Cisco has published a security update to patch a critical vulnerability in the virtual service container for Cisco's operating system IOS XE.
What is the vulnerability?
The vulnerability, tracked as CVE-2019-12643, exists in the REST API virtual service container for IOS XE operating system.
The specific conditions include:
What is the impact?
The vulnerability impacts the following products:
However, Cisco has confirmed that Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software are not impacted.
Cisco has released the latest version 16.09.03 of the REST API virtual device container ("iosxe-remote-mgmt.16.09.03.ova"), which patches the authentication bypass vulnerability.
To further protect customers, Cisco released a hardened version of the IOS XE software that prevents installation or activation of a vulnerable container device.
“Cisco has also released a hardened Cisco IOS XE Software release that prevents installation or activation of a vulnerable container on a device. If the device was already configured with an active vulnerable container, the IOS XE Software upgrade will deactivate the container, making the device not vulnerable. In that case, to restore the REST API functionality, customers should upgrade the Cisco REST API virtual service container to a fixed software release,” security advisory read.