[apops] Cisco Security Advisory: TCP State Manipulation Denial of Servic

  • To: apops at apops dot net
  • Subject: [apops] Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products
  • From: Cisco Systems Product Security Incident Response Team <psirt at cisco dot com>
  • Date: Tue, 08 Sep 2009 10:35:00 -0400
  • Cc: psirt at cisco dot com
  • Delivered-to: apops at mailman dot apnic dot net
  • List-archive: <http://mailman.apnic.net/mailing-lists/apops>
  • List-help: <mailto:apops-request@apops.net?subject=help>
  • List-id: Asia Pacific Operators Forum <apops.apops.net>
  • List-post: <mailto:apops@apops.net>
  • List-subscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:apops-request@apops.net?subject=subscribe>
  • List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:apops-request@apops.net?subject=unsubscribe>
  • Prevent-nondelivery-report:
  • Reply-to: psirt@cisco.com
  • Sender: nobody@cisco.com
    • Hash: SHA1
      
      Cisco Security Advisory: TCP State Manipulation Denial of Service
      Vulnerabilities in Multiple Cisco Products
      
      Advisory ID: cisco-sa-20090908-tcp24
      
      Revision 1.0
      
      For Public Release 2009 September 8 1700 UTC (GMT)
      
      +---------------------------------------------------------------------
      
      Summary
      =======
      
      Multiple Cisco products are affected by denial of service (DoS)
      vulnerabilities that manipulate the state of Transmission Control
      Protocol (TCP) connections. By manipulating the state of a TCP
      connection, an attacker could force the TCP connection to remain in a
      long-lived state, possibly indefinitely. If enough TCP connections
      are forced into a long-lived or indefinite state, resources on a
      system under attack may be consumed, preventing new TCP connections
      from being accepted. In some cases, a system reboot may be necessary
      to recover normal system operation. To exploit these vulnerabilities,
      an attacker must be able to complete a TCP three-way handshake with a
      vulnerable system.
      
      In addition to these vulnerabilities, Cisco Nexus 5000 devices
      contain a TCP DoS vulnerability that may result in a system crash.
      This additional vulnerability was found as a result of testing the
      TCP state manipulation vulnerabilities.
      
      Cisco has released free software updates for download from the Cisco
      website that address these vulnerabilities. Workarounds that mitigate
      these vulnerabilities are available.
      
      This advisory is posted at:
      
      http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml
      
      Affected Products
      =================
      
      Vulnerable Products
      +------------------
      
      The following Cisco products have a TCP implementation that is
      affected by these vulnerabilities. Refer to the Software Versions and
      Fixes section for information on fixed software.
      
      Cisco IOS Software
      
      To determine the Cisco IOS Software release that is running on a
      Cisco product, administrators can log into the device and issue the 
      "show version" command to display the system banner. The system banner
      confirms that the device is running Cisco IOS Software by displaying
      text similar to "Cisco Internetwork Operating System Software" or
      "Cisco IOS Software." The image name displays in parentheses,
      followed by "Version" and the Cisco IOS Software release name. Other
      Cisco devices do not have the "show version" command or may provide
      different output.
      
      The following example identifies a Cisco product that is running
      Cisco IOS Software Release 12.3(26) with an installed image name of
      C2500-IS-L:
      
          Router#show version
          Cisco Internetwork Operating System Software
          IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
          Technical Support: http://www.cisco.com/techsupport
          Copyright (c) 1986-2008 by cisco Systems, Inc.
          Compiled Mon 17-Mar-08 14:39 by dchih
          <output truncated>
      
      The following example identifies a Cisco product that is running
      Cisco IOS Software Release 12.4(20)T with an installed image name of
      C1841-ADVENTERPRISEK9-M:
      
          Router#show version
          Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
          Technical Support: http://www.cisco.com/techsupport
          Copyright (c) 1986-2008 by Cisco Systems, Inc.
          Compiled Thu 10-Jul-08 20:25 by prod_rel_team
          <output truncated>
      
      Additional information about Cisco IOS Software release naming
      conventions is available in "White Paper: Cisco IOS Reference Guide"
      at the following link:
      
      http://www.cisco.com/warp/public/620/1.html
      
      Cisco IOS-XE Software
      
      The version of Cisco IOS-XE Software that is running on a Cisco
      product can be determined using the "show version" command from the
      Command Line Interface (CLI).
      
