSCtr44645 | 5.2(1) |
|-----------------------------------+------------+-------------|
| Cisco Nexus 5000 Series Switches | CSCtr44645 | 5.1(3)N1(1) |
|-----------------------------------+------------+-------------|
| Cisco Nexus 3000 Series Switches | CSCts10188

Last Modified:
06-AUG-2015
Known Affected Releases:
5.0(3)N1(1)
Known Fixed Releases:
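The bug class named in this entry (user text reaching a helper program's option parser through a CLI output filter) beside two ways to close it, as an added illustration that is not NX-OS code and does not claim to be the specific defect in CSCtr58428: the notice does not say which options were abused, so `less -o` (a documented less option that copies its input to a file) stands in for "malicious options" here, and the `section` filter is reimplemented in-process with the block-matching semantics of the IOS/NX-OS `| section` filter.

```python
"""Option injection through a CLI output filter, and two ways to close it.

Added example; the tool names and the `less -o` option are illustration of the bug class,
not the details of the NX-OS defect. Nothing here executes an external program.
"""
import re
import shlex
from typing import List


def vulnerable_cmdline(tool: str, user_text: str) -> str:
    """The bug class: user text spliced into a shell command line, so the shell
    re-tokenises it and the helper's option parser sees whatever it contained."""
    return f"{tool} {user_text}"


def tokens_seen_by_tool(cmdline: str) -> List[str]:
    """What the helper program receives as argv[1:] after POSIX shell tokenisation."""
    return shlex.split(cmdline)[1:]


def hardened_argv(tool: str, user_text: str) -> List[str]:
    """Hardening 1: no shell, the text stays one argv element, and `--` ends option
    parsing so a leading '-' can never be read as an option."""
    if any(ch in user_text for ch in "\x00\r\n"):
        raise ValueError("control characters are not allowed in filter text")
    return [tool, "--", user_text]


def section(config: str, pattern: str) -> str:
    """Hardening 2: implement the filter in-process. A block is a top-level line plus its
    indented continuation lines; a block is shown if any of its lines matches `pattern`."""
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid regular expression: {exc}") from None
    blocks, current = [], []
    for line in config.splitlines():
        if current and not line[:1].isspace():      # a new top-level line starts a block
            blocks.append(current)
            current = []
        current.append(line)
    if current:
        blocks.append(current)
    return "\n".join(line for block in blocks
                     if any(rx.search(line) for line in block) for line in block)


# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
interface Ethernet1/1
  description uplink
  switchport mode trunk
interface Ethernet1/2
  shutdown
ip access-list MGMT
  10 permit ip any any
"""

if __name__ == "__main__":
    hostile = "-o /bootflash/out.txt Ethernet"
    print("shell sees:", tokens_seen_by_tool(vulnerable_cmdline("less", hostile)))
    print("argv form: ", hardened_argv("less", hostile))
    print(section(SAMPLE_CONFIG, "shutdown"))
```

With the hostile text the concatenated form hands `less` three arguments, the first of which is its `-o` log-file option; the argv form hands it exactly one, after `--`. The in-process filter removes the helper program entirely, which is the stronger fix when the filter's semantics are small enough to reimplement.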
Alert Type:
Updated *
Bug Id:
CSCte87709
Title:
CDP with the long hostname crashes Nexus 5k
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
The mgmt port is connected to another switch with CDP enabled. When the N5k receives the first CDP packet it crashes; when it comes back up and receives another CDP packet it crashes again, repeatedly.

Conditions:
It happens when a remote switch or router with CDP enabled has an extraordinarily long hostname.

Workaround:
Disable CDP on the interface of the remote device that connects to the mgmt port.

Further Problem Description:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/6.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-0360 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
4.1(3)N2(1a)
Known Fixed Releases:
4.2(1)N1(1)
Alert Type:
Updated *
Bug Id:
CSCto09813
Title:
N5k: Remark in an ACL before a deny leaks traffic
Status:
Fixed
Severity:
2 Severe
Description: *

Summary
A vulnerability exists in Cisco Nexus 5000 and 3000 Series Switches that may allow traffic to bypass deny statements in access control lists
(ACLs) that are configured on the device.

Cisco has released free software updates that address this vulnerability.

A workaround is available to mitigate this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110907-nexus.shtml

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2011-2581 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
5.0(3)N1(1a)
Known Fixed Releases:
5.0(3)N2(1)
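A configuration check for the pattern in this bug's title, as an added example rather than anything from the advisory: it walks NX-OS ACL definitions and reports every remark entry that sits immediately before a deny entry, so affected releases can be audited before upgrading. The sample configuration is constructed, the parser assumes `show running-config aclmgr`-style layout (ACL header at column 0, sequence-numbered entries beneath it), and the advisory's own workaround is not reproduced here.

```python
"""Flag NX-OS ACL remark entries that sit immediately before a deny entry (CSCto09813).

Added example; sample configuration is constructed, not from a device.
"""
import re
from typing import List, Optional, Tuple

ACL_HEADER = re.compile(r"^(?:ip|ipv6|mac)\s+access-list\s+(\S+)\s*$", re.I)
ACL_ENTRY = re.compile(r"^\s*(\d+)\s+(remark|permit|deny)\b", re.I)


def remarks_before_deny(config: str) -> List[Tuple[str, int, int]]:
    """Return (acl_name, remark_seq, deny_seq) for each remark directly followed by a deny."""
    findings: List[Tuple[str, int, int]] = []
    acl: Optional[str] = None
    prev_kind, prev_seq = None, None
    for line in config.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            acl, prev_kind, prev_seq = header.group(1), None, None
            continue
        if acl is None:
            continue
        entry = ACL_ENTRY.match(line)
        if entry:
            seq, kind = int(entry.group(1)), entry.group(2).lower()
            if kind == "deny" and prev_kind == "remark":
                findings.append((acl, prev_seq, seq))
            prev_kind, prev_seq = kind, seq
            continue
        if line and not line[0].isspace():        # an unindented non-ACL line ends the block
            acl = None
        # indented non-entry lines such as "statistics per-entry" are ignored
    return findings


# Constructed sample (hypothetical ACL names and addresses).
SAMPLE_CONFIG = """\
ip access-list MGMT-IN
  10 remark NMS hosts
  20 permit tcp 10.10.0.0/24 any eq 22
  30 remark everything else
  40 deny ip any any log
  statistics per-entry
ip access-list SERVERS
  10 remark web tier
  20 permit tcp any 10.20.0.0/24 eq 443
  30 deny ip any any
interface Ethernet1/1
  ip access-group MGMT-IN in
"""

if __name__ == "__main__":
    for acl, remark_seq, deny_seq in remarks_before_deny(SAMPLE_CONFIG):
        print(f"{acl}: remark {remark_seq} immediately precedes deny {deny_seq}")
```

Feed it the output of `show running-config aclmgr` from an affected release; each finding is one place where the advisory's condition holds. Only the remark directly before a deny is reported, matching the title; a remark followed by a permit is left alone.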
Alert Type:
Updated *
Bug Id:
CSCtx66087
Title:
CDP crashes when receiving malformed packet
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
Cisco Nexus 1000, 3000, 4000, 5000, and 7000 switches as well as Cisco Unified Computing System Fabric Interconnect devices may restart after receiving malformed Cisco Discovery Protocol (CDP) Packets. An adjacent attacker, with the ability to submit malformed CDP traffic to an affected device could cause a denial of service condition while the device reloads or fails over to a redundant Supervisor card if so equipped.

Conditions:
Cisco Nexus Switches running an affected version of NX-OS.
Cisco Unified Computing System, Fabric Interconnect devices running an affected version of UCS Software.

Workaround:
Disable CDP on the affected device; the CDP protocol is enabled by default.

NX-OS:
no cdp enable

UCS:
Add the 'disable cdp' command to all Network Control Policies


Further Problem Description:
This issue was identified through internal hardening efforts on the NX-OS platform.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2012-1322 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
5.0(3)N2(2)
Known Fixed Releases:
5.1(3)N2(1)
Alert Type:
Updated *
Bug Id:
CSCte90364
Title:
File System Access
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
A vulnerability exists in NX-OS which allows an authenticated, local attacker to read or write arbitrary files in volatile storage. A successful exploit could
allow the attacker to gain unauthorized access to sensitive files on the device, or to overwrite arbitrary files in volatile storage.

Conditions:
Devices running affected versions of NX-OS are vulnerable.

Workaround:
None

Further Problem Description:
This issue was discovered in internal security testing and has been resolved in all current versions of affected software.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
5.2/4.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:P/A:N/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2011-4490 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
4.1(3)N2(1a)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtx54794
Title:
Specific SNMP GET request causes 'vlan_mgr' to crash on Nexus switches
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
Cisco Nexus 1000v, Nexus 3000, Nexus 5000, and Nexus 7000 devices contain a denial of service vulnerability within the SNMP subsystem. An
authenticated, remote attacker could submit a request to an affected device designed to trigger a null pointer dereference error that results in a crash
and reload of the affected device.

Conditions:
Cisco Nexus 1000v, Nexus 3000, Nexus 5000, and Nexus 7000 devices running an affected version of Cisco NX-OS Software.

Workaround:
None.

Further Problem Description:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
6.8/6.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0

CVE ID CVE-2012-4125 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
5.0(3)N2(2a)
Known Fixed Releases:
5.1(3)N2(1)
Alert Type:
Updated *
Bug Id:
CSCtj62291
Title:
Nexus 5000: switch reloaded upon [show vlan]
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

When an authenticated user issues the 'show vlan' command on the cli, the Nexus
5000 may crash and reload.


Conditions:

This issue may occur when more than 1000 VLANs and Virtual Ethernet Ports
(VETH) have been configured on a device running affected software.

Workaround:

None.


Further Problem Description:

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following
CVSS version 2 score. The Base and Temporal CVSS scores as of
the time of evaluation are 4.6/4.0:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:O/RC:C&version=2.0

CVE ID CVE-2011-0370 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at
the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
06-AUG-2015
Known Affected Releases:
4.2(1)N2(1)
Known Fixed Releases:
4.0(4)SV1(3c), 4.2(1)N2(1b), 4.2(7.96)S0, 5.0(2)N1(1), 5.0(5)S9, 5.0(6.7)S0, 5.1(1.57)S0
Alert Type:
Updated *
Bug Id:
CSCuc19558
Title:
RADIUS insufficient attribute length check
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Cisco NXOS contains a vulnerability in the RADIUS authentication code.

Conditions:
Malformed packets are returned from a RADIUS authentication server.

Workaround:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-6377 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:


Last Modified:
06-AUG-2015
Known Affected Releases:
5.2(1)N1(1)
Known Fixed Releases:
6.0(2)N2(4.63), 6.0(2)N2(5)
Alert Type:
Updated *
Bug Id:
CSCte62753
Title:
Command Injection in admin CLI
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:
A vulnerability exists in affected versions of NX-OS which could allow an authenticated local attacker to inject shell commands. A successful exploit
would allow an attacker to gain elevated privileges on the underlying operating system.

Conditions:
Devices running affected versions of NX-OS are vulnerable.

Workaround:
None

Further Problem Description:
This issue was discovered in internal security testing and has been resolved in all current versions of affected software.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
6.8/5.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2011-4235 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
4.0(1a)N2(1), 4.1(3)N2(1a)
Known Fixed Releases:
4.2(1)N1(1)
Alert Type:
Updated *
Bug Id:
CSCuu13486
Title:
Traffic issue in some vrf on setup with 100 vrf
Status: *
Terminated
Severity:
2 Severe
Description: *

Symptom:
ASM multicast issue for some VRFs in a scaled setup.

Conditions:
Occurs when ASM traffic is started for 100 VRFs, each with 50 (S,G) entries.

Workaround:
Do not start traffic for so many VRFs at the same time.

Further Problem Description:

Last Modified:
06-AUG-2015
Known Affected Releases:
7.2(0)N1(0.186)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCta72709
Title:
Disabling IGMP snooping causes flood to all FEX port with trunk on FEX
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:

On Cisco Nexus 5000 Series switches with a Cisco Nexus 2000 Series Fabric Extender (FEX) installed,
unregistered IP multicast packets on one VLAN are forwarded to other VLANs where IGMP snooping is disabled.

Conditions:

1. The Cisco Nexus 5000 Series has a Nexus 2000 FEX installed.

2. There are multiple VLANs configured on the Nexus 2000 FEX.

3. IGMP snooping is disabled on the VLAN to which the traffic is forwarded.

Affects the following Nexus Products with the Cisco Nexus 2000 FEX installed:
* Cisco Nexus 5548P Switch prior to integration of Cisco Bug ID CSCtk03738.
* Cisco Nexus 5020 Switch for all versions. Currently no plan to address in 5020 platforms.
* Cisco Nexus 5010 Switch for all versions. Currently no plan to address in 5010 platforms.

Workaround:

Several potential workarounds exist for this vulnerability:

* Static IGMP entries

Enable IGMP snooping, then use static IGMP entries to add the multicast receiver to the switch MAC table if
the host is unable to send IGMP group membership reports.

* Single VLAN per FEX

Ensure that trunking is disabled on the FEX uplink port and that a single VLAN is assigned to the FEX.

* Upgrade end host applications

Upgrade the host application to support IGMP so that it sends IGMP join/leave reports automatically,
without static configuration on the switch.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 3.3/3.1:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0

CVE ID CVE-2011-0397 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
4.1(3)N1(0.185)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu03271
Title:
Module/FEX gets into failure state with the NF Errors
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The messages 'nfp: ACL abort fails' or 'nfp: ACL commit fails' appear on the console multiple times. This may be followed by FEX modules going offline.

Conditions:
An ISSU of an n6000 with the netflow feature enabled, from 7.2(0)N1(1) to a higher release, can cause this issue.
Very rarely, a reload of a 7.2(0)N1(1) n6000 with the netflow feature enabled can also cause this issue.

Workaround:
To avoid the issue, remove the netflow feature and configure it again once the ISSU or reload is complete.

Further Problem Description:

Last Modified:
13-AUG-2015
Known Affected Releases:
7.2(0)N1(0.170)
Known Fixed Releases: *
7.2(1)N1(0.282), 7.2(1)N1(1), 7.2(1)ZN(0.46)
Alert Type:
Updated *
Bug Id:
CSCur14826
Title:
WRL 5: GNU Bourne Shell "Shellshock" Vulnerability for kernel migration
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The following Cisco products with NXOS:
N7K
include a version of Bash that may be affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187

Conditions:
Not applicable

Workaround:
Not applicable

Further Problem Description:
Additional details about those vulnerabilities can be found at http://cve.mitre.org/cve/cve.html

PSIRT Evaluation:
The Cisco PSIRT has evaluated those issues and they do not meet the criteria for PSIRT ownership or involvement. Those issues will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of those issues, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
19-AUG-2015
Known Affected Releases:
0.1
Known Fixed Releases: *
7.0(0)FFW(0.11), 7.0(0)HSK(0.509), 7.0(0)KM(0.87)
Alert Type:
Updated *
Bug Id:
CSCuv07607
Title:
N5k/N6k - No login possible to device when root directory is full
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
N5k/N6k switches may not be accessible remotely or locally because no space is available in the root directory.
When this happens, authentication fails both remotely and locally, even though the credentials are not the problem. The following error message may appear on the syslog server:
%DAEMON-3-SYSTEM_MSG: Unable to create temporary user xxxxxxxx. Error 0x404a000a (16777216)

Conditions:
The issue is seen when debugs are enabled without being redirected to a logfile. The debug output is then automatically written to the "startupdebug" file, which can grow until it consumes all space available in the root directory.

The debugs are persistent: they still exist after a reload and continue filling the startupdebug file. Once the root directory runs out of space, no further login to the switch is possible.

- The "dir log:" CLI command can be used to check for the startupdebug file.
- "show debug" shows the active debugs that are running.

Workaround:
Disable debugs and do not leave them running indefinitely.
Use debug logfile <> to redirect debug output to a non-system file. This file is limited to 4MB and is overwritten once full.

If you hit these symptoms, check "show debug" to see whether debugs are enabled; if they are, disable them.

Further Problem Description:
Even with debug logfile <> enabled while debugs are running, the debugs may still persist after a reload and then be written to the startupdebug file.
Traffic forwarded through the switch, and even the control plane, is not impacted; only login to the switch is not possible.

Last Modified:
19-AUG-2015
Known Affected Releases:
7.0(5)N1(1a), 7.1(1)N1(1)
Known Fixed Releases: *
7.0(7)N1(0.292), 7.0(7)N1(1), 7.0(7)ZN(0.187), 7.1(3)N1(0.608), 7.1(3)N1(1), 7.1(3)ZN(0.13), 7.2(1)N1(0.265), 7.2(1)N1(1), 7.2(1)ZN(0.29)
Alert Type:
New
Bug Id:
CSCuv67865
Title:
IBM: Switch port in "Link not Connected" state with Aix 7.1 host
Status:
Other
Severity:
2 Severe
Description:

Symptom:
After an upgrade to NX-OS 7.0(6)N1(1), 7.1(1)N1(1) or 7.2(0)N1(1), interfaces on the Nexus 5548P and the N55-M16P module might go down or start flapping. It can be a few days after the upgrade before they go down or start flapping.

Conditions:
Seen on the Nexus 5548P or the 16-port Gigabit Ethernet Module N55-M16P after an upgrade to NX-OS
7.0(6)N1(1), 7.1(1)N1(1) or 7.2(0)N1(1). This bug does not apply to the Nexus 5548UP, Nexus 6000/5600 or the N55-M16UP GEM.

Workaround:
Once the switch is in this state, it must be reloaded to recover. However, after an upgrade or reload, the following debug command can be enabled to avoid running into this issue:
debug hardware internal carmel dom-thread disable

Note that the command is not saved in NVRAM and needs to be applied on subsequent reloads. An EEM script can be used to automatically configure this after reloads.

event manager applet dom-disable
event syslog pattern "MOD_STATUS_ONLINE"
action 1 cli debug hardware internal carmel dom-thread disable
action 2 syslog priority alerts msg Disabling DOM monitoring

Prior to upgrading the switch to a fixed NX-OS version, remove the EEM script from the running configuration.

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
7.2(0)N1(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv15524
Title:
Unable to bring UP FC interface between N5K & MDS
Status:
Other
Severity:
2 Severe
Description:

Symptom:
Some of the Fibre Channel interfaces on a N55-M16UP module are error disabled (port reinit limit reached) after reloading of the N5K switch.

Conditions:
These are the conditions that could introduce the problem:
(1) upgrade from NX-OS 5.2(1)N1(5) to 6.0(2)N2(3), and
(2) reload of N55-M16UP

Check the output of the following commands to verify whether you are hitting the bug:
N5K-TEMP# show platform afm errors | i "afm_module_inserted"
N5K-TEMP# show platform afm errors | i "ERROR: Label allocation"

Workaround:
No Workaround

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
6.0(2)N2(3)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuo02240
Title:
N5K carmelusd core
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
A Nexus 5500 switch crashes due to a carmelusd hap reset. There is a memory leak in the Carmel USD driver.

Conditions:
a) Apply and remove HIF storm policer configuration to HIF interface
b) Apply HIF storm policer configuration and flap HIF interfaces

Workaround:
None.

Further Problem Description:
An AVL tree is used to add HIF storm policer information to the Carmel/Bigsur database
when the user applies a HIF storm policer to a HIF interface. Memory allocated for the HIF
storm policer is not properly deallocated when the HIF policer is deleted from the AVL
tree: 280 bytes of heap memory are leaked each time a HIF storm policer is removed from an interface.

Last Modified:
20-AUG-2015
Known Affected Releases:
6.0(2)N2(3), 7.0(6)N1(1.6), 7.2(0)N1(0.192)
Known Fixed Releases: *
7.0(6)N1(1.8), 7.0(6)N1(2s), 7.0(7)N1(0.293), 7.0(7)N1(1), 7.0(7)ZN(0.188), 7.1(3)N1(0.608), 7.1(3)N1(1), 7.1(3)ZN(0.13), 7.2(1)N1(0.287), 7.2(1)N1(1)
Alert Type:
New
Bug Id:
CSCuh30885
Title:
CTS:RBACL Update and Programming Fails in Certain Scenarios.
Status:
Fixed
Severity:
2 Severe
Description:


Symptom:

RBACL SGT, DGT programming fails under certain conditions.

Conditions:

When cells corresponding to different DGTs are downloaded, or many cells (>10) for the same DGT are downloaded, from ISE with RBACL enforcement enabled on VLANs.

Workaround:

Disable/enable feature cts and reconfigure cts.

More Info:

The higher the number of SGT/DGT pairs downloaded and the number of VLANs on which RBACL enforcement is enabled, the more likely the issue is to be hit.

Last Modified:
20-AUG-2015
Known Affected Releases:
6.0(2)N2(0.137)
Known Fixed Releases:
6.0(2)N3(0.73), 6.0(2)N3(1), 7.0(0)N1(1.3), 7.0(0)N1(2), 7.0(0)ZN(1.2), 7.1(0)ZN(0.183)
Alert Type:
Updated *
Bug Id:
CSCtx97987
Title:
IP-connectivity broken with /30-subnets between 6500 and N5K in vpc
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
In a triangular setup connecting a 6500 (possibly any switch) to a pair of N5500s in vPC with an L3 module,
one physical connection goes to each N5K, forming a port-channel on the 6500 and a vPC port-channel on the N5Ks.

          ______N5K-Sec
         /       ||
    6500         ||
         \______N5K-Pri

We create one VLAN per logical connection:
6500<->N5K-Pri
6500<->N5K-Sec
N5K-Pri<->N5K-Sec (over the peer link)

So we enable 2 VLANs on the port-channel
and 3 on the vPC peer link.

Conditions:
5.0(3)N1(1c), 5.1(3)N1(1)
When using /30 addresses, MAC learning does not work fully from N5K-Pri to N5K-Sec
when EtherChannel load balancing on the 6500 chooses the physical link to N5K-Pri to reach the SVI on N5K-Sec.
The MAC address of the SVI on the 6500 does not get learned on N5K-Sec.

Workaround:
When using /29 addresses, this problem is not present.

Further Problem Description:

Last Modified:
26-AUG-2015
Known Affected Releases:
5.0(3)N1(1c), 5.1(3)N1(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuc26047
Title:
Nexus 5k/6k reset due to Kernel Panic
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
A Nexus5000/6000 switch will reset with a kernel panic. The process seen when the kernel panic occurs can vary and is not specific to any particular service. If this issue is suspected, collect the output for 'show logging onboard stack-trace' and contact TAC to verify this.

Conditions:
This has been seen on a N5k/N6K platform. There are no specific conditions to hit the problem currently.

Workaround:
None at this time.

Further Problem Description:

Last Modified:
26-AUG-2015
Known Affected Releases:
5.0(3)N2(2b), 5.2(1)N1(3), 6.0(2)N2(2)
Known Fixed Releases:
5.2(1)N1(7.132), 5.2(1)N1(8), 6.0(2)N2(5.85), 6.0(2)N2(6), 7.0(1)ZN(0.716), 7.0(6)N1(0.219), 7.0(6)N1(1), 7.1(0)N1(0.309), 7.1(0)N1(1), 7.1(0)ZN(0.395)
Alert Type:
Updated *
Bug Id:
CSCuv59999
Title:
vlan_mgr Memory Leak on VLAN Addition\Removal
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Memory leak under the allocators "VLAN_MGR_MEM_vlan_port_affected_notif_p" and "VLAN_MGR_MEM_if_info_t" in the output of "show vlan internal mem-stats detail"

Conditions:
The leak seems to occur when allocating VLANs in "mode fabric"; the specific triggers and prerequisite conditions are still being narrowed down.

Workaround:
No known workaround to prevent the leak. A reload will clear any leaked memory on the switch.

Further Problem Description:

Last Modified:
28-AUG-2015
Known Affected Releases:
7.0(5)N1(1)
Known Fixed Releases: *
7.0(7)N1(0.296), 7.0(7)N1(1), 7.0(7)ZN(0.198), 7.1(3)N1(0.616), 7.1(3)N1(1), 7.1(3)ZN(0.22), 7.2(1)N1(0.293), 7.2(1)N1(1), 7.2(1)ZN(0.57)
Alert Type:
Updated *
Bug Id:
CSCuv92830
Title:
RADIUS login only assigned network-operator role
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
A previously working AAA authenticated user who is configured for non network-operator privileges (such as network-admin) only receives network-operator privileges. This user is no longer able to configure the switch via CLI or SNMP.

The CLI user will show as having 'network-operator' role:

switch# show user-account fieldsupport
user:fieldsupport
roles:network-operator

Also, if the SNMP user exists, it will show as having 'network-operator' role:

switch# show snmp user fieldsupport
______________________________________________________________
                          SNMP USERS
______________________________________________________________
User           Auth   Priv(enforce)   Groups
____           ____   _____________   ______
fieldsupport   md5    des(no)         network-operator

Conditions:
This issue only affects logins that meet all of the following conditions:

1) are authenticated remotely via RADIUS
2) have multiple Vendor Specific Attributes (VSAs) defined as a single Cisco-AVPair, eg, shell and SNMP version 3 settings:

shell:roles="operations-user fieldsupport" snmpv3:auth=SHA priv=AES-128

This issue does not occur if the 'shell:roles' VSA is defined alone (even with multiple roles assigned).

Workaround:
On the AAA server, create a separate RADIUS policy for users that splits Cisco-AVPairs into true attribute pairs, eg:

Cisco-AVPair #1: shell:roles="operations-user fieldsupport"
Cisco-AVPair #2: snmpv3:auth=SHA priv=AES-128

Assign this policy conditionally on the requesting RADIUS client IP address (ie, the switch mgmt0 IP address).

If the RADIUS server does not support conditional assignment of policies by RADIUS client IP address then an alternate method is possible. Create a local user on the switch with local role assignment which will override the remotely supplied role using the following commands:

switch(config)# no username
switch(config)# username password ! role fieldsupport

Further Problem Description:

Last Modified:
31-AUG-2015
Known Affected Releases:
7.2(1)N1(0.1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu14439
Title:
DFE Tuning: Servers not Sending Traffic after Microflap
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
The switch doesn't see traffic from the server, and the server doesn't receive anything from the switch (including broadcasts):

Ethernet1/45 is up
  RX
    0 unicast packets  0 multicast packets  0 broadcast packets
    0 input packets  0 bytes
  TX
    0 unicast packets  10613 multicast packets  0 broadcast packets
    10613 output packets  1152256 bytes

Conditions:
- Nexus 55xxUP
- Microflap occurred

Workaround:
Flap the interface by issuing a 'shut / no shut'

Further Problem Description:
CSCuj86736 was implemented in earlier code to restart DFE tuning if link faults are seen and disappear within the debounce timeout. In this case the link status remains UP if the link recovers within the link debounce timeout.

In rare cases where the DFE tuning is not successful, the Nexus 55xxUP ASIC sends remote faults to the server. Per the IEEE standards, the server will not send any data packets to the switch while these faults are received. This is why the packet counters do not increase. In 7.0(7)N1(1) and later code, the Nexus 55xxUP identifies this scenario and forces the interface to flap.

Last Modified:
31-AUG-2015
Known Affected Releases:
7.0(5)N1(1)
Known Fixed Releases:
7.0(7)N1(0.297), 7.0(7)N1(1), 7.0(7)ZN(0.200)
Alert Type:
New
Bug Id:
CSCuu48350
Title:
Nexus5k: configuration lines missing after the NX-OS upgrade
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
On a Cisco Nexus 5000 (N5K), when the user tries to create a user with a specific role, an error of the following form is returned:
usermod: user does not exist.

Conditions:
Cisco Nexus devices running an affected version of NXOS software.

Workaround:
None.

Further Problem Description:
None.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal
resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
05-AUG-2015
Known Affected Releases:
7.0(3)N1(0.28), 7.1(2)N1(0.528), 7.2(1)N1(0.5)
Known Fixed Releases:
7.0(7)ZN(0.122), 7.1(2)N1(0.567), 7.1(2)N1(1), 7.1(2)ZN(0.27), 7.2(1)N1(0.28), 7.2(1)N1(1), 7.3(0)N1(1)
Alert Type:
Updated *
Bug Id:
CSCur31350
Title:
Multiple Vulnerabilities in OpenSSL - August 2014
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
This product includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-3505
CVE-2014-3506
CVE-2014-3507
CVE-2014-3508
CVE-2014-3510

CVE-2014-3566 (POODLE)

This bug has been opened to address the potential impact on this product.

Conditions:
The POODLE security issue CVE-2014-3566 is exposed if any of the following is configured:

LDAP as part of the DFA configuration, for example:

fabric database type network
server protocol ldap ip 10.95.126.166 vrf management

Or

onep configured with the "transport type tls ..." option

Or

a vmtracker configuration

Workaround:
1. Avoid any "fabric database" configuration with keyword "enable-ssl".
For example:
fabric database type network
server protocol ldap ip 172.29.21.2 enable-ssl
2. Make sure the 'secure LDAP' option is unchecked when defining a POAP template on DCNM.
3. Do not use onep.

Further Problem Description:
A POODLE attack requires a man-in-the-middle position between the Nexus 5000/6000 switch (the LDAP client)
and the LDAP server. It would also require a protocol downgrade attack since, by default, the Nexus 5000/6000
uses the TLS protocol.

Current schedule for the fix :
- 7.1(1)N1(1) March or early April 2015 (was postponed from Feb 2015)
- 7.2 release April 2015

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the
time of evaluation are: 2.6/2.5

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
31-AUG-2015
Known Affected Releases:
6.0(2)N3(0.91), 7.2(0)VX(0.9), 7.2(0.1)PR(0.1), 9.4(1)N1(6.8)
Known Fixed Releases: *
5.2(1)N1(9), 6.0(2)N2(7), 7.0(7)N1(1), 7.1(2)N1(1), 7.2(1)N1(1)
Alert Type:
Updated *
Bug Id:
CSCtu10585
Title:
CDP memory leak on device id
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
Cisco Nexus devices contain a memory leak vulnerability. An unauthenticated, adjacent attacker can trigger a 1 byte memory leak by submitting a
maliciously crafted CDP packet to the affected device.

Conditions:
Cisco Nexus devices running an affected version of NX-OS Software.

Workaround:
If CDP is not required, disabling it is an effective mitigation for this issue.

Further Problem Description:
This issue was identified during an internal security audit of Cisco Nexus and related devices.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are
3.3/2.7:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
5.0(3)N2(2)
Known Fixed Releases:
5.1(3)N1(1)
Alert Type:
Updated *
Bug Id:
CSCua39143
Title:
Command injection with SSH keypair functionality
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
Cisco Nexus devices contain a local command injection vulnerability within the SSH key generation configuration commands of the CLI. An authenticated, local attacker could
inject commands that are subsequently executed on the underlying operating system with elevated privileges.

The vulnerability exists due to a failure to properly sanitize all user supplied input prior to using it to execute commands on the underlying operating system. An attacker with
administrative level privileges on an affected device could inject arbitrary commands that are then executed on the underlying operating system with elevated privileges.

Conditions:
Cisco Nexus devices running an affected version of Cisco NX-OS software.

Workaround:
None.

Further Problem Description:
This vulnerability can only be exploited by an administrator with sufficient privileges to execute the affected commands.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2012-4139 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
5.1(3)N2(1)
Known Fixed Releases:
6.0(2)N1(1)
Alert Type:
New
Bug Id:
CSCuj46729
Title:
tac-pac not vrf aware on N5K
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
There is no option to specify a vrf name, while running the tac-pac command.

Conditions:
N/A

Workaround:
N/A

Further Problem Description:
Enhancement

Last Modified:
31-AUG-2015
Known Affected Releases:
5.2(1)N1(5)
Known Fixed Releases:
7.0(0)N1(1)
Alert Type:
New
Bug Id:
CSCua08693
Title:
Incorrect PFC Operational mode after reload
Status:
Other
Severity:
3 Moderate
Description:

Symptom:
On a Nexus 5000/5500 switch, after upgrading the NX-OS release to 5.1.3.N2.1, PFC is no longer enabled on the ports.

This is the symptom of the problem:

lct-n5kup# sh int priority-flow-control
============================================================
Port               Mode Oper(VL bmap)  RxPPP    TxPPP
============================================================

Ethernet1/1        Auto On  (8)        0        0

After updating to version 5.1(3)N1(1),

the port will never set PFC to on:

ct-n5kup(config-if)# sh int priority-flow-control
============================================================
Port               Mode Oper(VL bmap)  RxPPP    TxPPP
============================================================

Ethernet1/1        Auto Off            0        0

Conditions:
Nexus 5000/5500 switch running 5.1.3.N2.1 release

Workaround:
Downgrade to NX-OS release 5.0.3.N2.2b or earlier

Further Problem Description:
Bug Fix:

Last Modified:
31-AUG-2015
Known Affected Releases:
5.1(3)N2(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu27754
Title:
N55xx "reload power-cycle" is not resetting ADM
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
N55xx "reload power-cycle" is not resetting ADM

Conditions:
Execute "reload power-cycle"

Workaround:
Manually power cycle the switch.

Further Problem Description:

Last Modified:
28-AUG-2015
Known Affected Releases:
6.0(2)N2(6), 7.1(1)N1(1)
Known Fixed Releases: *
7.1(3)N1(0.616), 7.1(3)N1(1), 7.1(3)ZN(0.22)
Alert Type:
Updated *
Bug Id:
CSCur18043
Title:
N6K "ntp access-group peer" won't show up in running config
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"ntp access-group peer" won't show up in the running config if "ntp access-group serve-only" is configured

Conditions:
"show run ntp" will show both "ntp access-group peer" and "ntp access-group serve-only", but "ntp access-group peer" is missing from the general "show run" output

Workaround:
show run ntp

Further Problem Description:

Last Modified:
28-AUG-2015
Known Affected Releases:
7.1(1)N1(0.444)
Known Fixed Releases: *
7.0(7)ZN(0.108), 7.1(2)N1(0.554), 7.1(2)N1(1), 7.1(2)ZD(0.10), 7.1(2)ZN(0.13), 7.2(1)D1(0.65), 7.2(1)N1(0.294), 7.2(1)N1(1), 7.2(1)ZD(0.57), 7.2(1)ZN(0.58)
Alert Type:
Updated *
Bug Id:
CSCun16332
Title:
Nexus2232PP FEX hangs when 1G optics are present in certain host ports
Status: *
Terminated
Severity:
3 Moderate
Description: *

Symptom:
A Nexus 2232 FEX with 1G optics inserted in host ports prior to bringing the FEX online hangs. As a result, the FEX fabric interfaces on the parent Nexus 5000, 6000 or 7000 switch do not come up, so the FEX fails to download the image and come online.

Conditions:
A Nexus 2232 FEX which has 1G optics inserted in host ports prior to it associating to a parent Nexus 5000, 6000 or 7000 switch.

Workaround:
Remove all 1G optics from the host interfaces and then connect the FEX uplinks to the parent Nexus 5000, 6000 or 7000 switch. After the FEX comes online, the 1G optics can be put back into the host ports.

Further Problem Description:

Last Modified:
27-AUG-2015
Known Affected Releases:
7.0(0)N1(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuj36247
Title:
5-7 seconds traffic convergence when vPC+ switch recovers from a reload
Status:
Other
Severity:
3 Moderate
Description:

Symptom:
When one of the vPC+ peer switches is recovering from a reload, 5-7 seconds of traffic re-convergence was observed. Traffic loss starts soon after the FabricPath adjacency has been re-established but before vPC+ is re-established.

Conditions:
Spine nodes are N7K and leaf nodes are N5K vPC+ peers. N2K FEXs are connected to the parent N5K switches. There is bidirectional Layer 2 and Layer 3 traffic between the leaf nodes.

Workaround:
None

Further Problem Description:

Last Modified:
27-AUG-2015
Known Affected Releases:
5.2(1)N1(5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCum17923
Title:
N5k should not send ELS_RSCN upon mgmt port changes on a connected MDS
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In a scenario like the following:

mds ------- n5k ------ end device

when you make config changes on int mgmt0 of the mds switch, the mds sends a SW_RSCN to n5k and the n5k in turn sends an ELS_RSCN to end devices. That ELS_RSCN may trigger a logout of the end device from the fabric.

Also, when the mgmt port of the n5k itself changes, the n5k sends ELS_RSCNs to end devices, which again may trigger a log out from the fabric.

Conditions:
N5k is in switching mode (non NPV mode).

Workaround:
None.

Further Problem Description:
This is to modify the behavior of the N5K in the scenario above. In particular:

a. the n5k should not send ELS_RSCNs to end devices when receiving a SW_RSCN from a connected MDS switch that sent it because its mgmt port was changed

b. there should be a knob on n5k in order to enable or disable sending ELS_RSCNs to end devices when the mgmt port of the n5k itself changes. Something like what was introduced in MDS platform recently:

# configuration terminal
(config)# [no] rscn permit type nport event switch-config [vsan ]

Last Modified:
27-AUG-2015
Known Affected Releases:
5.2(1)N1(6), 6.0(2)N2(1)
Known Fixed Releases: *
7.1(3)N1(0.615), 7.1(3)N1(1), 7.1(3)ZN(0.21), 7.3(0)BZN(0.7), 7.3(0)N1(0.45), 7.3(0)N1(1), 7.3(0)ZN(0.50)
Alert Type:
Updated *
Bug Id:
CSCty07159
Title:
tar CLI command allows arbitrary file access
Status:
Fixed
Severity:
3 Moderate
Description: *

Cisco NX-OS software contains a directory traversal vulnerability within the command line interface that could allow a local, authenticated attacker to access arbitrary files on the device. An attacker could leverage the "tar" command to read files by archiving them to a location where the attacker can directly access the file contents. The "tar" command can also be used to un-archive a user-created file to any location in the filesystem, thus creating or overwriting arbitrary files.

The following Cisco Nexus devices are affected:
Cisco Nexus 7000 Series
Cisco Nexus 5000 Series
Cisco Nexus 3000 Series
Cisco Nexus 1000V Series

Conditions:

Device is running an affected version of Cisco NX-OS software.

Workaround:

Restrict access to trusted users.

Further Problem Description:

This issue was discovered during internal testing by Cisco.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:U/RC:C&version=2.0

CVE ID CVE-2012-4131 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4131

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
06-AUG-2015
Known Affected Releases:
5.0(3)N2(2a)
Known Fixed Releases:
6.0(2)N1(1)
Alert Type:
Updated *
Bug Id:
CSCts56664
Title:
Command injection vulnerability in NX-OS 'ethanalyzer' command
Status:
Fixed
Severity:
3 Moderate
Description: *



Symptom:

Cisco Nexus 5000 series and Cisco Unified Computing System fabric interconnect devices contain a command injection vulnerability. This issue could allow a local, authenticated attacker to execute commands on the underlying operating system with elevated privileges.

The issue exists when parsing user supplied input passed to the ethanalyzer command.

The following NX-OS Based products are affected:
Nexus 5000
Cisco Unified Computing System Fabric Interconnect Devices



Conditions:

Cisco Nexus and UCS Fabric Interconnect devices running an affected version of NX-OS software.



Workaround:

Restrict access to trusted users only.



Further Problem Description:

This issue was identified during an internal security audit of Cisco Nexus and UCS devices.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2012-4103 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4103

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
06-AUG-2015
Known Affected Releases:
5.0(3)N2(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtx83729
Title:
CDP memory leak on repeated TLVs
Status:
Other
Severity:
3 Moderate
Description: *

Symptoms:
Cisco Nexus 1000, 3000, 4000, 5000, and 7000 switches may leak memory when processing malformed Cisco Discovery Protocol (CDP) packets, which can lead to an eventual reload of the switch. An adjacent attacker with the ability to submit malformed CDP traffic to an affected device could cause a denial of service condition while the device reloads or fails over to a redundant Supervisor card, if so equipped.

Conditions:
Cisco Nexus Switches running an affected version of NX-OS.

Workaround:
Disable CDP on the affected device; CDP is enabled by default.

NX-OS:
no cdp enable


Further Problem Description:
This issue was identified through internal hardening efforts on the NX-OS platform.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.7/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0

CVE ID CVE-2012-1323 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
5.0(3)N2(2b)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCua71557
Title:
CLI file redirection write vulnerability
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
Cisco Nexus 7000 and Nexus 5000 devices contain a local arbitrary write redirection issue. This vulnerability could allow a local, authenticated attacker to create files in any location to which they have access. This could allow them to write malicious script files into locations that may later be inadvertently accessed by an administrator.

Conditions:
Cisco Nexus devices running an affected version of NX-OS Software.

Workaround:

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/3.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:N/I:C/A:N/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2012-4141 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4141

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
06-AUG-2015
Known Affected Releases:
5.0(3)N2(2b)
Known Fixed Releases:
6.0(2)A1(1), 6.0(2)N1(1), 6.0(2)U1(1), 9.3(1)ZD4.8, 9.3(1)ZE1.2, 9.3(1)ZM0.80
Alert Type:
Updated *
Bug Id:
CSCte90384
Title:
NX-OS arbitrary command injection in admin CLI
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptoms:
A vulnerability exists in NX-OS which can allow an authenticated, local attacker to execute arbitrary commands on an affected system. A successful exploit would allow an attacker to gain unauthorized access to the underlying operating system.

Conditions:
Devices running affected versions of NX-OS software are vulnerable.

Workaround:
None

Further Problem Description:
This issue was discovered in internal security testing and has been resolved in all current versions of affected software.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2011-4240 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
4.1(3)N2(1a)
Known Fixed Releases:
4.2(1)N1(1)
Alert Type:
Updated *
Bug Id:
CSCtn87115
Title:
Nexus 5000: 5.0(3)N1(1a) show queuing interface might crash the switch
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
A Nexus 5000 switch running 5.0(3)N1(a) with a N5K-M1060 FC expansion module installed and feature FCoE enabled might crash when the command show queuing interface or show queuing interface fcx/y is issued.

Conditions:
The switch has a N5K-M1060 FC expansion module and feature fcoe is enabled.

Workaround:
Do not issue the above commands; use the command show queuing interface Ethernet 1/x instead.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.4/3.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-0965 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
5.0(3)N1(1a)
Known Fixed Releases:
5.0(3)N1(1b)
Alert Type:
Updated *
Bug Id:
CSCtr76417
Title:
memory leak in port profile (ppm) process associated with libavl()
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:

A memory leak is seen in the port profile (ppm) process associated with libavl(). The PPM process will crash and the system will reload once Memalloc reaches 250 MB.

Conditions:

When the switch has a switch-profile configured with at least one command and a "show running", "show running switch-profile" or "show running diff" command is executed.

Workaround:
1. Do not configure switch-profile.
2. Plan a reload of the box when memalloc gets close to 250 MB. Check the memory used by the ppm process using:
show process memory | grep port-profile
If either MemAlloc or RSS Memory is close to 250 MB, the system should be reloaded.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.8/2.3:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:M/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0

No CVE ID has been assigned to this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
5.0(3)N2(1)
Known Fixed Releases:
5.0(3)N2(2), 9.9(0)BS(0.13)
Alert Type:
Updated *
Bug Id:
CSCur04684
Title:
RX CRC errors on Nexus L3 (routed) interface
Status: *
Terminated
Severity:
3 Moderate
Description: *

Symptom:
CRC errors are observed on TX of L3 interface on N5K and RX of upstream device

Same number of CRC errors and Giants is observed on RX of Upstream device L3 interface.
Same number of CRC errors and Jumbo frames is observed on TX of N5K L3 interface.

Conditions:
Possibly a Nexus 5k with a routed interface (no switchport) configured and a jumbo MTU QoS config applied.

Workaround:
Unknown at the moment.

Further Problem Description:

Last Modified:
11-AUG-2015
Known Affected Releases:
5.1(3)N2(1c)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuo01637
Title:
Nexus5k : Network-operator role can view sensitive configuration
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:

Cisco Nexus devices contain an information disclosure issue that could allow an authenticated, local attacker to gain access to sensitive information. The affected devices do not perform sufficient sanitization of configuration files when they are viewed by a user that has been assigned the Network-Operator role. This could allow an attacker to gain access to the password hashes of locally configured users.



Conditions:

Cisco Nexus devices running an affected version of NXOS software.



Workaround:

Restrict access to trusted users only.



Further Problem Description:

None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2012-4090 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4090

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
11-AUG-2015
Known Affected Releases:
5.2(1)N1(7)
Known Fixed Releases:
5.2(1)N1(7.131), 5.2(1)N1(8), 6.0(2)N2(4.70), 6.0(2)N2(5), 7.0(7)ZN(0.108), 7.1(0)N1(0.212), 7.1(0)N1(1), 7.1(0)ZN(0.315), 7.2(0)ZN(0.93)
Alert Type:
Updated *
Bug Id:
CSCuh15128
Title:
POE is not supported on Nexus 5000 or 5500 switches
Status:
Fixed
Severity:
3 Moderate
Description: *

Hi,

Removed POE instances from the document as mentioned in the bug.
Updated doc URL for reference:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/b_Cisco_Nexus_5000_Series_NX-OS_.html

Thanks and regards,
Vanitha

Symptom:

Conditions:

Workaround:

Further Problem Description:

Last Modified:
12-AUG-2015
Known Affected Releases:
5.1(3)N1(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv68924
Title:
Nexus 56128P rlir hap reset during ISSU
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
Switch reset during ISSU upgrade from 7.1(0)N1(1b) to 7.1(1)N1(1).

%$ VDC-1 %$ %USER-2-SYSTEM_MSG: CLIS: loading cmd files begin - clis
%$ VDC-1 %$ %RLIR-2-PSS_FAILED: RLIR PSS operation failed: Open failed for RLIR runtime context: No such file or directory
%$ VDC-1 %$ %RLIR-2-INIT_FAILED: RLIR Init failed: Unable to initialize PSS
%$ VDC-1 %$ %RSCN-2-PSS_FAILED: RSCN PSS operation failed: Open failed for SCR Table: No such file or directory
%$ VDC-1 %$ %RSCN-2-INIT_FAILED: RSCN Init failed: Unable to initialize PSS
%$ VDC-1 %$ %FCDOMAIN-2-EPORT_ISOLATED: %$VSAN 11%$ Isolation of interface san-port-channel 19 (reason: other side Eport indicates isolation)
%$ VDC-1 %$ %FCDOMAIN-2-EPORT_ISOLATED: %$VSAN 13%$ Isolation of interface san-port-channel 19 (reason: other side Eport indicates isolation)
%$ VDC-1 %$ %USER-2-SYSTEM_MSG: CLIS: loading cmd files end - clis
%$ VDC-1 %$ %USER-2-SYSTEM_MSG: CLIS: init begin - clis
[ 79.888078] Shutdown Ports..
[ 79.922428] writing reset reason 16, rlir hap reset

Reason: Reset triggered due to HA policy of Reset
System version: 7.1(1)N1(1)
Service: rlir hap reset

Conditions:
Not all the conditions are known at this time. This problem has been observed on the Cisco Nexus 56128P.

Workaround:
None

Further Problem Description:

Last Modified:
14-AUG-2015
Known Affected Releases:
7.1(0)N1(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuj86736
Title:
Need to optimize DFE tuning in 55xxUP series switches - RX CRC Errors
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
Ingress CRCs seen on Nexus 55xxUP switches when using twinax cabling.

Conditions:
Nexus 55xx.
May occur after rapid link flaps.

Workaround:
shut/no shut the interface experiencing this issue.
May require several repetitions.

Further Problem Description:
This problem can be verified from the Carmel ASIC on Nexus 5500 series switches.


Nexus# show hardware internal carmel eye
+-------+------------+-------------+------------+----------------------------+--+--+--+--+--+--+--+--+--+--+
| Port | Eye Height | Eye Width | Raw values | Time measured |St|20|21|22|23|24|25|26|2E|2F|
+-------+------------+-------------+------------+----------------------------+--+--+--+--+--+--+--+--+--+--+
(...)
Eth 1/7 |37 mv| 359 mUI | c/ 17 | 08/13/2014 14:25:19.743224 |00|00|00|00|00|00|00|00|00|00|

An eye height of 37 mV is below expectations.

Nexus# show hardware internal carmel eye
+-------+------------+-------------+------------+----------------------------+--+--+--+--+--+--+--+--+--+--+
| Port | Eye Height | Eye Width | Raw values | Time measured |St|20|21|22|23|24|25|26|2E|2F|
+-------+------------+-------------+------------+----------------------------+--+--+--+--+--+--+--+--+--+--+
Eth 1/1 |106 mv| 734 mUI | 22/ 2f | 09/11/2014 08:29:28.379302 |a9|d7|86|18|30|57|86|18|88|00|


An eye height of 106 mV is within expected results.


A similar bug exists on UCS and is tracked under CSCuo76425.

Last Modified:
14-AUG-2015
Known Affected Releases:
5.2(1)N1(6), 6.0(2)N2(3)
Known Fixed Releases:
5.2(1)N1(7), 6.0(2)N2(5.94), 6.0(2)N2(6), 7.0(1)ZN(0.495), 7.0(4)N1(0.132), 7.0(4)N1(1), 7.1(0)N1(0.268), 7.1(0)N1(1), 7.1(0)ZN(0.363)
Alert Type:
Updated *
Bug Id:
CSCta78541
Title:
"show system error-id list" CLI core VSH on FEX
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:

The following steps cause the issue:
attach fex 102
show system error-id list

This causes VSH to crash and generate a core. The FEX does not reload, and the core does not impact the functionality of the FEX.

Workaround:
None.

Last Modified:
15-AUG-2015
Known Affected Releases:
4.1(3)N1(0.188)
Known Fixed Releases:
4.1(3)N2(1)
Alert Type:
Updated *
Bug Id:
CSCus19543
Title:
DOC: NX-OS upgrade by changing boot variables & reload is not supported
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Configuration loss and other forwarding problems can be seen on Nexus 5000/5500/5600/6000 if the switch was upgraded by changing boot variables and reloading.

This bug is filed to remove the "Upgrading a Dual-Homed FEX Access Layer" section from documentation, which suggests changing boot variables manually and to insert a warning not to do this instead:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/upgrade/521_N1_8/n5k_upgrade_downgrade_521.html#pgfId-641802
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/upgrade/602_N2_5/n5500_upgrade_downgrade_602.html#pgfId-641802
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/upgrade/704_N1_1/n5600_upgrade_downgrade_700.html#pgfId-641802

Conditions:
Nexus 5000/5500/5600/6000 switch was upgraded by changing boot variables and reload.

Workaround:
If a switch was upgraded by changing boot variables and reloading, the workaround is to do a "write erase", reload, and re-apply the configuration.

Further Problem Description:
Also refer to CSCuo34379 ("N5K/6K:NX-OS upgrade by changing bootvariables & reload is not supported").

Last Modified:
18-AUG-2015
Known Affected Releases: *
5.2(1)N1(8a), 6.0(2)N2(5), 7.0(1)N1(2), 7.0(4)N1(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv08448
Title:
Cisco Nexus 5000 VDC Authenticated Privilege Escalation Vulnerability
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A vulnerability in the Command Line Interface (CLI) parser of Cisco Nexus Operating System (NX-OS) devices could allow an authenticated, local attacker to perform a privilege escalation at the CLI.

The vulnerability is due to improper input validation of special characters within filenames. An attacker could exploit this vulnerability by authenticating at the local shell and writing a file to disk with certain special characters. The attacker could then use that file with other CLI commands to obtain a shell prompt at their current privilege level. An exploit could allow the attacker to read/write files and perform other privileged commands.

Conditions:
Device running with default configuration running an affected version of software.

Workaround:
The user has to be authenticated, so use care to distribute "admin" credentials only to trusted sources.

Further Problem Description:
Credit:
Cisco would like to thank Jens Krabbenhoeft for discovering and reporting this vulnerability.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2015-4237 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
19-AUG-2015
Known Affected Releases:
7.2(0)ZZ(99.1)
Known Fixed Releases: *
7.0(7)N1(0.291), 7.0(7)N1(1), 7.0(7)ZN(0.186), 7.1(3)N1(0.608), 7.1(3)N1(1), 7.1(3)ZN(0.13), 7.2(1)N1(0.253), 7.2(1)N1(1), 7.2(1)ZN(0.18)
Alert Type:
New
Bug Id:
CSCuv83420
Title:
Fwm Memleak in fwm_ppf_enable_default_sup_redir
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
Memleak

Conditions:
during fwm init

Workaround:
none

Further Problem Description:
none

Last Modified:
19-AUG-2015
Known Affected Releases:
7.3(0.83)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuj16995
Title:
N5k: Inband drops after enabling ERSPAN session
Status: *
Terminated
Severity:
3 Moderate
Description:

Symptom:
Random inband traffic drops after enabling ERSPAN-source session on Nexus 5500 switch.
Affected inband traffic is traffic destined to the switch SVI address of the VLAN used to send the ERSPAN traffic and which ingresses via the VPC peer-link.

Conditions:
This was observed on Nexus 5500 switch after an upgrade from 5.0(3)N1(1c) to 5.2(1)N1(3). Switches that had other upgrade paths may be affected as well.

Workaround:
Use a dedicated VLAN for sending the ERSPAN replicated traffic, other than the VLAN used for management purposes. Another workaround is to use the mgmt0 interface for management purposes.

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
5.2(1)N1(3)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv83438
Title:
Fwm memleak: acl_install_uninstall
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
Memleak

Conditions:
during init

Workaround:
none

Further Problem Description:
none

Last Modified:
20-AUG-2015
Known Affected Releases:
7.3(0.83)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCul49154
Title:
flow match stats displaying 0 for default drop flow
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The flow statistics for the openflow-agent installed default flow are not available.

Conditions:
The default drop functionality works as expected, but the flow statistics are not incremented. This applies to the default-drop flow installed by the Cisco XNC controller in proactive mode and to the default flows installed using the 'default-miss cascade <>' command.

Workaround:
none

Further Problem Description:
Install proactive flows in the DUT with the help of the Cisco ONE controller. Check that the flows are installed and the ACEs are present in the DUT.

O2-96-F19# show openflow switch 1 flows
Logical Switch Id: 1
Total flows: 1

Flow: 1 <<<<<<<
Match:
Actions: drop
Priority: 0
Table: 0
Cookie: 0x0
Duration: 2981.29s
Number of packets: 0
Number of bytes: 0
O2-96-F19#
O2-96-F19#
O2-96-F19#
O2-96-F19# show ip access-lists

IPV4 ACL onep-acl-16
statistics per-entry
268431361 deny ip any any priority -1 [match=0] <<<<<<<<<<<< ace for default drop

O2-96-F19#

Now send traffic stream and check whether packets are being dropped and counters are updated accordingly.


O2-96-F19# show platform afm info group-config id 41 asic 2
Current running group id counter: 42
Group 41 configuration for asic id 2:
Label Table: [ifacl]-[valid:1, size:2048, used:8]
In use labels:
0-3,6,1024,65534-65535

Label:1024 group:41, logical operators:


TCAM entries [ifacl tcam]:
K-keyType, L-label, B-bindcheck, DH-L2DA, CT-cdceTrnst
L(IF-ifacl V-vacl Q-qos R-rbacl)

[3191]> K:IP (3/0) IN v4 L-[IF-7ff/401 ]
[3191] SA:00000000/00000000 DA:00000000/00000000
[3191]-> prio:7 stats:0 DROP
count:[0]-handle[44001cf044001d6]


[3192]> K:ALL (0/0) IN L-[IF-400/400 ]
[3192]-> prio:7 stats:1792 DROP
count:[17615730341]-handle[ffffffffffffffff] <<<<<<
O2-96-F19#

Last Modified:
20-AUG-2015
Known Affected Releases:
6.0(2)N3(0.356)
Known Fixed Releases:
7.0(1)N1(0.132), 7.0(1)N1(1), 7.0(1)ZN(0.191)
Alert Type:
New
Bug Id:
CSCur05609
Title:
CLIs missing after upgrade from 5.2.1.N1.1 to 7.0.4.N1.1 Build 167
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
CLIs missing after upgrade from 5.2.1.N1.1 to 7.0.4.N1.1 Build 167

Conditions:
Upgrade from 5.2.1.N1.1 to 7.0.4.N1.1 Build 167

Workaround:
None

Further Problem Description:
I am seeing the following CLIs missing in the config when doing upgrade from 5.2.1.N1.1 to Iluka MR3 7.0.4.N1.1 Build 167.

Vodafone Specific CLIs:
logging level feature-mgr 0
class-map type qos class-fcoe
class-map type qos match-all test
class-map type queuing class-fcoe
match qos-group 1
class-map type queuing class-all-flood
match qos-group 2
class-map type queuing class-ip-multicast
match qos-group 2
class class-default
class-map type network-qos class-fcoe
match qos-group 1
class-map type network-qos class-all-flood
match qos-group 2
class-map type network-qos class-ip-multicast
match qos-group 2

My switch specific CLIs:
crypto key param rsa label dcnmCAKey modulus 512 exportable


The full config file as present before and after upgrade are attached.

Last Modified:
20-AUG-2015
Known Affected Releases:
7.0(4)N1(0.167)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuq61530
Title:
Secure LDAP does not work over LDAPS port
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
A secure LDAP connection over the LDAPS port (636) to query or download from the LDAP server doesn't work. An example configuration is shown below:

fabric database type network
server protocol ldap ip 8.0.100.23 port 636 vrf management enable-ssl
db-table ou=networks,dc=cisco,dc=com key-type 1
fabric database type profile
server protocol ldap ip 8.0.100.23 port 636 vrf management enable-ssl
db-table ou=profiles,dc=cisco,dc=com
fabric database type partition
server protocol ldap ip 8.0.100.23 port 636 vrf management enable-ssl
db-table ou=partitions,dc=cisco,dc=com

Conditions:

Workaround:
Do not use port 636.

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
7.1(0)N1(0.291)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCue33173
Title:
ipsg does not work with pvlan isolated trunk
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
If the user does a non-disruptive ISSU upgrade from an old version to the new version with the fix, and DHCP IPSG was previously configured for a PVLAN Isolated Trunk port (very unlikely, because the feature was not working and blocked all traffic), DHCP IPSG may still not work after the upgrade.

Conditions:
Non-disruptive ISSU upgrade with IPSG previously configured on PVLAN Isolated Trunk port.

Workaround:
After ISSU upgrade, if IPSG on PVLAN Isolated Trunk port was previously configured, user needs to unconfigure and reconfigure it to make it work.

Further Problem Description:

Last Modified:
21-AUG-2015
Known Affected Releases:
6.0(2)N1(1)
Known Fixed Releases:
7.0(2)N1(0.161), 7.0(2)N1(1)
Alert Type:
Updated *
Bug Id:
CSCuv82719
Title:
Unable to login with new passwd reset from switch(boot) prompt
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Originally there were the following issues:

The admin password updated from the Kickstart boot CLI never got applied in the following cases.

1) Without doing a previous write erase, go to the kickstart boot prompt and do an admin-password change, then load the system image.
The updated password was never applied.

2) The following procedure does not always work (it works sometimes, as seen in tests):
Copy Running Cfg (This will have Pass 2), Write Erase, Boot Kickstart, Enter Admin Pass 1, Enter Another Admin Pass 2, Login with Pass 2, Copy stored Running Config to Startup Config and Reload, At Kickstart Boot Prompt Change Admin Pass 1
At the switch login prompt, Pass 2 works and Pass 1 does not work.

3) The following procedure does not always work (it works sometimes, as seen in tests):
Copy Running Cfg (This will have Pass 2), Write Erase, Boot Kickstart, Enter Admin Pass 2 at switch Login, Login with Pass 2, Copy stored Running Config to Startup Config and Reload, At Kickstart Boot Prompt Change Admin Pass 1
At the switch login prompt, Pass 2 works and Pass 1 does not work.

Prior to CSCuo63609/CSCut79464 for N5K, none of the 3 cases worked.

Resolution with CSCut79464:

With CSCut79464
Case 1) always works
Cases 2) & 3) work sometimes; not consistent.

Conditions:
With CSCut79464:
Case 1) always works.
Cases 2) and 3) work sometimes; not consistent.

Workaround:
Changing the admin password now works from kickstart without a write erase, which is Case 1 above.
Customers who want to change the admin password after a write erase can always configure the new password once the system software has loaded for the first time.

Further Problem Description:

Last Modified:
24-AUG-2015
Known Affected Releases:
7.2(0)N1(0.165)
Known Fixed Releases: *
7.0(7)N1(0.297), 7.0(7)N1(1), 7.0(7)ZN(0.200), 7.1(3)N1(0.608), 7.1(3)N1(1), 7.1(3)ZN(0.13), 7.2(1)N1(0.287), 7.2(1)N1(1), 7.2(1)ZN(0.51)
Alert Type:
Updated *
Bug Id:
CSCty38446
Title:
vPC: STP unexpectedly blocked due to %STP-2-L2GW_BACKBONE_BLOCK:
Status:
Terminated
Severity:
3 Moderate
Description:

Symptom:
An STP interface is unexpectedly blocked due to %STP-2-L2GW_BACKBONE_BLOCK.
Traffic might be affected for a few seconds.

Conditions:
The issue happens just after the switch boots up. It was observed on Nexus 5000 and Nexus 6000 switches.

Workaround:
Apply an STP pseudo-information root priority that is better (numerically lower) than the root bridge priority:

vlan 1-100
mode fabricpath
spanning-tree pathcost method long
spanning-tree pseudo-information
vlan 1-100 root priority 4096 <<<----

So the value 4096 above must be lower than the root bridge priority.

Further Problem Description:
Shortly after bootup, the Nexus FabricPath edge switch uses its physical STP switch ID instead of the FabricPath shared STP switch ID.

Last Modified:
25-AUG-2015
Known Affected Releases:
5.1(3)N1(1a)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw01048
Title:
Enhancement: Add commands to show tech-support
Status:
Open
Severity:
4 Minor
Description:

Symptom:
This is an enhancement request to add the commands

show tech-support fc
show running-config ipqos all

to the output of

show tech
and
show tech details

Conditions:

Workaround:
Issue the commands separately.

Further Problem Description:

Last Modified:
30-AUG-2015
Known Affected Releases:
7.0(7)N1(0.9)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCul56313
Title:
xcvr_enable_proton_dom_caching: Error
Status:
Open
Severity:
4 Minor
Description:

Symptom:
The output of show interface transceiver details is truncated and contains errors:

as1-nme.bllon# show int e1/20 transceiver details
Error reading from SFP <<<---------------------------

Ethernet1/20
transceiver is present
type is Fabric Extender Transceiver
name is CISCO-FINISAR
part number is FTLX8570D3BCL-C2
revision is A
serial number is FNS17510TZQ
nominal bitrate is 10300 MBit/sec
Link length supported for 50/125um OM3 fiber is 100 m
Link length supported for 62.5/125um fiber is 10 m
cisco id is --
cisco extended id number is 4 <<< -----------------------------

Also, none of the output that should follow the arrowed line, such as the signal strength, is visible.

Conditions:
The customer's issue was observed on the following platform and software version; however, other platforms and software versions might also be affected.

HW: N5K-C5596UP
SW: n5000-uk9.5.2.1.N1.6.bin

Workaround:
None.

Further Problem Description:

Last Modified:
26-AUG-2015
Known Affected Releases:
6.0(2)N3(0.358)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtl87089
Title:
show tech-support to include show processes cpu history
Status:
Fixed
Severity:
4 Minor
Description: *

Symptom:
The output of show processes cpu history is currently not part of the show tech-support output.

Conditions:
Run show tech-support on the switch.

Workaround:
Run show processes cpu history manually.

Further Problem Description:

Last Modified:
28-AUG-2015
Known Affected Releases:
5.0(2)N2(1)
Known Fixed Releases: *
7.0(5)N1(1)
Alert Type:
New
Bug Id:
CSCut94326
Title:
Nexus 5596UP as FC switch: cannot change FSPF cost under fc interface
Status:
Open
Severity:
5 Cosmetic
Description:

Symptom:
Not able to change the FSPF cost of an FC interface.

Conditions:
Will be updated once root cause is found.

Workaround:
Will be updated once root cause is found.

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
7.2(0.1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuu19422
Title:
Runts on N2K-C2348UPQ-10G on not connected interface
Status:
Open
Severity:
5 Cosmetic
Description:

Symptom:
Input errors (runts) are observed on not-connected interfaces of the N2K-C2348UPQ-10G that have a 1000base-LH SFP.

Conditions:
A not-connected interface with a 1000base-LH SFP.

Workaround:
Shut down the not-connected interfaces.

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
7.0(5)N1(1a)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCur95371
Title:
Vxlan not working on N5696-M4C
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
With a VXLAN configuration, a ping to the remote gateway port fails; please add VXLAN support to the N5696-M4C.

Conditions:
This problem only happens on the N5696-M4C.

Workaround:
No workaround.

Further Problem Description:

Last Modified:
20-AUG-2015
Known Affected Releases:
7.1(0)N1(0.418)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv57298
Title:
Make "no trunk protocol enable" a hidden command.
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
"no trunk protocol enable" is not displayed in show running-config, and "[no] trunk protocol enable" is not displayed in show running-config all.

Conditions:
All

Workaround:
Use show trunk protocol to see whether EPP is enabled or disabled.

Further Problem Description:
When the trunk protocol is disabled, the following system message is issued:

%EPP-5-EPP_TRUNK_PROTOCOL_STATUS: epp trunk protocol is disabled on switch

If the trunk protocol is disabled, no new port-channels will activate and no new VSANs can be added to trunks. Existing trunks (both TE and TF) continue to function normally.

The trunk protocol (EPP) should normally never be disabled.

Last Modified:
22-AUG-2015
Known Affected Releases:
5.2(1)N1(9)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtx24025
Title:
Enh: Request SSH 5.9 on Nexus5000 to avoid SSH DoS Vulnerability report
Status:
Other
Severity:
6 Enhancement
Description: *

Symptom:
A Nessus scanner of version 4.4.1 or above will report a DoS vulnerability for a Nexus 5000 running 5.1(3) or below:

The SSH server on the remote host has multiple denial of service vulnerabilities.

It requests that the SSH service on the Nexus 5000 be upgraded to 5.9 or above to avoid CVE-2010-4755.

Conditions:
A Nexus 5000 running 5.1(3) uses SSH 5.5, which triggers this report. If this vulnerability were exploited, the SSH process would terminate, tearing down all currently established SSH sessions. The SSH process would restart automatically and SSH sessions could be re-established. This re-establishment can be automatic or manual, depending on how the sessions were initially established and the processes surrounding them.

Workaround:
N/A

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2010-4755 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-AUG-2015
Known Affected Releases:
5.1(3)N1(1)
Known Fixed Releases:

Find additional information in Bug Search index.


2013 Cisco and/or its affiliates. All rights reserved.
