| |
|
Alert Type: | Updated * |
Bug Id: | CSCtk19132 | Title: | Nexus reset due to HA policy on multiple CDP process crash |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Description: * | Symptoms: A Cisco Nexus 5000 may reset due to an HA policy if the CDP process crashes multiple times.
Conditions: This has been seen when processing a malformed CDP packet
Workaround: Disable the CDP process
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-2469 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.1(3)N2(1a) |
|
Known Fixed Releases: | 5.0(2)N2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur30094 | Title: | Nexus 5000 : evaluation of SSLv3 POODLE vulnerability |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: This product includes a version of SSL that is affected by the vulnerabilities identified by the Common Vulnerabilities and Exposures (CVE) IDs:
CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3508 CVE-2014-3510
CVE-2014-3566 (POODLE)
This bug has been opened to address the potential impact on this product.
Conditions: The POODLE security issue CVE-2014-3566 exists if LDAP is configured as part of the DFA configuration, something like this:
fabric database type network server protocol ldap ip 10.95.126.166 vrf management
or if Onep is configured with the "transport type tls ..." option,
or with a vmtracker configuration.
Workaround:
1. Avoid any "fabric database" configuration with the keyword "enable-ssl". For example: fabric database type network server protocol ldap ip 172.29.21.2 enable-ssl
2. Make sure the 'secure LDAP' option is unchecked when defining the POAP template on DCNM.
3. Do not use onep.
Further Problem Description: A POODLE attack requires a man-in-the-middle position between the nexus5000/6000 switch (the LDAP client) and the LDAP server. It would also require a protocol downgrade attack since, by default, nexus5000/6000 uses the TLS protocol.
Current schedule for the fix:
- 7.1(1)N1(1): March or early April 2015 (was postponed from Feb 2015)
- 7.2 release: April 2015
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 2.6/2.5
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Last Modified: | 01-AUG-2015 |
|
Known Affected Releases: | 6.0(2)N3(0.91), 7.0(4)N1(1), 7.1(0)ZN(91.34), 7.2(0)N1(0.76), 7.2(0)N1(0.82), 7.2(0)N1(0.85), 7.2(0)N1(0.88), 7.2(0)VX(0.9), 7.2(0.1)PR(0.1), 7.9(0)ZD(0.4) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.1(0)IB(122), 7.1(0)SIB(99.109), 7.1(1)N1(0.482), 7.1(1)N1(1), 7.1(1)ZD(0.19) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut59888 | Title: | After MAC Flap, MAC is not relearned correctly on one of the VPC Peers. |
|
Status: * | Terminated |
|
Severity: | 2 Severe |
Description: | Symptom: After a short MAC-address flap, one VPC peer has the MAC address pointing to a single source interface while the other VPC peer has the MAC address pointing to a different source interface.
Example:
Switch_A# sh mac add dy vlan 10
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY   Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 10       0000.0c07.ac00    dynamic   120        F    F  333.0.0

Switch_B# sh mac add dy vlan 10
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY   Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 10       0000.0c07.ac00    dynamic   10         F    F  Po6