      Cisco CatOS Software
      
      The version of Cisco CatOS Software that is running on a Cisco
      product can be determined using the "show version" command from the
      CLI.
      
      Cisco Adaptive Security Appliance (ASA) and Cisco PIX
      
      Cisco ASA and Cisco PIX security appliances running versions 7.0,
      7.1, 7.2, 8.0, and 8.1 are affected when configured for any of the
      following features:
      
        * SSL VPNs
        * ASDM Administrative Access
        * Telnet Access
        * SSH Access
        * Cisco Tunneling Control Protocol (cTCP) for Remote Access VPNs
        * Virtual Telnet
        * Virtual HTTP
        * Transport Layer Security (TLS) Proxy for Encrypted Voice
          Inspection
        * Cut-Through Proxy for Network Access
      
      The version of software that is running on a Cisco ASA and Cisco PIX
      security appliances can be determined using the "show version" command
      from the CLI.
      
      Cisco NX-OS Software
      
      The version of Cisco NX-OS Software that is running on Cisco Nexus
      5000 and 7000 series devices can be determined using the "show version"
      command from the CLI.
      
      Scientific Atlanta Products
      
      Scientific Atlanta customers are instructed to contact Scientific
      Atlanta's Technical Support for questions regarding the impact,
      mitigation and remediation of the vulnerabilities discussed in this
      document.
      
      Contact information for Scientific Atlanta Technical Support can be
      found at the following web site:
      
      http://www.cisco.com/en/US/products/ps10459/serv_group_home.html
      
      Linksys Products
      
      Customers with Linksys products should contact the following email
      address for questions regarding the impact, mitigation and
      remediation of the vulnerabilities discussed in this document:
      
      security at linksys dot com
      
      Products Confirmed Not Vulnerable
      +--------------------------------
      
      The following Cisco products are not affected:
      
        * Cisco IOS XR
        * Cisco IOS Software Modularity
        * Cisco ASA and Cisco PIX Software version 8.2
        * Cisco PIX Software version 6.x and earlier
        * Cisco Firewall Services Module (FWSM)
        * Cisco Multilayer Distribution Switches (MDS)
        * Cisco Application Control Engine (ACE) Modules and Appliances
        * Cisco ACE XML Gateway
        * Cisco Access Control Server (ACS) Solution Engine
        * Cisco Guard
        * Cisco Security Monitoring, Analysis, and Response System (CS-MARS)
        * Cisco ONS 15000
        * Cisco Content Services Switches (CSS)
        * Cisco Wide Area Application Services (WAAS)
        * Cisco Wireless LAN Controller (WLC)
        * IronPort C, M, S and X Series Appliances
      
      Cisco PSIRT tested Cisco products that are based on Linux and
      Microsoft Windows operating systems and found that although TCP
      connections in a FINWAIT1 state may temporarily consume system
      resources the operating systems eventually clear the TCP connections.
      If enough system resources are consumed, a sustained DoS condition
      may be possible. This outcome is highly dependent on the
      configuration and usage of a system. For more information about how
      these vulnerabilities affect Microsoft Windows operating systems,
      please consult the following Microsoft website at the following link:
      
      http://go.microsoft.com/fwlink/?LinkId=155978
      
      No other Cisco products are currently known to be affected by these
      vulnerabilities.
      
      Details
      =======
      
      Multiple Cisco products are affected by DoS vulnerabilities in the
      TCP protocol. By manipulating the state of TCP connections, an
      attacker could force a system that is under attack to maintain TCP
      connections for long periods of time, or indefinitely in some cases.
      With a sufficient number of open TCP connections, the attacker may be
      able to cause a system to consume internal buffer and memory
      resources, resulting in new TCP connections being denied access to a
      targeted port or an entire system. A system reboot may be required to
      restore full system functionality. A full TCP three-way handshake is
      required to exploit these vulnerabilities.
      
