How-To: Addressing Security Vulnerabilities on Cisco Switches in Engineered Systems

Asset ID:	1-71-2232764.1
Update Date:	2017-09-19
Keywords:

Solution Type Technical Instruction Sure

Solution 2232764.1 : How-To: Addressing Security Vulnerabilities on Cisco Switches in Engineered Systems

Applies to:

Exadata X5-2 Hardware - Version All Versions and later
Oracle SuperCluster T5-8 Hardware - Version All Versions and later
Oracle SuperCluster M7 Hardware - Version All Versions and later
SPARC SuperCluster T4-4 - Version All Versions and later
Exadata X6-8 Hardware - Version All Versions and later
Information in this document applies to any platform.

Goal

Engineered systems such as SuperCluster, Exadata and Exalogic contain a Cisco Ethernet switch (model 4948 or 4948E depending on the model of engineered system). Security scans may identify vulnerabilities associated with this switch, some of which require an update to the IOS software. This document provides information on determining if identified vulnerabilities affect the installed switch and if so, how to resolve them.

Because the Ethernet switches included in engineered systems are not manufactured by Oracle, support for them is limited to hardware only. Oracle has no control over the development of software used on the Cisco switches, to include tracking and patching bugs. Therefore, Oracle cannot provide direct downloads of Cisco’s software.

Solution

I. Determine the Model and IOS Version of Your Switch

1. Log in to the switch.

2. Issue the following command:

show version

The output will look similar to this:

thx1138-sw-ip1>show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 15.1(2)SG2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 05-Sep-13 19:16 by prod_rel_team

ROM: 12.2(44r)SG12
xdt803sw-ip1 uptime is 2 years, 38 weeks, 2 days, 6 hours, 12 minutes
System returned to ROM by power-on
System restarted at 12:29:24 CDT Sat Apr 5 2014
System image file is "bootflash:cat4500e-ipbasek9-mz.151-2.SG2.bin"
Hobgoblin Revision 22, Fortooine Revision 1.40

Last reload reason: power-on

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

cisco WS-C4948E-F (MPC8548) processor (revision 8) with 1048576K bytes of memory.
Processor board ID CAT1747S265
MPC8548 CPU at 1GHz, Cisco Catalyst 4948E-F
Last reset from PowerUp
1 Virtual Ethernet interface
48 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102

The IOS software version is seen in the first line of output. In the above example, the version is 15.1(2)SG2.

The model of the switch is seen in the first line after the copyright warning. In the above example, the model is shown as cisco WS-C4948E-F (i.e. - a 4948E switch).

II. Determine IOS Software Versions Affected

1. Determine the Cisco Bug ID affecting the switch.

If you already know the Bug ID, go to step 2.

If you do not know the Bug ID, you will need to search the Cisco support site using the CVE of the vulnerability to get this number. Once you know the Bug ID, go to step 2.

2. View the Bug ID by navigating to https://quickview.cloudapps.cisco.com/quickview/bug/<CiscoBugId> where <CiscoBugId> is the Bug ID assigned by Cisco such as CSCug31561 or CSCum94811.

3. Read the Bug ID, paying particular attention to the Known Affected Releases section.

4. Compare the affected IOS software releases and any models mentioned with the IOS software currently used by your switch.

If your version is affected, go to Section III.

If your version is not affected, stop here. No further action is required.

III. Updating Affected IOS Software

As noted at the beginning of this document, Oracle is very limited on the amount of support provided for Cisco’s switches. Therefore, Oracle does not provide updated IOS software for the switches. This is the responsibility of Cisco because they are the switch manufacturer. However, because these Cisco switches are not modified by Oracle, the latest firmware from Cisco can be applied to these switches without any special tools or requirements from Oracle.

If you have determined that the version of IOS on your switch is affected by a vulnerability, the latest version of the IOS software will generally contain the fix. The latest software can be downloaded from the following link:

For Cisco 4948E-F-S Switches

http://www.cisco.com/c/en/us/support/switches/catalyst-4948e-f-ethernet-switch/model.html#~tab-downloads

For Cisco 4948 Switches

http://www.cisco.com/c/en/us/support/switches/catalyst-4948-switch/model.html#~tab-downloads

Once the software is downloaded, apply it using the instructions provided with it. Generally, updating the firmware will cause the switch to be be down/inaccessible while the update is being applied.

An account with Cisco is required to download the IOS software. It is the responsibility of the customer’s organization to obtain access to the Cisco support site either for themselves or their network team. Oracle does not provide any mechanism for accessing the site.

The following is from Doc ID 1485292.1:

“Oracle integrates the Cisco switch for a very specific set of functions (*) and not as general purpose network infrastructure. After EIS installation, the customer is free to replace the switch, modify the standard configuration, license different firmware options or re-purpose it outside of those functions. All of this is at the end customer's cost, risk, and configuration support. Oracle retains the hardware warranty for the supplied switch only.“

Summary: Oracle will support the hardware, but not the software. Additionally, if the customer replaces the Oracle-provided switch with another one, Oracle will not support it.

However, under some circumstances the Sun Network Ethernet Switches team can obtain the latest IOS software for the customer and attach it to the SR. To explore this option, ensure you have the output of the show version command for each switch affected then open a collab to request the latest IOS software be downloaded from Cisco.

     Product:                  <The Engineered System – i.e. Exadata X4-2 Half Rack>
     Component:             Collaborate
     Sub Component:      Ethernet Switch Issue

References

<NOTE:1485292.1> - Cisco Ethernet 4948/4948E Support page for Engineered Systems

Attachments

This solution has no attachment