Traffic is sourced from source MAC 0000.0c07.ac00 only on Po6.
Conditions: Two variations of the issue have been seen:
- MAC is wrong until MAX-age and then corrects
- MAC is not cleared on MAX-age
This is only seen when only one leg of the VPC is receiving the traffic and the other leg is not receiving *any* traffic from the affected source MAC address.
Workaround: Clear the MAC manually
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 6.0(2)N2(4) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuc72380 | Title: | Nexus 5500: IGMP Link Local Destination Packet Flooded |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: IGMP membership reports are looped within VLAN.
Conditions:
- Upstream vPC member port is an IGMP mrouter port
- Destination address is a link-local multicast address (i.e., 224.0.0.252)
- IGMP membership report for any address other than 0.0.0.0
Workaround: Remove affected VLAN from peer-link. Traffic will still be forwarded by vPC primary due to graceful consistency check.
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 5.1(3)N2(1a), 6.0(2)N2(4) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.1(2)N1(0.548), 7.1(2)N1(1), 7.1(2)ZD(0.5), 7.1(2)ZN(0.7), 7.2(0)BA(0.12) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCts46521 | Title: | crash in igmp process @ igmp_snoop_orib_fill_source_update |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom:
Cisco Nexus 5000 switches may experience a device reload after receiving certain IGMP packets. Successful exploitation may cause a reload of the affected device. Repeated exploitation could result in a sustained denial of service (DoS) condition.
Conditions: Cisco Nexus 5000 configured with IGMP snooping. An attacker needs to be Layer 2 adjacent in order to trigger this vulnerability.
Workaround: IGMP can be disabled as a workaround if not needed.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-1357 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.0(3)N2(1) |
|
Known Fixed Releases: | 5.1(3)N1(1), 7.2(0)ZN(0.111) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtr58428 | Title: | Command Injection vulnerability with the | section command |
|
Status: | Other |
|
Severity: | 2 Severe |
Description: * | Symptom: Cisco Nexus OS contains a vulnerability that could allow an authenticated, local attacker to execute arbitrary commands on a targeted device. The vulnerability is due to improper sanitization of user-supplied values to command line interface commands.
An authenticated, local attacker could exploit the vulnerability by issuing commands that contain malicious options on the device command line interface. If successful, the attacker could gain elevated privileges on the targeted device.
Conditions: Injection can be done via either the less or the section sub-command. Full details below:
----------------------------------------------------------------------
NX-OS - "less" sub-command - Command injection / sanitization issues.
----------------------------------------------------------------------
Affected Products:
==================
The following products are affected by this vulnerability:
+-----------------------------------------------------------------+
| Affected Product                  | Cisco Bug  | First Fixed    |
|                                   | ID         | Release        |
|-----------------------------------+------------+----------------|
| Cisco Nexus 7000 Series Switches  | CSCtf40008 | 4.2(6)         |
|                                   |            | 5.1(1)         |
|-----------------------------------+------------+----------------|
| Cisco Nexus 5000 Series Switches  | CSCtf40008 | 4.2(1)N2(1)    |
|-----------------------------------+------------+----------------|
| Cisco Nexus 2000 Series Switches  | CSCtf40008 | 4.1(1)N2(1)    |
|-----------------------------------+------------+----------------|
| Cisco Nexus 1000V Series Switches | CSCtf40008 | 4.2(1)SV1(5.1) |
|-----------------------------------+------------+----------------|
| Cisco MDS 9000 Software           | CSCtf40008 | 4.2(6)         |
|                                   |            | 5.1(1)         |
|-----------------------------------+------------+----------------|
| Cisco Unified Computing System    | CSCtg18363 | 1.3(1c)        |
|                                   |            | 1.4(1i)        |
+-----------------------------------------------------------------+
The following are not affected by the "less" sub-command command injection vulnerability:
* Cisco Nexus 3000 Series Switches
* Cisco Nexus 4000 Series Switches
-------------------------------------------------------------------------
NX-OS - "section" sub-command - Command injection / sanitization issues.
-------------------------------------------------------------------------
Affected Products:
==================
The following products are affected by this vulnerability:
+--------------------------------------------------------------+
| Affected Product                  | Cisco Bug  | First Fixed |
|                                   | ID         | Release     |
|-----------------------------------+------------+-------------|
| Cisco Nexus 7000 Series Switches  | CSCtr44645 | 5.2(1)      |
|-----------------------------------+------------+-------------|
| Cisco Nexus 5000 Series Switches  | CSCtr44645 | 5.1(3)N1(1) |
|-----------------------------------+------------+-------------|
| Cisco Nexus 3000 Series Switches  | CSCts10188 |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.0(3)N1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCte87709 | Title: | CDP with the long hostname crashes Nexus 5k |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: The mgmt port is connected to another switch with CDP enabled. When the N5k receives the first CDP packet, it crashes. When the N5k comes back up and receives another CDP packet, it crashes again. This happens repeatedly.
Conditions: It happens when the remote switch or router with CDP enabled has an extraordinarily LONG hostname.
Workaround: Disable CDP on the interface of the remote device to which the mgmt port is connected.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/6.1: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0 CVE ID CVE-2011-0360 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.1(3)N2(1a) |
|
Known Fixed Releases: | 4.2(1)N1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCto09813 | Title: | N5k: Remark in a ACL before a deny leaks traffic |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Summary A vulnerability exists in Cisco Nexus 5000 and 3000 Series Switches that may allow traffic to bypass deny statements in access control lists (ACLs) that are configured on the device.
Cisco has released free software updates that address this vulnerability.
A workaround is available to mitigate this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110907-nexus.shtml
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-2581 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.0(3)N1(1a) |
|
Known Fixed Releases: | 5.0(3)N2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtx66087 | Title: | CDP crashes when receiving malformed packet |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptoms: Cisco Nexus 1000, 3000, 4000, 5000, and 7000 switches as well as Cisco Unified Computing System Fabric Interconnect devices may restart after receiving malformed Cisco Discovery Protocol (CDP) Packets. An adjacent attacker, with the ability to submit malformed CDP traffic to an affected device could cause a denial of service condition while the device reloads or fails over to a redundant Supervisor card if so equipped.
Conditions: Cisco Nexus Switches running an affected version of NX-OS. Cisco Unified Computing System, Fabric Interconnect devices running an affected version of UCS Software.
Workaround: Disable CDP on the affected device; the CDP protocol is enabled by default.
NX-OS: no cdp enable
UCS: Add the 'disable cdp' command to all Network Control Policies
Further Problem Description: This issue was identified through internal hardening efforts on the NX-OS platform.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-1322 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.0(3)N2(2) |
|
Known Fixed Releases: | 5.1(3)N2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCte90364 | Title: | File System Access |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptoms: A vulnerability exists in NX-OS which allows an authenticated, local attacker to read or write arbitrary files in volatile storage. A successful exploit could allow the attacker to gain unauthorized access to sensitive files on the device, or to overwrite arbitrary files in volatile storage.
Conditions: Devices running affected versions of NX-OS are vulnerable.
Workaround: None
Further Problem Description: This issue was discovered in internal security testing and has been resolved in all current versions of affected software.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.2/4.3: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:P/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-4490 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.1(3)N2(1a) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtx54794 | Title: | Specific SNMP GET request causes 'vlan_mgr' to crash on Nexus switches |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptoms: Cisco Nexus 1000v, Nexus 3000, Nexus 5000, and Nexus 7000 devices contain a denial of service vulnerability within the SNMP subsystem. An authenticated, remote attacker could submit a request to an affected device designed to trigger a null pointer dereference error that results in a crash and reload of the affected device.
Conditions: Cisco Nexus 1000v, Nexus 3000, Nexus 5000, and Nexus 7000 devices running an affected version of Cisco NX-OS Software.
Workaround: None.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/6.5: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-4125 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.0(3)N2(2a) |
|
Known Fixed Releases: | 5.1(3)N2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtj62291 | Title: | Nexus 5000: switch reloaded upon [show vlan] |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom:
When an authenticated user issues the 'show vlan' command on the cli, the Nexus 5000 may crash and reload.
Conditions:
This issue may occur when more than 1000 VLANs and Virtual Ethernet Ports (VETH) have been configured on a device running affected software.
Workaround:
None.
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/4.0:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:O/RC:C&version=2.0
CVE ID CVE-2011-0370 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.2(1)N2(1) |
|
Known Fixed Releases: | 4.0(4)SV1(3c), 4.2(1)N2(1b), 4.2(7.96)S0, 5.0(2)N1(1), 5.0(5)S9, 5.0(6.7)S0, 5.1(1.57)S0 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuc19558 | Title: | RADIUS insufficient attribute length check |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: Cisco NXOS contains a vulnerability in the RADIUS authentication code.
Conditions: Malformed packets are returned from a RADIUS authentication server.
Workaround: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-6377 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Further Problem Description:
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.2(1)N1(1) |
|
Known Fixed Releases: | 6.0(2)N2(4.63), 6.0(2)N2(5) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCte62753 | Title: | Command Injection in admin CLI |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptoms: A vulnerability exists in affected versions of NX-OS which could allow an authenticated local attacker to inject shell commands. A successful exploit would allow an attacker to gain elevated privileges on the underlying operating system.
Conditions: Devices running affected versions of NX-OS are vulnerable.
Workaround: None
Further Problem Description: This issue was discovered in internal security testing and has been resolved in all current versions of affected software.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-4235 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.0(1a)N2(1), 4.1(3)N2(1a) |
|
Known Fixed Releases: | 4.2(1)N1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu13486 | Title: | Traffic issue in some vrf on setup with 100 vrf |
|
Status: * | Terminated |
|
Severity: | 2 Severe |
Description: * | Symptom: ASM multicast issue for some VRFs in a scaled setup.
Conditions: Seen when ASM traffic is started for 100 VRFs, each with 50 (S,G) entries.
Workaround: Do not start traffic for so many VRFs at the same time.
Further Problem Description:
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 7.2(0)N1(0.186) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCta72709 | Title: | Disabling IGMP snooping causes flood to all FEX port with trunk on FEX |
|
Status: | Terminated |
|
Severity: | 2 Severe |
Description: * | Symptom:
On Cisco Nexus 5000 Series switches with a Cisco Nexus 2000 Series Fabric Extenders (FEX) installed, unregistered IP multicast packets on one VLAN are forwarded to other VLANs where IGMP snooping is disabled.
Conditions:
1. The Cisco Nexus 5000 Series has a Nexus 2000 FEX installed.
2. There are multiple VLANs configured on the Nexus 2000 FEX.
3. IGMP snooping is disabled on the VLAN where the traffic is forwarded to.
Affects the following Nexus products with the Cisco Nexus 2000 FEX installed:
* Cisco Nexus 5548P Switch prior to integration of Cisco Bug ID CSCtk03738.
* Cisco Nexus 5020 Switch, all versions. Currently no plan to address on 5020 platforms.
* Cisco Nexus 5010 Switch, all versions. Currently no plan to address on 5010 platforms.
Workaround:
Several potential workarounds exist for this vulnerability:
* Static IGMP entries
Enable IGMP snooping, then use static IGMP entries to add the multicast receiver to the switch MAC table if the host is unable to send IGMP group membership reports.
* Single VLAN per FEX
Ensure that trunking is disabled for the FEX uplink port and that a single VLAN is assigned to the FEX.
* Upgrade end host applications
Upgrade the host application to support the IGMP protocol so it can automatically send IGMP join/leave reports without static configuration on the switch.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/3.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2011-0397 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.1(3)N1(0.185) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu03271 | Title: | Module/FEX gets into failure state with the NF Errors |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: The messages 'nfp: ACL abort fails' or 'nfp: ACL commit fails' appear on the console multiple times. This may be followed by FEX modules going offline.
Conditions: ISSU of n6000 with netflow feature enabled from 7.2(0)N1(1) to a higher release version can cause this issue. Reload of a 7.2(0)N1(1) n6000 with netflow feature enabled also can cause this issue very rarely.
Workaround: To avoid the issue, please remove netflow feature and configure it again once the ISSU or reload is done.
Further Problem Description:
|
|
Last Modified: | 13-AUG-2015 |
|
Known Affected Releases: | 7.2(0)N1(0.170) |
|
Known Fixed Releases: * | 7.2(1)N1(0.282), 7.2(1)N1(1), 7.2(1)ZN(0.46) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur14826 | Title: | WRL 5: GNU Bourne Shell "Shellshock" Vulnerability for kernel migration |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: The following Cisco products with NXOS: N7K include a version of Bash that may be affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:
CVE-2014-6271 CVE-2014-6277 CVE-2014-6278 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
Conditions: Not applicable
Workaround: Not applicable
Further Problem Description: Additional details about those vulnerabilities can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has evaluated those issues and they do not meet the criteria for PSIRT ownership or involvement. Those issues will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of those issues, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 0.1 |
|
Known Fixed Releases: * | 7.0(0)FFW(0.11), 7.0(0)HSK(0.509), 7.0(0)KM(0.87) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv07607 | Title: | N5k/N6k - No login possible to device when root directory is full |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: N5k/N6k switches may not be accessible remotely or locally because no space is available in the root directory. Authentication fails both remotely and locally when this happens, even though the issue is not with the credentials. The following error message may appear on the Syslog server:
%DAEMON-3-SYSTEM_MSG: Unable to create temporary user xxxxxxxx. Error 0x404a000a (16777216)
Conditions: The issue is seen when debugs are enabled without being redirected to a logfile. The debugs are then automatically redirected to the "startupdebug" file, which can grow to consume all the space available in the root directory.
Debugs are currently persistent: they still exist after a reload and keep filling up the startupdebug file. Once the root directory runs out of space, no further login to the box is possible.
- "dir log:" can be used to check for the startupdebug file
- "show debug" shows the active debugs running
Workaround: Disable debugs and do not leave them running indefinitely. Use debug logfile <> to redirect debug output to a non-system file; this file is limited to 4MB and is overwritten once full.
If you hit these symptoms, check "show debug" to see whether debugs are enabled and, if so, disable them.
Further Problem Description: Even with debug logfile <> configured while debugs are running, the debugs can persist after a reload and are then written to the startupdebug file. Traffic forwarded through the switch and the control plane are not impacted; only login to the switch is not possible.
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 7.0(5)N1(1a), 7.1(1)N1(1) |
|
Known Fixed Releases: * | 7.0(7)N1(0.292), 7.0(7)N1(1), 7.0(7)ZN(0.187), 7.1(3)N1(0.608), 7.1(3)N1(1), 7.1(3)ZN(0.13), 7.2(1)N1(0.265), 7.2(1)N1(1), 7.2(1)ZN(0.29) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv67865 | Title: | IBM: Switch port in "Link not Connected" state with Aix 7.1 host |
|
Status: | Other |
|
Severity: | 2 Severe |
Description: | Symptom: After an upgrade to NX-OS 7.0(6)N1(1) or 7.1(1)N1(1) or 7.2(0)N1(1), interfaces on Nexus 5548P and N55-M16P module might go down or start flapping. It could be few days after the upgrade before they can go down or start flapping.
Conditions: Seen on the Nexus 5548P or the 16P Gigabit Ethernet Module N55-M16P after an upgrade to NX-OS 7.0(6)N1(1) or 7.1(1)N1(1) or 7.2(0)N1(1). This bug does not apply to the Nexus 5548UP, Nexus 6000/5600 or N55-M16UP GEM.
Workaround: Once the switch is in this state, it will need to be reloaded to recover. However, after an upgrade or reload, the following debug command can be enabled to avoid running into this issue:
debug hardware internal carmel dom-thread disable
Note that the command is not saved in NVRAM and needs to be applied on subsequent reloads. An EEM script can be used to automatically configure this after reloads:
event manager applet dom-disable
  event syslog pattern "MOD_STATUS_ONLINE"
  action 1 cli debug hardware internal carmel dom-thread disable
  action 2 syslog priority alerts msg Disabling DOM monitoring
Prior to upgrading the switch to a fixed NX-OS version, remove the EEM script from the running configuration.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.2(0)N1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv15524 | Title: | Unable to bring UP FC interface between N5K & MDS |
|
Status: | Other |
|
Severity: | 2 Severe |
Description: | Symptom: Some of the Fibre Channel interfaces on a N55-M16UP module are error disabled (port reinit limit reached) after reloading of the N5K switch.
Conditions: These are the conditions that could introduce the problem: (1) upgrade from NX-OS 5.2(1)N1(5) to 6.0(2)N2(3), and (2) reload of the N55-M16UP.
Check the following commands to verify whether you are hitting the bug:
N5K-TEMP# show platform afm errors | i "afm_module_inserted"
N5K-TEMP# show platform afm errors | i "ERROR: Label allocation"
Workaround: No Workaround
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.0(2)N2(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo02240 | Title: | N5K carmelusd core |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Nexus 5500 switch crash due to carmelusd hap reset. There is a memory leak from Carmel USD driver.
Conditions: a) Apply and remove HIF storm policer configuration to HIF interface b) Apply HIF storm policer configuration and flap HIF interfaces
Workaround: None.
Further Problem Description: An AVL tree is used to add HIF storm policer information to the Carmel/Bigsur database when the user applies a HIF storm policer to a HIF interface. Memory allocated for the HIF storm policer is not properly deallocated when the HIF policer is deleted from the AVL tree: 280 bytes of heap memory are leaked each time a HIF storm policer is removed from an interface.
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.0(2)N2(3), 7.0(6)N1(1.6), 7.2(0)N1(0.192) |
|
Known Fixed Releases: * | 7.0(6)N1(1.8), 7.0(6)N1(2s), 7.0(7)N1(0.293), 7.0(7)N1(1), 7.0(7)ZN(0.188), 7.1(3)N1(0.608), 7.1(3)N1(1), 7.1(3)ZN(0.13), 7.2(1)N1(0.287), 7.2(1)N1(1) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuh30885 | Title: | CTS:RBACL Update and Programming Fails in Certain Scenarios. |
Status: | Fixed |
Severity: | 2 Severe |
Description: | Symptom: RBACL SGT/DGT programming fails under certain conditions.
Conditions: When cells corresponding to different DGTs are downloaded, or many cells (>10) for the same DGT are downloaded from ISE, with RBACL enforcement enabled on VLANs.
Workaround: Disable/enable feature cts and reconfigure cts.
More Info: The higher the number of SGT/DGT pairs downloaded and the number of VLANs on which RBACL enforcement is enabled, the more likely the issue is to be hit.
Last Modified: | 20-AUG-2015 |
Known Affected Releases: | 6.0(2)N2(0.137) |
Known Fixed Releases: | 6.0(2)N3(0.73), 6.0(2)N3(1), 7.0(0)N1(1.3), 7.0(0)N1(2), 7.0(0)ZN(1.2), 7.1(0)ZN(0.183) |