      Network devices are not directly impacted by TCP state manipulation
      DoS attacks transiting a device; however, network devices that
      maintain the state of TCP connections may be impacted. If the
      attacker can establish enough TCP connections through a transit
      device that maintains TCP state, device resources may be exhausted
      and prevent the device from processing new TCP connections, resulting
      in a DoS condition. If an affected device that forwards traffic (that
      is, routes) in a network is the target of a TCP state manipulation
      attack, the attacker could cause a network-impacting DoS condition.
      
      Cisco IOS Software
      
      All Cisco IOS Software versions are affected by this vulnerability. A
      device running Cisco IOS Software that is under attack will have
      numerous hung TCP connections in the FINWAIT1 state. The "show tcp
      brief" command can be used to display the hung TCP connections. The
      following is example output showing an attack in progress.
      
          Router#show tcp brief | include FIN
          63D697C4  192.168.1.10.80            192.168.1.20.38479         FINWAIT1
          63032A28  192.168.1.10.80            192.168.1.20.54154         FINWAIT1
          645F8068  192.168.1.10.80            192.168.1.20.56287         FINWAIT1
          630323F4  192.168.1.10.80            192.168.1.20.6372          FINWAIT1
          63D69190  192.168.1.10.80            192.168.1.20.23489         FINWAIT1
      
      The vulnerabilities for Cisco IOS Software are documented in Cisco
      Bug ID CSCsv04836.
      
      Cisco IOS-XE Software
      
      All Cisco IOS-XE Software versions are affected by this
      vulnerability. A device running Cisco IOS-XE Software that is under
      attack will have numerous hung TCP connections in the FINWAIT1 state.
      The "show tcp brief" command can be used to display the hung TCP
      connections. The following is example output showing an attack in
      progress.
      
          Router#show tcp brief | include FIN
          63D697C4  192.168.1.10.80            192.168.1.20.38479         FINWAIT1
          63032A28  192.168.1.10.80            192.168.1.20.54154         FINWAIT1
          645F8068  192.168.1.10.80            192.168.1.20.56287         FINWAIT1
          630323F4  192.168.1.10.80            192.168.1.20.6372          FINWAIT1
          63D69190  192.168.1.10.80            192.168.1.20.23489         FINWAIT1
      
      The vulnerabilities for Cisco IOS-XE Software are documented in Cisco
      Bug ID CSCsv07712.
      
      Cisco CatOS Software
      
      All Cisco CatOS Software versions are affected by these
      vulnerabilities. A device running Cisco CatOS Software that is under
      attack will have numerous hung TCP connections in the FIN_WAIT_1
      state. The "show netstat" command can be used to display the hung TCP
      connections. The following is example output showing an attack in
      progress.
      
          Console> (enable) show netstat
          Active Internet connections (including servers)
          Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
          tcp        0     83  192.168.1.10.23        192.168.1.20.46056       FIN_WAIT_1
          tcp        0     83  192.168.1.10.23        192.168.1.20.16305       FIN_WAIT_1
          tcp        0     83  192.168.1.10.23        192.168.1.20.14628       FIN_WAIT_1
          tcp        0     83  192.168.1.10.23        192.168.1.20.7275        FIN_WAIT_1
          tcp        0     83  192.168.1.10.23        192.168.1.20.39559       FIN_WAIT_1
      
      The vulnerabilities for Cisco CatOS Software are documented in Cisco
      Bug ID CSCsv66169.
      
      Cisco ASA and Cisco PIX Software
      
      All Cisco ASA and Cisco PIX Software versions are affected by these
      vulnerabilities. A device running Cisco ASA and Cisco PIX Software
      that is under attack will have numerous TCP connections in the
      established state. The "show asp table socket" command can be used to
      display the TCP connections. The following is example output showing
      a potential attack in progress.
      
          FIREWALL# show asp table socket | grep ESTAB
          TCP       123a8a6c  192.168.1.10:80           192.168.1.20:46181    ESTAB
          TCP       123e6d54  192.168.1.10:80           192.168.1.20:29546    ESTAB
          TCP       1244f78c  192.168.1.10:80           192.168.1.20:40271    ESTAB
          TCP       124f8d2c  192.168.1.10:80           192.168.1.20:46599    ESTAB
          TCP       12507f2c  192.168.1.10:80           192.168.1.20:5607     ESTAB
      
      It is possible for normal traffic to cause established TCP
      connections to appear on Cisco ASA or PIX devices, especially VPN
      connections terminated to the device. In order to confirm if
      established TCP connections are part of an attack, administrators
      should use a monitoring point outside the firewall such as a packet
      sniffer or Netflow collection agent to examine the profile of the
      suspicious TCP connections and determine if an attack is occurring.
      
