Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021

The following table lists Cisco products that are affected by the vulnerabilities that are described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Cisco is continuing to evaluate the fix and will update the advisory as additional information becomes available. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details.

Product, Cisco Bug ID, and Fixed Release Availability

Cisco Adaptive Security Appliance (ASA) Software
  Affected features: Clientless WebVPN and AnyConnect VPN (only when SSO is enabled)
  Cisco Bug ID: CSCvx73164
  Fixed releases: 9.8.4.38 (Jun 2021); 9.12.4.24 (available); 9.14.3 (Jun 2021); 9.15.1.15 (available); 9.16.1.3 (available)

Cisco Content Security Management Appliance (SMA)
  Affected feature: Web-based management interface (only when SSO is enabled)
  Cisco Bug ID: CSCvx73156
  Fixed releases: 13.8.1 (available); 14.1.0 (Jul 2021)

Cisco Email Security Appliance (ESA)
  Affected feature: Web-based management interface (only when SSO is enabled)
  Cisco Bug ID: CSCvx73154
  Fixed release: 14.0.0-692 GD (available)

Cisco FXOS Software
  Cisco Bug ID: CSCvx73164
  Fixed releases: 2.2.2.149 (Jul 2021); 2.3.1.216 (Jul 2021); 2.6.1.230 (Jul 2021); 2.7.1.143 (available); 2.8.1.152 (available); 2.9.1.143 (available)

Cisco Web Security Appliance (WSA)
  Cisco Bug ID: CSCvx73157
  Fixed release: 14.0.1 (Sep 2021)

Cisco Firepower Threat Defense (FTD) Software
  Affected feature: AnyConnect VPN (only when SSO is enabled) [1]
  Cisco Bug ID: CSCvx73164
  Fixed releases: 6.4.0.12 (available); 6.6.5 (Jul 2021); 6.7.0.2 (available); 7.0.0 (available)

Cisco Prime Collaboration Assurance
  Cisco Bug ID: CSCvx73162
  Fixed release: 12.1 SP4 ES (TBD)

[1] The AnyConnect VPN is configurable only through FlexConfig for Cisco FTD releases earlier than Release 6.7.

The Cisco software releases listed in the following table have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.

Cisco Software End-of-Life Releases
  ASA Software: 9.7 and earlier; 9.9; 9.10; 9.13
  FXOS Software: 2.4.1; 2.7.1
  FTD Software: 6.0.1 and earlier; 6.2.0; 6.2.1; 6.5
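The two tables above (first fixed release per train, and end-of-life trains) are what an operator actually has to compare a running release against. The following checker is an added example written for this page, not Cisco tooling: the release strings are transcribed from the tables, but the product keys, the notion of a "train" (how many leading version components must match: three for FXOS and ESA, two elsewhere), the rule "fixed if the running release is at or above the first fixed release in the same train", and the `sso_enabled` flag that models the "only when SSO is enabled" condition are all this example's own assumptions.

```python
"""Check a running release against the fixed and end-of-life tables in this advisory.

Added example for this page, not Cisco's code. Release strings are transcribed
from the advisory tables; train depth, the ">= first fixed release" rule and the
sso_enabled flag are assumptions made here.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per maintenance train (availability dates dropped).
FIXED_RELEASES: Dict[str, List[str]] = {
    "ASA":  ["9.8.4.38", "9.12.4.24", "9.14.3", "9.15.1.15", "9.16.1.3"],
    "FXOS": ["2.2.2.149", "2.3.1.216", "2.6.1.230", "2.7.1.143", "2.8.1.152", "2.9.1.143"],
    "FTD":  ["6.4.0.12", "6.6.5", "6.7.0.2", "7.0.0"],
    "SMA":  ["13.8.1", "14.1.0"],
    "WSA":  ["14.0.1"],
    "ESA":  ["14.0.0-692"],
}

# End-of-life trains: explicit entries, plus an "and earlier" ceiling.
END_OF_LIFE: Dict[str, List[str]] = {
    "ASA":  ["9.9", "9.10", "9.13"],
    "FXOS": ["2.4.1", "2.7.1"],
    "FTD":  ["6.2.0", "6.2.1", "6.5"],
}
EOL_CEILING: Dict[str, Tuple[int, ...]] = {"ASA": (9, 7), "FTD": (6, 0, 1)}

# Assumption: number of leading components that identify a train.
TRAIN_DEPTH: Dict[str, int] = {"ASA": 2, "FXOS": 3, "FTD": 2, "SMA": 2, "WSA": 2, "ESA": 3}

# Products the table marks as affected only when SSO is enabled.
SSO_CONDITIONED = {"ASA", "FTD", "SMA", "ESA"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.12.4.24' -> (9, 12, 4, 24); '14.0.0-692 GD' -> (14, 0, 0, 692)."""
    numbers = re.findall(r"\d+", text)
    if not numbers:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in numbers)


def train_of(product: str, version: Tuple[int, ...]) -> Tuple[int, ...]:
    """Leading components that identify the maintenance train."""
    return version[:TRAIN_DEPTH[product]]


def check(product: str, running: str,
          sso_enabled: Optional[bool] = None) -> Dict[str, Optional[str]]:
    """Classify a running release: fixed, affected, not_exposed, end_of_life or unlisted.

    sso_enabled=False short-circuits to not_exposed for products the table
    conditions on SSO; None means "unknown" and is treated as exposed.
    """
    product = product.upper()
    if product not in FIXED_RELEASES:
        raise KeyError(f"{product} is not in the advisory's fixed-release table")
    version = parse_version(running)
    train = train_of(product, version)

    # A train with a listed fix: compare against the first fixed release.
    for fixed in FIXED_RELEASES[product]:
        fixed_version = parse_version(fixed)
        if train_of(product, fixed_version) != train:
            continue
        if version >= fixed_version:
            return {"status": "fixed", "fixed_release": fixed}
        if product in SSO_CONDITIONED and sso_enabled is False:
            return {"status": "not_exposed", "fixed_release": fixed}
        return {"status": "affected", "fixed_release": fixed}

    # No fix listed for this train: is it end-of-life (migrate) or simply unlisted?
    ceiling = EOL_CEILING.get(product)
    is_eol = ceiling is not None and version[:len(ceiling)] <= ceiling
    is_eol = is_eol or any(
        version[:len(eol)] == eol
        for eol in (parse_version(e) for e in END_OF_LIFE.get(product, []))
    )
    if is_eol:
        return {"status": "end_of_life", "fixed_release": None}
    return {"status": "unlisted", "fixed_release": None}


if __name__ == "__main__":
    for product, running in [("ASA", "9.12.4.20"), ("ASA", "9.13.1.7"), ("FTD", "6.6.5")]:
        print(product, running, check(product, running))
```

An "unlisted" result means the train appears in neither table and the advisory should be re-read rather than treated as safe. The `sso_enabled` flag only encodes the table's stated condition; whether SSO is actually configured has to be verified on the device (on ASA, the `saml idp` block under `webvpn` and `authentication saml` in a tunnel group's webvpn-attributes are the SAML SSO settings to look for).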

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect the following products and services:

Network and Content Security Devices

  • Cisco AMP Virtual Private Cloud Appliance

Network Management and Provisioning

  • Cisco Prime Collaboration Provisioning

Unified Computing

  • Cisco UCS B-Series M5 Blade Servers
  • Cisco UCS C-Series M5 Rack Servers – Managed

Video, Streaming, TelePresence, and Transcoding Devices

  • Cisco Video Surveillance Media Server
  • Cisco Video Surveillance Operations Manager
  • Cisco Vision Dynamic Signage Director