Alert Type: | Updated * |
Bug Id: | CSCtx97987 | Title: | IP-connectivity broken with /30-subnets between 6500 and N5K in vpc |
Status: | Fixed |
Severity: | 2 Severe |
Description: * | Symptom: In a triangular setup connecting a 6500 (possibly any switch) to a pair of N5500 in vPC with an L3 module. One physical connection goes to each N5K, forming a port-channel on the 6500 and a vPC port-channel on the N5Ks.

             ______N5K-Sec
            /
  6500 ||
            \______N5K-Pri

We create one VLAN per logical connection:
6500<->N5K-Pri
6500<->N5K-Sec
N5K-Pri<->N5K-Sec (over the peer link)
So we enable 2 VLANs on the port-channel and 3 on the vPC peer-link.
Conditions: 5.0(3)N1(1c), 5.1(3)N1(1). When using /30 addresses, MAC learning was found not to work fully from N5K-Pri to N5K-Sec when EtherChannel load-balancing on the 6500 chooses the physical link to N5K-Pri to reach the SVI on N5K-Sec: the MAC address of the SVI on the 6500 does not get learned on N5K-Sec.
Workaround: When /29 addresses are used, this problem is not present.
Further Problem Description:
Last Modified: | 26-AUG-2015 |
Known Affected Releases: | 5.0(3)N1(1c), 5.1(3)N1(1) |
Known Fixed Releases: | |

Alert Type: | Updated * |
Bug Id: | CSCuc26047 | Title: | Nexus 5k/6k reset due to Kernel Panic |
Status: | Fixed |
Severity: | 2 Severe |
Description: * | Symptom: A Nexus 5000/6000 switch will reset with a kernel panic. The process seen when the kernel panic occurs can vary and is not specific to any particular service. If this issue is suspected, collect the output of 'show logging onboard stack-trace' and contact TAC to verify this.
Conditions: This has been seen on the N5K/N6K platform. There are no specific conditions known to trigger the problem currently.
Workaround: None at this time.
Further Problem Description:
Last Modified: | 26-AUG-2015 |
Known Affected Releases: | 5.0(3)N2(2b), 5.2(1)N1(3), 6.0(2)N2(2) |
Known Fixed Releases: | 5.2(1)N1(7.132), 5.2(1)N1(8), 6.0(2)N2(5.85), 6.0(2)N2(6), 7.0(1)ZN(0.716), 7.0(6)N1(0.219), 7.0(6)N1(1), 7.1(0)N1(0.309), 7.1(0)N1(1), 7.1(0)ZN(0.395) |

Alert Type: | Updated * |
Bug Id: | CSCuv59999 | Title: | vlan_mgr Memory Leak on VLAN Addition/Removal |
Status: | Fixed |
Severity: | 2 Severe |
Description: | Symptom: Memory leak under the allocators "VLAN_MGR_MEM_vlan_port_affected_notif_p" and "VLAN_MGR_MEM_if_info_t" in the output of "show vlan internal mem-stats detail".
Conditions: Seems to occur when allocating VLANs in "mode fabric"; the specific triggers and prerequisite conditions are still being narrowed down.
Workaround: No known workaround to prevent the leak. A reload will clear any leaked memory on the switch.
Further Problem Description:
Last Modified: | 28-AUG-2015 |
Known Affected Releases: | 7.0(5)N1(1) |
Known Fixed Releases: * | 7.0(7)N1(0.296), 7.0(7)N1(1), 7.0(7)ZN(0.198), 7.1(3)N1(0.616), 7.1(3)N1(1), 7.1(3)ZN(0.22), 7.2(1)N1(0.293), 7.2(1)N1(1), 7.2(1)ZN(0.57) |