      Note: The show asp table socket command was introduced in Cisco ASA
      and Cisco PIX Software 8.0(1).
      
      Further detail about hung TCP connections can be found with "show conn
      detail all long" command. The IP address used to qualify the example
      below is the address of the firewall interface under attack.
      
          FIREWALL# show conn detail all long | grep 192.168.1.10
          TCP outside:192.168.1.20/62345 (192.168.1.20/62345) NP Identity Ifc:192.168.1.10/80 (192.168.1.10/80), flags UB, idle 0s, uptime 0s, timeout 1m0s, bytes 0
          TCP outside:192.168.1.20/56268 (192.168.1.20/56268) NP Identity Ifc:192.168.1.10/80 (192.168.1.10/80), flags UB, idle 0s, uptime 0s, timeout 1m0s, bytes 0
          TCP outside:192.168.1.20/63445 (192.168.1.20/63445) NP Identity Ifc:192.168.1.10/80 (192.168.1.10/80), flags UB, idle 0s, uptime 0s, timeout 1m0s, bytes 0
          TCP outside:192.168.1.20/49151 (192.168.1.20/49151) NP Identity Ifc:192.168.1.10/80 (192.168.1.10/80), flags UB, idle 0s, uptime 0s, timeout 1m0s, bytes 0
          TCP outside:192.168.1.20/57147 (192.168.1.20/57147) NP Identity Ifc:192.168.1.10/80 (192.168.1.10/80), flags UB, idle 0s, uptime 0s, timeout 1m0s, bytes 0
      
      Note: Both troubleshooting commands referenced about will display TCP
      connections that are terminated to a firewall interface and
      transiting through the firewall.
      
      The vulnerabilities for Cisco ASA and Cisco PIX Software are
      documented in Cisco Bug ID CSCsv02768.
      
      Cisco NX-OS Software
      
      All Cisco Nexus 5000 and 7000 platforms running Cisco NX-OS Software
      are affected by these vulnerabilities. A Nexus 5005 or 7000 device
      running Cisco NX-OS Software that is under attack will have numerous
      hung TCP connections in the FIN_WAIT_1 state. The "show tcp connection
      detail" command can be used to display the hung TCP connections. The
      following is example output showing an attack in progress.
      
          NEXUS# show tcp connection detail | include FIN
          
            State: FIN_WAIT_1
            State: FIN_WAIT_1
            State: FIN_WAIT_1
            State: FIN_WAIT_1
            State: FIN_WAIT_1
      
      The hung TCP connection vulnerabilities for Nexus 5000 and Nexus 7000
      devices are documented in Cisco Bug ID CSCsv08325 and Cisco Bug ID CSCsv08579
      respectively.
      
      While investigating the TCP state manipulation vulnerabilities, it
      was discovered that Cisco NX-OS on Nexus 5000 platforms may be
      vulnerable to a system crash when receiving a specific sequence of
      TCP packets. This vulnerability is documented in Cisco Bug ID 
      CSCsv08059 and has been assigned CVE identifier CVE-2009-0627.
      
      The TCP state manipulation vulnerabilities have been assigned Common
      Vulnerabilities and Exposures (CVE) identifier CVE-2008-4609.
      
      Vulnerability Scoring Details
      =============================
      
      Cisco has provided scores for the vulnerabilities in this advisory
      based on the Common Vulnerability Scoring System (CVSS). The CVSS
      scoring in this Security Advisory is done in accordance with CVSS
      version 2.0.
      
      CVSS is a standards-based scoring method that conveys vulnerability
      severity and helps determine urgency and priority of response.
      
      Cisco has provided a base and temporal score. Customers can then
      compute environmental scores to assist in determining the impact of
      the vulnerability in individual networks.
      
      Cisco has provided an FAQ to answer additional questions regarding
      CVSS at:
      
      http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
      
      Cisco has also provided a CVSS calculator to help compute the
      environmental impact for individual networks at:
      
      http://intellishield.cisco.com/security/alertmanager/cvss
      
      CSCsv04836 - Connections getting stuck at FINWAIT1 state
      
      CVSS Base Score - 7.8
      
      Access Vector           - Network
      Access Complexity       - Low
      Authentication          - None
      Confidentiality Impact  - None
      Integrity Impact        - None
      Availability Impact     - Complete
      
      CVSS Temporal Score - 6.4
      
      Exploitability          - Functional
      Remediation Level       - Official-Fix
      Report Confidence       - Confirmed
      
      CSCsv07712 - Connections getting stuck at FINWAIT1 state
      
      CVSS Base Score - 7.8
      
      Access Vector           - Network
      Access Complexity       - Low
      Authentication          - None
      Confidentiality Impact  - None
      Integrity Impact        - None
      Availability Impact     - Complete
      
      CVSS Temporal Score - 6.4
      
      Exploitability          - Functional
      Remediation Level       - Official-Fix
      Report Confidence       - Confirmed
      
      CSCsv66169 - TCP Connections get stuck in FINWAIT1 state
      
      CVSS Base Score - 7.8
      
      Access Vector           - Network
      Access Complexity       - Low
      Authentication          - None
      Confidentiality Impact  - None
      Integrity Impact        - None
      Availability Impact     - Complete
      
      CVSS Temporal Score - 6.4
      
      Exploitability          - Functional
      Remediation Level       - Official-Fix
      Report Confidence       - Confirmed
      
      CSCsv02768 - TCP connections getting stuck in FINWAIT1 state
      
      CVSS Base Score - 7.8
      
      Access Vector           - Network
      Access Complexity       - Low
      Authentication          - None
      Confidentiality Impact  - None
      Integrity Impact        - None
      Availability Impact     - Complete
      
      CVSS Temporal Score - 6.4
      
      Exploitability          - Functional
      Remediation Level       - Official-Fix
      Report Confidence       - Confirmed
      
      CSCsv08325 - TCP connections may get stuck in any state after ESTAB indefinitely
      
      CVSS Base Score - 7.8
      
      Access Vector           - Network
      Access Complexity       - Low
      Authentication          - None
      Confidentiality Impact  - None
      Integrity Impact        - None
      Availability Impact     - Complete
      
      CVSS Temporal Score - 6.4
      
      Exploitability          - Functional
      Remediation Level       - Official-Fix
      Report Confidence       - Confirmed
      
      CSCsv08579 - TCP connections get stuck in FINWAIT1 state indefinitely
      
      CVSS Base Score - 7.8
      
      Access Vector           - Network
      Access Complexity       - Low
      Authentication          - None
      Confidentiality Impact  - None
      Integrity Impact        - None
      Availability Impact     - Complete
      
      CVSS Temporal Score - 6.4
      
      Exploitability          - Functional
      Remediation Level       - Official-Fix
      Report Confidence       - Confirmed
      
      CSCsv08059 - NEXUS 5000 crashes after certain TCP packets
      
      CVSS Base Score - 7.8
      
      Access Vector           - Network
      Access Complexity       - Low
      Authentication          - None
      Confidentiality Impact  - None
      Integrity Impact        - None
      Availability Impact     - Complete
      
      CVSS Temporal Score - 6.4
      
      Exploitability          - Functional
      Remediation Level       - Official-Fix
      Report Confidence       - Confirmed
      
      Impact
      ======
      
      Successful exploitation of the TCP state manipulation vulnerabilities
      may result in a DoS condition where new TCP connections are not
      accepted on an affected system. Repeated exploitation may result in a
      sustained DoS condition. A reboot may be required to recover affected
      systems.
      
      In addition, Cisco Nexus 5000 systems may crash upon receiving a
      specific sequence of TCP packets.
      
      Software Versions and Fixes
      ===========================
      
      When considering software upgrades, also consult:
      
      http://www.cisco.com/go/psirt
      
      and any subsequent advisories to determine exposure and a
      complete upgrade solution.
      