Alert Type: | Updated * |
Bug Id: | CSCuv92830 | Title: | RADIUS login only assigned network-operator role |
Status: | Fixed |
Severity: | 2 Severe |
Description: * | Symptom: A previously working AAA-authenticated user who is configured for non-network-operator privileges (such as network-admin) receives only network-operator privileges. This user is no longer able to configure the switch via CLI or SNMP.
The CLI user will show as having the 'network-operator' role:
switch# show user-account fieldsupport
user:fieldsupport
roles:network-operator
Also, if the SNMP user exists, it will show as having the 'network-operator' role:
switch# show snmp user fieldsupport
______________________________________________________________
SNMP USERS
______________________________________________________________
User            Auth   Priv(enforce)   Groups
____            ____   _____________   ______
fieldsupport    md5    des(no)         network-operator
Conditions: This issue only affects logins that meet all of the following conditions:
1) are authenticated remotely via RADIUS
2) have multiple Vendor Specific Attributes (VSAs) defined as a single Cisco-AVPair, e.g., shell and SNMP version 3 settings:
shell:roles="operations-user fieldsupport" snmpv3:auth=SHA priv=AES-128
This issue does not occur if the 'shell:roles' VSA is defined alone (even with multiple roles assigned).
Workaround: On the AAA server, create a separate RADIUS policy for these users that splits the Cisco-AVPairs into true attribute pairs, e.g.:
Cisco-AVPair #1: shell:roles="operations-user fieldsupport"
Cisco-AVPair #2: snmpv3:auth=SHA priv=AES-128
Assign this policy conditionally on the requesting RADIUS client IP address (i.e., the switch mgmt0 IP address).
If the RADIUS server does not support conditional assignment of policies by RADIUS client IP address, an alternate method is possible. Create a local user on the switch with a local role assignment, which will override the remotely supplied role, using the following commands:
switch(config)# no username
switch(config)# username password ! role fieldsupport
Further Problem Description:
Last Modified: | 31-AUG-2015 |
Known Affected Releases: | 7.2(1)N1(0.1) |
Known Fixed Releases: | |

Alert Type: | Updated * |
Bug Id: | CSCuu14439 | Title: | DFE Tuning: Servers not Sending Traffic after Microflap |
Status: | Fixed |
Severity: | 2 Severe |
Description: * | Symptom: The switch doesn't see traffic from the server. The server doesn't receive anything from the switch (including broadcasts):
Ethernet1/45 is up
  RX
    0 unicast packets  0 multicast packets  0 broadcast packets
    0 input packets  0 bytes
  TX
    0 unicast packets  10613 multicast packets  0 broadcast packets
    10613 output packets  1152256 bytes
Conditions:
- Nexus 55xxUP
- Microflap occurred
Workaround: Flap the interface by issuing a 'shut / no shut'.
Further Problem Description: CSCuj86736 was implemented in earlier code to restart DFE tuning if link faults are seen and disappear within the debounce timeout. In this case the link status remains UP if the link recovers within the link debounce timeout.
In rare cases where DFE tuning is not successful, the Nexus 55xxUP ASIC sends remote faults to the server. Per the IEEE standards, the server will not send any data packets to the switch while these faults are being received, which is why the packet counters do not increase. In 7.0(7)N1(1) and later code, the Nexus 55xxUP identifies this scenario and forces the interface to flap.
Last Modified: | 31-AUG-2015 |
Known Affected Releases: | 7.0(5)N1(1) |
Known Fixed Releases: | 7.0(7)N1(0.297), 7.0(7)N1(1), 7.0(7)ZN(0.200) |

Alert Type: | New |
Bug Id: | CSCuu48350 | Title: | Nexus5k: configuration lines missing after the NX-OS upgrade |
Status: | Fixed |
Severity: | 3 Moderate |
Description: | Symptom: On a Cisco Nexus 5000 (N5K), when the user tries to create a user with a specific role, an error of the form "usermod: user does not exist" is returned.
Conditions: Cisco Nexus devices running an affected version of NX-OS software.
Workaround: None.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: | 05-AUG-2015 |
Known Affected Releases: | 7.0(3)N1(0.28), 7.1(2)N1(0.528), 7.2(1)N1(0.5) |
Known Fixed Releases: | 7.0(7)ZN(0.122), 7.1(2)N1(0.567), 7.1(2)N1(1), 7.1(2)ZN(0.27), 7.2(1)N1(0.28), 7.2(1)N1(1), 7.3(0)N1(1) |

Alert Type: | Updated * |
Bug Id: | CSCur31350 | Title: | Multiple Vulnerabilities in OpenSSL - August 2014 |
Status: | Fixed |
Severity: | 3 Moderate |
Description: | Symptom: This product includes a version of SSL that is affected by the vulnerabilities identified by the Common Vulnerabilities and Exposures (CVE) IDs:
CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3508 CVE-2014-3510
CVE-2014-3566 (POODLE)
This bug has been opened to address the potential impact on this product.
Conditions: The POODLE security issue CVE-2014-3566 exists if LDAP is configured as part of the DFA configuration, for example:
fabric database type network server protocol ldap ip 10.95.126.166 vrf management
or if onep is configured with the "transport type tls ..." option, or with a vmtracker configuration.
Workaround:
1. Avoid any "fabric database" configuration with the keyword "enable-ssl". For example: fabric database type network server protocol ldap ip 172.29.21.2 enable-ssl
2. Make sure the 'secure LDAP' option is unchecked when defining the POAP template on DCNM.
3. Do not use onep.
Further Problem Description: A POODLE attack requires a man-in-the-middle position between the Nexus 5000/6000 switch (the LDAP client) and the LDAP server. It would also require a protocol downgrade attack since, by default, the Nexus 5000/6000 uses the TLS protocol.
Current schedule for the fix:
- 7.1(1)N1(1) March or early April 2015 (was postponed from Feb 2015)
- 7.2 release April 2015
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 2.6/2.5
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco product.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Last Modified: | 31-AUG-2015 |
Known Affected Releases: | 6.0(2)N3(0.91), 7.2(0)VX(0.9), 7.2(0.1)PR(0.1), 9.4(1)N1(6.8) |
Known Fixed Releases: * | 5.2(1)N1(9), 6.0(2)N2(7), 7.0(7)N1(1), 7.1(2)N1(1), 7.2(1)N1(1) |

Alert Type: | Updated * |
Bug Id: | CSCtu10585 | Title: | CDP memory leak on device id |
Status: | Fixed |
Severity: | 3 Moderate |
Description: * | Symptoms: Cisco Nexus devices contain a memory leak vulnerability. An unauthenticated, adjacent attacker can trigger a 1 byte memory leak by submitting a maliciously crafted CDP packet to the affected device.
Conditions: Cisco Nexus devices running an affected version of NX-OS Software.
Workaround: If CDP is not required, disabling it is an effective mitigation for this issue.
Further Problem Description: This issue was identified during an internal security audit of Cisco Nexus and related devices.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/2.7: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: | 06-AUG-2015 |
Known Affected Releases: | 5.0(3)N2(2) |
Known Fixed Releases: | 5.1(3)N1(1) |

Alert Type: | Updated * |
Bug Id: | CSCua39143 | Title: | Command injection with SSH keypair functionality |
Status: | Fixed |
Severity: | 3 Moderate |
Description: * | Symptoms: Cisco Nexus devices contain a local command injection vulnerability within the SSH key generation configuration commands of the CLI. An authenticated, local attacker could inject commands that are subsequently executed on the underlying operating system with elevated privileges.
The vulnerability exists due to a failure to properly sanitize all user-supplied input prior to using it to execute commands on the underlying operating system. An attacker with administrative-level privileges on an affected device could inject arbitrary commands that are then executed on the underlying operating system with elevated privileges.
Conditions: Cisco Nexus devices running an affected version of Cisco NX-OS software.
Workaround: None.
Further Problem Description: This vulnerability can only be exploited by an administrator with sufficient privileges to execute the affected commands.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-4139 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: | 06-AUG-2015 |
Known Affected Releases: | 5.1(3)N2(1) |
Known Fixed Releases: | 6.0(2)N1(1) |

Alert Type: | New |
Bug Id: | CSCuj46729 | Title: | tac-pac not vrf aware on N5K |
Status: | Fixed |
Severity: | 3 Moderate |
Description: | Symptom: There is no option to specify a VRF name when running the tac-pac command.
Conditions: N/A
Workaround: N/A
Further Problem Description: Enhancement
Last Modified: | 31-AUG-2015 |
Known Affected Releases: | 5.2(1)N1(5) |
Known Fixed Releases: | 7.0(0)N1(1) |

Alert Type: | New |
Bug Id: | CSCua08693 | Title: | Incorrect PFC Operational mode after reload |
Status: | Other |
Severity: | 3 Moderate |
Description: | Symptom: On a Nexus 5000/5500 switch, after upgrading the NX-OS release to 5.1.3.N2.1, PFC is no longer enabled on the ports.
This is the symptom of the problem:
lct-n5kup# sh int priority-flow-control
============================================================
Port               Mode Oper(VL bmap)  RxPPP      TxPPP
============================================================
Ethernet1/1        Auto On  (8)        0          0
After updating to version 5.1(3)N1(1), the port never sets PFC to On:
ct-n5kup(config-if)# sh int priority-flow-control
============================================================
Port               Mode Oper(VL bmap)  RxPPP      TxPPP
============================================================
Ethernet1/1        Auto Off            0          0
Conditions: Nexus 5000/5500 switch running the 5.1.3.N2.1 release
Workaround: Downgrade to NX-OS release 5.0.3.N2.2b or earlier
Further Problem Description: Bug Fix:
Last Modified: | 31-AUG-2015 |
Known Affected Releases: | 5.1(3)N2(1) |
Known Fixed Releases: | |

Alert Type: | Updated * |
Bug Id: | CSCuu27754 | Title: | N55xx "reload power-cycle" is not resetting ADM |
Status: | Fixed |
Severity: | 3 Moderate |
Description: | Symptom: N55xx "reload power-cycle" is not resetting ADM
Conditions: Execute "reload power-cycle"
Workaround: Manually power cycle the switch
Further Problem Description:
Last Modified: | 28-AUG-2015 |
Known Affected Releases: | 6.0(2)N2(6), 7.1(1)N1(1) |
Known Fixed Releases: * | 7.1(3)N1(0.616), 7.1(3)N1(1), 7.1(3)ZN(0.22) |

Alert Type: | Updated * |
Bug Id: | CSCur18043 | Title: | N6K "ntp access-group peer" won't show up in running config |
Status: | Fixed |
Severity: | 3 Moderate |
Description: | Symptom: "ntp access-group peer" won't show up in the running config if "ntp access-group serve-only" is configured
Conditions: "show run ntp" shows both "ntp access-group peer " and "ntp access-group serve-only", but "ntp access-group peer " is missing from the general show run
Workaround: show run ntp
Further Problem Description:
Last Modified: | 28-AUG-2015 |
Known Affected Releases: | 7.1(1)N1(0.444) |
Known Fixed Releases: * | 7.0(7)ZN(0.108), 7.1(2)N1(0.554), 7.1(2)N1(1), 7.1(2)ZD(0.10), 7.1(2)ZN(0.13), 7.2(1)D1(0.65), 7.2(1)N1(0.294), 7.2(1)N1(1), 7.2(1)ZD(0.57), 7.2(1)ZN(0.58) |

Alert Type: | Updated * |
Bug Id: | CSCun16332 | Title: | Nexus2232PP FEX hangs when 1G optics are present in certain host ports |
Status: * | Terminated |
Severity: | 3 Moderate |
Description: * | Symptom: A Nexus 2232 FEX with 1G optics inserted in host ports prior to bringing the FEX online hangs. As a result, the FEX fabric interfaces on the parent Nexus 5000, 6000 or 7000 switch do not come up, so the FEX fails to download its image and come online.
Conditions: A Nexus 2232 FEX which has 1G optics inserted in host ports prior to it associating with a parent Nexus 5000, 6000 or 7000 switch.
Workaround: Remove all 1G optics from the host interfaces and then connect the FEX uplinks to the parent Nexus 5000, 6000 or 7000 switch. After the FEX comes online, the 1G optics can be put back into the host ports.
Further Problem Description:
Last Modified: | 27-AUG-2015 |
Known Affected Releases: | 7.0(0)N1(1) |
Known Fixed Releases: | |

Alert Type: | New |
Bug Id: | CSCuj36247 | Title: | 5-7 seconds traffic convergence upon vPC+ switch recovers from a reload |
Status: | Other |
Severity: | 3 Moderate |
Description: | Symptom: When one of the vPC+ peer switches is recovering from a reload, 5-7 seconds of traffic re-convergence was observed. Traffic loss starts soon after the FabricPath adjacency has been re-established but before vPC+ has been re-established.
Conditions: Spine nodes are N7K and leaf nodes are N5K vPC+ peers. N2K FEXs are connected to the parent N5K switches. Bidirectional Layer 2 and Layer 3 traffic is sent and received between leaf nodes.
Workaround: None
Further Problem Description:
Last Modified: | 27-AUG-2015 |
Known Affected Releases: | 5.2(1)N1(5) |
Known Fixed Releases: | |

Alert Type: | Updated * |
Bug Id: | CSCum17923 | Title: | N5k should not send ELS_RSCN upon mgmt port changes on a connected MDS |
Status: | Fixed |
Severity: | 3 Moderate |
Description: | Symptom: In a scenario like the following:
mds ------- n5k ------ end device
when you make config changes on int mgmt0 of the MDS switch, the MDS sends a SW_RSCN to the N5K and the N5K in turn sends an ELS_RSCN to end devices. That ELS_RSCN may trigger a logout of the end device from the fabric.
Also, when the mgmt port of the N5K itself changes, the N5K sends ELS_RSCNs to end devices, which again may trigger a logout from the fabric.
Conditions: N5K is in switching mode (non-NPV mode).
Workaround: None.
Further Problem Description: This bug is to modify the behavior of the N5K in the scenario above. In particular:
a. the N5K should not send ELS_RSCNs to end devices when receiving a SW_RSCN from a connected MDS switch that sent it because its mgmt port was changed
b. there should be a knob on the N5K to enable or disable sending ELS_RSCNs to end devices when the mgmt port of the N5K itself changes, something like what was introduced on the MDS platform recently:
# configuration terminal
(config)# [no] rscn permit type nport event switch-config [vsan ]
Last Modified: | 27-AUG-2015 |
Known Affected Releases: | 5.2(1)N1(6), 6.0(2)N2(1) |
Known Fixed Releases: * | 7.1(3)N1(0.615), 7.1(3)N1(1), 7.1(3)ZN(0.21), 7.3(0)BZN(0.7), 7.3(0)N1(0.45), 7.3(0)N1(1), 7.3(0)ZN(0.50) |

Alert Type: | Updated * |
Bug Id: | CSCty07159 | Title: | tar CLI command allows arbitrary file access |
Status: | Fixed |
Severity: | 3 Moderate |
Description: * | Cisco NX-OS software contains a directory traversal vulnerability within the command line interface that could allow a local, authenticated attacker to access arbitrary files on the device. An attacker could leverage the 'tar' command to read files by archiving the file to a location from which they can directly access the file contents. The 'tar' command can also be used to un-archive a user-created file to any location in the filesystem, thus creating or overwriting arbitrary files.
The following Cisco Nexus devices are affected:
Cisco Nexus 7000 Series
Cisco Nexus 5000 Series
Cisco Nexus 3000 Series
Cisco Nexus 1000V Series
Conditions: Device is running an affected version of Cisco NX-OS software.
Workaround: Restrict access to trusted users.
Further Problem Description: This issue was discovered during internal testing by Cisco.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 4.3/4.1 http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-4131 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4131
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: | 06-AUG-2015 |
Known Affected Releases: | 5.0(3)N2(2a) |
Known Fixed Releases: | 6.0(2)N1(1) |

Alert Type: | Updated * |
Bug Id: | CSCts56664 | Title: | Command injection vulnerability in NX-OS 'ethanalyzer' command |
Status: | Fixed |
Severity: | 3 Moderate |
Description: * | Symptom: Cisco Nexus 5000 series and Cisco Unified Computing System fabric interconnect devices contain a command injection vulnerability. This issue could allow a local, authenticated attacker to execute commands on the underlying operating system with elevated privileges.
The issue exists when parsing user-supplied input passed to the ethanalyzer command.
The following NX-OS based products are affected:
Nexus 5000
Cisco Unified Computing System Fabric Interconnect devices
Conditions: Cisco Nexus and UCS Fabric Interconnect devices running an affected version of NX-OS software.
Workaround: Restrict access to trusted users only.
Further Problem Description: This issue was identified during an internal security audit of Cisco Nexus and UCS devices.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-4103 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4103
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: | 06-AUG-2015 |
Known Affected Releases: | 5.0(3)N2(1) |
Known Fixed Releases: | |

Alert Type: | Updated * |
Bug Id: | CSCtx83729 | Title: | CDP memory leak on repeated TLVs |
Status: | Other |
Severity: | 3 Moderate |
Description: * | Symptoms: Cisco Nexus 1000, 3000, 4000, 5000, and 7000 switches may leak memory when processing malformed Cisco Discovery Protocol (CDP) packets; this can lead to an eventual reload of the switch. An adjacent attacker with the ability to submit malformed CDP traffic to an affected device could cause a denial of service condition while the device reloads or fails over to a redundant Supervisor card, if so equipped.
Conditions: Cisco Nexus switches running an affected version of NX-OS.
Workaround: Disable CDP on the affected device; the CDP protocol is enabled by default.
NX-OS: no cdp enable
Further Problem Description: This issue was identified through internal hardening efforts on the NX-OS platform.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.7/4.8: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-1323 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: | 06-AUG-2015 |
Known Affected Releases: | 5.0(3)N2(2b) |
Known Fixed Releases: | |