      In all cases, customers should exercise caution to be certain the
      devices to be upgraded contain sufficient memory and that current
      hardware and software configurations will continue to be supported
      properly by the new release. If the information is not clear, contact
      the Cisco Technical Assistance Center (TAC) or your contracted
      maintenance provider for assistance.
      
      Cisco IOS Software
      
      Each row of the Cisco IOS software table (below) names a Cisco IOS
      release train. If a given release train is vulnerable, then the
      earliest possible releases that contain the fix (along with the
      anticipated date of availability for each, if applicable) are listed
      in the "First Fixed Release" column of the table. The "Recommended
      Release" column indicates the releases which have fixes for all the
      published vulnerabilities at the time of this Advisory. A device
      running a release in the given train that is earlier than the release
      in a specific column (less than the First Fixed Release) is known to
      be vulnerable. Cisco recommends upgrading to a release equal to or
      later than the release in the "Recommended Releases" column of the
      table.
      
      +-----------------------------------------+
      |   Major    |  Availability of Repaired  |
      |  Release   |          Releases          |
      |------------+----------------------------|
      |  Affected  | First Fixed  | Recommended |
      | 12.0-Based |   Release    |   Release   |
      |  Releases  |              |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0       | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0DA     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.0DB     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0DC     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            |              | 12.0(33)S5  |
      |            |              |             |
      |            | 12.0(33)S3   | 12.0(32)    |
      | 12.0S      |              | S14;        |
      |            | 12.0(32)S12  | Available   |
      |            |              | on          |
      |            |              | 25-SEP-2009 |
      |------------+--------------+-------------|
      |            |              | 12.0(33)S5  |
      |            |              |             |
      |            | Vulnerable;  | 12.0(32)    |
      | 12.0SC     | first fixed  | S14;        |
      |            | in 12.0S     | Available   |
      |            |              | on          |
      |            |              | 25-SEP-2009 |
      |------------+--------------+-------------|
      |            |              | 12.0(33)S5  |
      |            |              |             |
      |            | Vulnerable;  | 12.0(32)    |
      | 12.0SL     | first fixed  | S14;        |
      |            | in 12.0S     | Available   |
      |            |              | on          |
      |            |              | 25-SEP-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0SP     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            |              | 12.0(33)S5  |
      |            |              |             |
      |            | Vulnerable;  | 12.0(32)    |
      | 12.0ST     | first fixed  | S14;        |
      |            | in 12.0S     | Available   |
      |            |              | on          |
      |            |              | 25-SEP-2009 |
      |------------+--------------+-------------|
      |            |              | 12.0(33)S5  |
      |            |              |             |
      |            | Vulnerable;  | 12.0(32)    |
      | 12.0SX     | first fixed  | S14;        |
      |            | in 12.0S     | Available   |
      |            |              | on          |
      |            |              | 25-SEP-2009 |
      |------------+--------------+-------------|
      |            | 12.0(32)SY8  | 12.0(32)    |
      |            |              | SY9a        |
      |            | 12.0(32)SY9a |             |
      | 12.0SY     |              | 12.0(32)    |
      |            | 12.0(32)SY10 | SY10;       |
      |            | ; Available  | Available   |
      |            | on           | on          |
      |            | 25-SEP-2009  | 25-SEP-2009 |
      |------------+--------------+-------------|
      |            |              | 12.0(33)S5  |
      |            |              |             |
      |            |              | 12.0(32)    |
      | 12.0SZ     | 12.0(30)SZ10 | S14;        |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 25-SEP-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0T      | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.0W      | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      | 12.0WC     | first fixed  |             |
      |            | in 12.4T     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0WT     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XA     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XB     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XC     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XD     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XE     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      | 12.0XF     | first fixed  |             |
      |            | in 12.4      |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XG     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XH     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(25b)   |
      | 12.0XI     | first fixed  |             |
      |            | in 12.4      | 12.4(23b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XJ     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XK     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XL     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XM     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XN     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XQ     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.0XR     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.0XS     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XT     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.0XV     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |  Affected  | First Fixed  | Recommended |
      | 12.1-Based |   Release    |   Release   |
      |  Releases  |              |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1       | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1AA     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.1AX     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.1(22)    |
      | 12.1AY     | first fixed  | EA13        |
      |            | in 12.1EA    |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.1(22)    |
      | 12.1AZ     | first fixed  | EA13        |
      |            | in 12.1EA    |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1CX     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1DA     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1DB     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1DC     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.1E      | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      | 12.1EA     | 12.1(22)EA13 | 12.1(22)    |