Alert Type: | Updated * |
Bug Id: | CSCua71557 | Title: | CLI file redirection write vulnerability |
Status: | Fixed |
Severity: | 3 Moderate |
Description: * | Symptoms: Cisco Nexus 7000 and Nexus 5000 devices contain a local arbitrary write redirection issue. This vulnerability could allow a local, authenticated attacker to create files in any location they may have access to. This could allow them to write malicious script files into locations that may later be inadvertently accessed by an administrator.
Conditions: Cisco Nexus devices running an affected version of NXOS Software.
Workaround: Conditions: Cisco Nexus devices running an affected version of NXOS Software.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.6/3.8: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:N/I:C/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-4141 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4141
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: | 06-AUG-2015 |
Known Affected Releases: | 5.0(3)N2(2b) |
Known Fixed Releases: | 6.0(2)A1(1), 6.0(2)N1(1), 6.0(2)U1(1), 9.3(1)ZD4.8, 9.3(1)ZE1.2, 9.3(1)ZM0.80 |

Alert Type: | Updated * |
Bug Id: | CSCte90384 | Title: | NX-OS arbitrary command injection in admin CLI |
Status: | Fixed |
Severity: | 3 Moderate |
Description: * | Symptoms: A vulnerability exists in NX-OS which can allow an authenticated, local attacker to execute arbitrary commands on an affected system. A successful exploit would allow an attacker to gain unauthorized access to the underlying operating system.
Conditions: Devices running affected versions of NX-OS software are vulnerable.
Workaround: None
Further Problem Description: This issue was discovered in internal security testing and has been resolved in all current versions of affected software.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-4240 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: | 06-AUG-2015 |
Known Affected Releases: | 4.1(3)N2(1a) |
Known Fixed Releases: | 4.2(1)N1(1) |

Alert Type: | Updated * |
Bug Id: | CSCtn87115 | Title: | Nexus 5000: 5.0(3)N1(1a) show queuing interface might crash the switch |
Status: | Fixed |
Severity: | 3 Moderate |
Description: * | Symptom: A Nexus 5000 switch running 5.0(3)N1(a) with a N5K-M1060 FC expansion module installed and feature fcoe enabled might crash when the command show queuing interface or show queuing interface fcx/y is issued.
Conditions: The switch has a N5K-M1060 FC expansion module and feature fcoe is enabled.
Workaround: Do not issue the above commands; use the command show queuing interface Ethernet 1/x instead.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.4/3.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-0965 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: | 06-AUG-2015 |
Known Affected Releases: | 5.0(3)N1(1a) |
Known Fixed Releases: | 5.0(3)N1(1b) |

Alert Type: | Updated * |
Bug Id: | CSCtr76417 | Title: | memory leak in port profile (ppm) process associated with libavl() |
Status: | Fixed |
Severity: | 3 Moderate |
Description: * | Symptom: Memory leak seen in the port profile (ppm) process associated with libavl(). The PPM process will crash and the system will reload once MemAlloc reaches 250 MB.
Conditions: When the switch has a switch-profile configured with at least one command and a 'show running', 'show running switch-profile' or 'show running diff' command is executed.
Workaround:
1. Do not configure switch-profile.
2. Have a planned reload of the box when MemAlloc gets close to 250 MB. Check the memory used by the ppm process using show process memory | grep port-profile. If either MemAlloc or RSS Memory is close to 250 MB, the system should be reloaded.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.8/2.3: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:M/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: | 06-AUG-2015 |
Known Affected Releases: | 5.0(3)N2(1) |
Known Fixed Releases: | 5.0(3)N2(2), 9.9(0)BS(0.13) |

Alert Type: | Updated * |
Bug Id: | CSCur04684 | Title: | RX CRC errors on Nexus L3 (routed) interface |
Status: * | Terminated |
Severity: | 3 Moderate |
Description: * | Symptom: CRC errors are observed on TX of an L3 interface on the N5K and on RX of the upstream device.
The same number of CRC errors and giants is observed on RX of the upstream device's L3 interface. The same number of CRC errors and jumbo frames is observed on TX of the N5K L3 interface.
Conditions: Possibly Nexus 5K with a routed interface (no switchport) configured and jumbo MTU QoS config applied.
Workaround: Unknown at the moment
Further Problem Description:
Last Modified: | 11-AUG-2015 |
Known Affected Releases: | 5.1(3)N2(1c) |
Known Fixed Releases: | |

Alert Type: | Updated * |
Bug Id: | CSCuo01637 | Title: | Nexus5k : Network-operator role can view sensitive configuration |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom:
Cisco Nexus devices contain an information disclosure issue that could allow an authenticated, local attacker to gain access to sensitive information. The affected devices do not perform sufficient sanitization of configuration files when they are viewed by a user that has been assigned the Network- Operator role. This could allow an attacker to gain access to the password hashes of locally configured users.
Conditions:
Cisco Nexus devices running an affected version of NXOS software.
Workaround:
Restrict access to trusted users only.
Further Problem Description:
None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-4090 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4090
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 5.2(1)N1(7) |
|
Known Fixed Releases: | 5.2(1)N1(7.131), 5.2(1)N1(8), 6.0(2)N2(4.70), 6.0(2)N2(5), 7.0(7)ZN(0.108), 7.1(0)N1(0.212), 7.1(0)N1(1), 7.1(0)ZN(0.315), 7.2(0)ZN(0.93) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuh15128 | Title: | POE is not supported on Nexus 5000 or 5500 switches |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Hi,
Removed POE instances from the document as mentioned in the bug. Updated doc URL for reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/b_Cisco_Nexus_5000_Series_NX-OS_.html
Thanks and regards, Vanitha
Symptom:
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 5.1(3)N1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv68924 | Title: | Nexus 56128P rlir hap reset during ISSU |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: Switch reset during ISSU upgrade from 7.1(0)N1(1b) to 7.1(1)N1(1).
%$ VDC-1 %$ %USER-2-SYSTEM_MSG: CLIS: loading cmd files begin - clis
%$ VDC-1 %$ %RLIR-2-PSS_FAILED: RLIR PSS operation failed: Open failed for RLIR runtime context: No such file or directory
%$ VDC-1 %$ %RLIR-2-INIT_FAILED: RLIR Init failed: Unable to initialize PSS
%$ VDC-1 %$ %RSCN-2-PSS_FAILED: RSCN PSS operation failed: Open failed for SCR Table: No such file or directory
%$ VDC-1 %$ %RSCN-2-INIT_FAILED: RSCN Init failed: Unable to initialize PSS
%$ VDC-1 %$ %FCDOMAIN-2-EPORT_ISOLATED: %$VSAN 11%$ Isolation of interface san-port-channel 19 (reason: other side Eport indicates isolation)
%$ VDC-1 %$ %FCDOMAIN-2-EPORT_ISOLATED: %$VSAN 13%$ Isolation of interface san-port-channel 19 (reason: other side Eport indicates isolation)
%$ VDC-1 %$ %USER-2-SYSTEM_MSG: CLIS: loading cmd files end - clis
%$ VDC-1 %$ %USER-2-SYSTEM_MSG: CLIS: init begin - clis
[ 79.888078] Shutdown Ports..
[ 79.922428] writing reset reason 16, rlir hap reset
Reason: Reset triggered due to HA policy of Reset
System version: 7.1(1)N1(1)
Service: rlir hap reset
Conditions: Not all the conditions are known at this time. This problem has been observed on the Cisco Nexus 56128P.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 7.1(0)N1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj86736 | Title: | Need to optimize DFE tuning in 55xxUP series switches - RX CRC Errors |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: Ingress CRCs seen on Nexus 55xxUP switches when using twinax cabling.
Conditions: Nexus 55xx. May occur after rapid link flaps.
Workaround: shut/no shut the interface experiencing this issue. May require several repetitions.
Further Problem Description: This problem can be verified from the Carmel ASIC eye measurements on Nexus 5500 series switches.
Nexus# show hardware internal carmel eye
+-------+------------+-------------+------------+----------------------------+--+--+--+--+--+--+--+--+--+--+
| Port | Eye Height | Eye Width | Raw values | Time measured |St|20|21|22|23|24|25|26|2E|2F|
+-------+------------+-------------+------------+----------------------------+--+--+--+--+--+--+--+--+--+--+
(...)
Eth 1/7 |37 mv| 359 mUI | c/ 17 | 08/13/2014 14:25:19.743224 |00|00|00|00|00|00|00|00|00|00|
An eye height of 37 mv is below expectations.
Nexus# show hardware internal carmel eye
+-------+------------+-------------+------------+----------------------------+--+--+--+--+--+--+--+--+--+--+
| Port | Eye Height | Eye Width | Raw values | Time measured |St|20|21|22|23|24|25|26|2E|2F|
+-------+------------+-------------+------------+----------------------------+--+--+--+--+--+--+--+--+--+--+
Eth 1/1 |106 mv| 734 mUI | 22/ 2f | 09/11/2014 08:29:28.379302 |a9|d7|86|18|30|57|86|18|88|00|
An eye height of 106 mv is within expected results.
A similar bug exists on UCS and is tracked under CSCuo76425.
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 5.2(1)N1(6), 6.0(2)N2(3) |
|
Known Fixed Releases: | 5.2(1)N1(7), 6.0(2)N2(5.94), 6.0(2)N2(6), 7.0(1)ZN(0.495), 7.0(4)N1(0.132), 7.0(4)N1(1), 7.1(0)N1(0.268), 7.1(0)N1(1), 7.1(0)ZN(0.363) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCta78541 | Title: | "show system error-id list" CLI core VSH on FEX |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom:
The following steps cause the issue:
attach fex 102
show system error-id list
This causes VSH to crash and generate a core. The fex doesn't reload and the core does not impact the functionality of the FEX.
Workaround: None. |
|
Last Modified: | 15-AUG-2015 |
|
Known Affected Releases: | 4.1(3)N1(0.188) |
|
Known Fixed Releases: | 4.1(3)N2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus19543 | Title: | DOC: NX-OS upgrade by changing boot variables & reload is not supported |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Configuration loss and other forwarding problems can be seen on Nexus 5000/5500/5600/6000 if the switch was upgraded by changing the boot variables and reloading.
This bug is filed to remove the "Upgrading a Dual-Homed FEX Access Layer" section, which suggests changing the boot variables manually, from the following documents and to insert a warning not to do this instead:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/upgrade/521_N1_8/n5k_upgrade_downgrade_521.html#pgfId-641802
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/upgrade/602_N2_5/n5500_upgrade_downgrade_602.html#pgfId-641802
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/upgrade/704_N1_1/n5600_upgrade_downgrade_700.html#pgfId-641802
Conditions: A Nexus 5000/5500/5600/6000 switch was upgraded by changing the boot variables and reloading.
Workaround: If a switch was upgraded by changing the boot variables and reloading, the workaround is to do a "write erase", reload, and re-apply the configuration.
Further Problem Description: Also refer to CSCuo34379 ("N5K/6K:NX-OS upgrade by changing bootvariables & reload is not supported").
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: * | 5.2(1)N1(8a), 6.0(2)N2(5), 7.0(1)N1(2), 7.0(4)N1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv08448 | Title: | Cisco Nexus 5000 VDC Authenticated Privilege Escalation Vulnerability |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A vulnerability in the Command Line Interface (CLI) parser of Cisco Nexus Operating System (NX-OS) devices could allow an authenticated, local attacker to perform a privilege escalation at the CLI.
The vulnerability is due to improper input validation of special characters within filenames. An attacker could exploit this vulnerability by authenticating at the local shell and writing a file to disk with certain special characters. The attacker could then use that file with other CLI commands to obtain a shell prompt at their current privilege level. An exploit could allow the attacker to read/write files and perform other privileged commands.
Conditions: A device with default configuration running an affected version of software.
Workaround: The user has to be authenticated, so take care to distribute 'admin' credentials only to trusted parties.
Further Problem Description: Credit: Cisco would like to thank Jens Krabbenhoeft for discovering and reporting this vulnerability.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:U/RC:C&version=2.0 CVE ID CVE-2015-4237 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 7.2(0)ZZ(99.1) |
|
Known Fixed Releases: * | 7.0(7)N1(0.291), 7.0(7)N1(1), 7.0(7)ZN(0.186), 7.1(3)N1(0.608), 7.1(3)N1(1), 7.1(3)ZN(0.13), 7.2(1)N1(0.253), 7.2(1)N1(1), 7.2(1)ZN(0.18) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv83420 | Title: | Fwm Memleak in fwm_ppf_enable_default_sup_redir |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: Memleak
Conditions: during fwm init
Workaround: none
Further Problem Description: none
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 7.3(0.83) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj16995 | Title: | N5k: Inband drops after enabling ERSPAN session |
|
Status: * | Terminated |
|
Severity: | 3 Moderate |
Description: | Symptom: Random inband traffic drops after enabling ERSPAN-source session on Nexus 5500 switch. Affected inband traffic is traffic destined to the switch SVI address of the VLAN used to send the ERSPAN traffic and which ingresses via the VPC peer-link.
Conditions: This was observed on Nexus 5500 switch after an upgrade from 5.0(3)N1(1c) to 5.2(1)N1(3). Switches that had other upgrade paths may be affected as well.
Workaround: Use a dedicated VLAN for sending the ERSPAN replicated traffic, other than the VLAN used for management purposes. Another workaround is to use the mgmt0 interface for management purposes.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 5.2(1)N1(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv83438 | Title: | Fwm memleak: acl_install_uninstall |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: Memleak
Conditions: during init
Workaround: none
Further Problem Description: none
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.3(0.83) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCul49154 | Title: | flow match stats displaying 0 for default drop flow |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The flow statistics for the default flow installed by the openflow-agent are not available.
Conditions: The default drop functionality works as expected, but the flow statistics are not incremented. This applies to the default-drop flow installed by the Cisco XNC controller in proactive mode and to the default flows installed using the 'default-miss cascade <>' command.
Workaround: none
Further Problem Description: Install proactive flows in the DUT with the help of the Cisco ONE controller. Check that the flows are installed and the ACEs are present in the DUT.
O2-96-F19# show openflow switch 1 flows
Logical Switch Id: 1
Total flows: 1
Flow: 1 <<<<<<<
Match:
Actions: drop
Priority: 0
Table: 0
Cookie: 0x0
Duration: 2981.29s
Number of packets: 0
Number of bytes: 0
O2-96-F19#
O2-96-F19# show ip access-lists
IPV4 ACL onep-acl-16
statistics per-entry
268431361 deny ip any any priority -1 [match=0] <<<<<<<<<<<< ace for default drop
O2-96-F19#
Now send a traffic stream and check whether packets are being dropped and the counters are updated accordingly.
O2-96-F19# show platform afm info group-config id 41 asic 2
Current running group id counter: 42
Group 41 configuration for asic id 2:
Label Table: [ifacl]-[valid:1, size:2048, used:8]
In use labels: 0-3,6,1024,65534-65535
Label:1024 group:41, logical operators:
TCAM entries [ifacl tcam]: K-keyType, L-label, B-bindcheck, DH-L2DA, CT-cdceTrnst L(IF-ifacl V-vacl Q-qos R-rbacl)
[3191]> K:IP (3/0) IN v4 L-[IF-7ff/401 ]
[3191] SA:00000000/00000000 DA:00000000/00000000
[3191]-> prio:7 stats:0 DROP count:[0]-handle[44001cf044001d6]
[3192]> K:ALL (0/0) IN L-[IF-400/400 ]
[3192]-> prio:7 stats:1792 DROP count:[17615730341]-handle[ffffffffffffffff] <<<<<<
O2-96-F19#
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.0(2)N3(0.356) |
|
Known Fixed Releases: | 7.0(1)N1(0.132), 7.0(1)N1(1), 7.0(1)ZN(0.191) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCur05609 | Title: | CLIs missing after upgrade from 5.2.1.N1.1 to 7.0.4.N1.1 Build 167 |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: CLIs missing after upgrade from 5.2.1.N1.1 to 7.0.4.N1.1 Build 167
Conditions: Upgrade from 5.2.1.N1.1 to 7.0.4.N1.1 Build 167
Workaround: None
Further Problem Description: I am seeing the following CLIs missing in the config when doing upgrade from 5.2.1.N1.1 to Iluka MR3 7.0.4.N1.1 Build 167.
Vodafone Specific CLIs:
logging level feature-mgr 0
class-map type qos class-fcoe
class-map type qos match-all test
class-map type queuing class-fcoe
  match qos-group 1
class-map type queuing class-all-flood
  match qos-group 2
class-map type queuing class-ip-multicast
  match qos-group 2
class class-default
class-map type network-qos class-fcoe
  match qos-group 1
class-map type network-qos class-all-flood
  match qos-group 2
class-map type network-qos class-ip-multicast
  match qos-group 2
My switch specific CLIs:
crypto key param rsa label dcnmCAKey modulus 512 exportable
The full config file as present before and after upgrade are attached.
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.0(4)N1(0.167) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuq61530 | Title: | Secure LDAP does not work over LDAPS port |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: A secure LDAP connection over the LDAPS port (636) to query / download from the LDAP server doesn't work. An example configuration is shown below:
fabric database type network server protocol ldap ip 8.0.100.23 port 636 vrf management enable-ssl db-table ou=networks,dc=cisco,dc=com key-type 1
fabric database type profile server protocol ldap ip 8.0.100.23 port 636 vrf management enable-ssl db-table ou=profiles,dc=cisco,dc=com
fabric database type partition server protocol ldap ip 8.0.100.23 port 636 vrf management enable-ssl db-table ou=partitions,dc=cisco,dc=com
Conditions:
Workaround: Do not use port 636.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.1(0)N1(0.291) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCue33173 | Title: | ipsg does not work with pvlan isolated trunk |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: If a user performs a non-disruptive ISSU upgrade from an old version to the new version containing the fix, and DHCP IPSG was previously configured on a PVLAN isolated trunk port (very unlikely, because the feature was not working and was blocking all traffic), DHCP IPSG may still not work after the upgrade.
Conditions: Non-disruptive ISSU upgrade with IPSG previously configured on a PVLAN isolated trunk port.
Workaround: After the ISSU upgrade, if IPSG on a PVLAN isolated trunk port was previously configured, the user needs to unconfigure and reconfigure it to make it work.
Further Problem Description:
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 6.0(2)N1(1) |
|
Known Fixed Releases: | 7.0(2)N1(0.161), 7.0(2)N1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv82719 | Title: | Unable to login with new passwd reset from switch(boot) prompt |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Originally there were the following issues.
The admin password updated from the kickstart boot CLI never got applied in the following cases:
1) Without doing a previous write erase, go to the kickstart boot prompt and do an admin-password change, then load the system image. The updated password was never applied.
2) The following procedure does not always work (it works sometimes, as seen in tests): copy the running config (this will have Pass 2), write erase, boot kickstart, enter admin Pass 1, enter another admin Pass 2, log in with Pass 2, copy the stored running config to the startup config and reload, at the kickstart boot prompt change the admin password to Pass 1. At the switch login prompt, Pass 2 works and Pass 1 does not work.
3) The following procedure does not always work (it works sometimes, as seen in tests): copy the running config (this will have Pass 2), write erase, boot kickstart, enter admin Pass 2 at the switch login, log in with Pass 2, copy the stored running config to the startup config and reload, at the kickstart boot prompt change the admin password to Pass 1. At the switch login prompt, Pass 2 works and Pass 1 does not work.
Prior to CSCuo63609/CSCut79464 for N5K, all 3 cases did not work.
Resolution with CSCut79464
With CSCut79464, case 1) always works; cases 2) and 3) work only sometimes, not consistently.
Conditions: With CSCut79464, case 1) always works; cases 2) and 3) work only sometimes, not consistently.
Workaround: Changing the admin password now works from kickstart without a write erase, which is case 1 above. Customers who want to change the admin password after a write erase can always configure the new password once the system software has loaded for the first time.
Further Problem Description:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 7.2(0)N1(0.165) |
|
Known Fixed Releases: * | 7.0(7)N1(0.297), 7.0(7)N1(1), 7.0(7)ZN(0.200), 7.1(3)N1(0.608), 7.1(3)N1(1), 7.1(3)ZN(0.13), 7.2(1)N1(0.287), 7.2(1)N1(1), 7.2(1)ZN(0.51) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCty38446 | Title: | vPC: STP unexpectedly blocked due to %STP-2-L2GW_BACKBONE_BLOCK: |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: | Symptom: An STP interface is unexpectedly blocked due to %STP-2-L2GW_BACKBONE_BLOCK. Traffic might be affected for a few seconds.
Conditions: The issue happens just after the switch boots up. It was observed on Nexus 5000 and Nexus 6000 switches.
Workaround: Apply an "STP pseudo-information priority" better than the root bridge priority:
vlan 1-100
  mode fabricpath
spanning-tree pathcost method long
spanning-tree pseudo-information vlan 1-100 root priority 4096 <<<----
The value 4096 above should be lower than the root bridge priority.
Further Problem Description: Shortly after bootup, the Nexus FP edge switch uses its physical STP switch ID instead of the FP shared STP switch ID.
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 5.1(3)N1(1a) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuw01048 | Title: | Enhancement: Add commands to show tech-support |
|
Status: | Open |
|
Severity: | 4 Minor |
Description: | Symptom: This is an enhancement request to add the commands
show tech-support fc
show running-config ipqos all
to show tech and show tech details.
Conditions:
Workaround: Issue the commands separately.
Further Problem Description:
|
|
Last Modified: | 30-AUG-2015 |
|
Known Affected Releases: | 7.0(7)N1(0.9) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCul56313 | Title: | xcvr_enable_proton_dom_caching: Error |
|
Status: | Open |
|
Severity: | 4 Minor |
Description: | Symptom: The show interface transceiver details output is truncated, with errors:
as1-nme.bllon# show int e1/20 transceiver details
Error reading from SFP <<<---------------------------
Ethernet1/20
transceiver is present
type is Fabric Extender Transceiver
name is CISCO-FINISAR
part number is FTLX8570D3BCL-C2
revision is A
serial number is FNS17510TZQ
nominal bitrate is 10300 MBit/sec
Link length supported for 50/125um OM3 fiber is 100 m
Link length supported for 62.5/125um fiber is 10 m
cisco id is --
cisco extended id number is 4 <<< -----------------------------
All output below the arrow (such as signal strength) is also missing.
Conditions: The customer's issue was noticed on the following platform; other platforms and software versions might also be affected.
HW: N5K-C5596UP
SW: n5000-uk9.5.2.1.N1.6.bin
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 6.0(2)N3(0.358) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtl87089 | Title: | show tech-support to include show processes cpu history |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: * | Symptom: show processes cpu history is currently not part of the show tech-support output
Conditions: run a show tech-support on the switch
Workaround: run manually show processes cpu history
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 5.0(2)N2(1) |
|
Known Fixed Releases: * | 7.0(5)N1(1) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCut94326 | Title: | Nexus 5596UP as FC switch: cannot change FSPF cost under fc interface |
|
Status: | Open |
|
Severity: | 5 Cosmetic |
Description: | Symptom: Not able to change fspf cost of a fc interface.
Conditions: Will be updated once root cause is found.
Workaround: Will be updated once root cause is found.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.2(0.1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu19422 | Title: | Runts on N2K-C2348UPQ-10G on not connected interface |
|
Status: | Open |
|
Severity: | 5 Cosmetic |
Description: | Symptom: Input errors are observed on not-connected interfaces with a 1000BASE-LH SFP on the N2K-C2348UPQ-10G.
Conditions: Not-connected interface with a 1000BASE-LH SFP.
Workaround: Shut down the not-connected interfaces.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.0(5)N1(1a) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCur95371 | Title: | Vxlan not working on N5696-M4C |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: With a VXLAN config, ping to the remote gateway port fails; please add VXLAN support to the N5696-M4C.
Conditions: This problem only happens on the N5696-M4C.
Workaround: No workaround.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.1(0)N1(0.418) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv57298 | Title: | Make "no trunk protocol enable" a hidden command. |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: "no trunk protocol enable" is not displayed in "show running-config", and "[no] trunk protocol enable" is not displayed in "show running-config all".
Conditions: All
Workaround: Use "show trunk protocol" to see whether EPP is enabled or disabled.
Further Problem Description: When the trunk protocol is disabled the following syslog message is issued:
%EPP-5-EPP_TRUNK_PROTOCOL_STATUS: epp trunk protocol is disabled on switch
If the trunk protocol is disabled, no new port-channels will activate and no new VSANs can be added to trunks. Existing trunks (both TE and TF) continue to function normally.
The trunk protocol (EPP) should normally never be disabled.
|
|
Last Modified: | 22-AUG-2015 |
|
Known Affected Releases: | 5.2(1)N1(9) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtx24025 | Title: | Enh: Request SSH 5.9 on Nexus5000 to avoid SSH DoS Vulnerability report |
|
Status: | Other |
|
Severity: | 6 Enhancement |
Description: * | Symptom: A Nessus scanner version 4.4.1 or above will report a DoS vulnerability for a Nexus 5000 running 5.1(3) or below:
The SSH server on the remote host has multiple denial of service vulnerabilities.
This requests that the SSH service on the Nexus 5000 be upgraded to 5.9 or above to avoid CVE-2010-4755.
Conditions: A Nexus 5000 with 5.1(3) is running SSH 5.5, which triggers this report. If this vulnerability were exploited, the SSH process would terminate, tearing down all currently established SSH sessions. The SSH process would restart automatically and SSH sessions could be re-established. This re-establishment can be automatic or manual, depending on how the sessions were initially established and the processes surrounding them.
Workaround: N/A
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0 CVE ID CVE-2010-4755 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.1(3)N1(1) |
|
Known Fixed Releases: | |
|
|
| |