      |            |              | EA13        |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.1EB     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.1EC     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.1EO     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.1EU     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1EV     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1EW     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1EX     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      | 12.1EY     | 12.2(44)EY   | 12.2(46)EY  |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1EZ     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1GA     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1GB     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1T      | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XA     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XB     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XC     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XD     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XE     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XF     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XG     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XH     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XI     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XJ     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XL     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XM     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XP     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XQ     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XR     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.1XS     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XT     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XU     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XV     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XW     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XX     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XY     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1XZ     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1YA     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1YB     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1YC     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1YD     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.1YE     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1YF     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.1YH     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.1YI     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.1(22)    |
      | 12.1YJ     | first fixed  | EA13        |
      |            | in 12.1EA    |             |
      |------------+--------------+-------------|
      |  Affected  | First Fixed  | Recommended |
      | 12.2-Based |   Release    |   Release   |
      |  Releases  |              |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2       | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2B      | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2BC     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2BW     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2BX     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2BY     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2BZ     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2CX     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2CY     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            |              | 12.2(28)    |
      |            | Vulnerable;  | SB14;       |
      | 12.2CZ     | first fixed  | Available   |
      |            | in 12.2SB    | on          |
      |            |              | 20-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(25b)   |
      | 12.2DA     | 12.2(12)DA14 |             |
      |            |              | 12.4(23b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2DD     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2DX     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2EW     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2EWA    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2EX     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Releases     |             |
      |            | prior to     |             |
      |            | 12.2(44)EY   | 12.2(50)SE3 |
      |            | are          |             |
      | 12.2EY     | vulnerable,  | 12.2(52)SE; |
      |            | release 12.2 | Available   |
      |            | (44)EY and   | on          |
      |            | later are    | 13-OCT-2009 |
      |            | not          |             |
      |            | vulnerable   |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2EZ     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2FX     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2FY     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2FZ     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2IRA    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2IRB    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      | 12.2IRC    | 12.2(33)IRC  |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      | 12.2IXA    | migrate to   |             |
      |            | any release  |             |
      |            | in 12.2IXH   |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      | 12.2IXB    | migrate to   |             |
      |            | any release  |             |
      |            | in 12.2IXH   |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      | 12.2IXC    | migrate to   |             |
      |            | any release  |             |
      |            | in 12.2IXH   |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      | 12.2IXD    | migrate to   |             |
      |            | any release  |             |
      |            | in 12.2IXH   |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      | 12.2IXE    | migrate to   |             |
      |            | any release  |             |
      |            | in 12.2IXH   |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      | 12.2IXF    | migrate to   |             |
      |            | any release  |             |
      |            | in 12.2IXH   |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      | 12.2IXG    | migrate to   |             |
      |            | any release  |             |
      |            | in 12.2IXH   |             |
      |------------+--------------+-------------|
      | 12.2IXH    | 12.2(18)IXH  |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2JA     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2JK     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2MB     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            |              | 12.4(25b)   |
      | 12.2MC     | 12.2(15)MC2m |             |
      |            |              | 12.4(23b)   |
      |------------+--------------+-------------|
      |            |              | 12.2(28)    |
      |            | Vulnerable;  | SB14;       |
      | 12.2S      | first fixed  | Available   |
      |            | in 12.2SB    | on          |
      |            |              | 20-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.2(31)    |
      |            | 12.2(28)SB13 | SB16        |
      |            |              |             |
      |            | 12.2(31)SB14 | 12.2(28)    |
      | 12.2SB     |              | SB14;       |
      |            | 12.2(33)SB1b | Available   |
      |            |              | on          |
      |            | 12.2(34)SB2  | 20-OCT-2009 |
      |            |              |             |
      |            |              | 12.2(33)SB7 |
      |------------+--------------+-------------|
      |            |              | 12.2(28)    |
      |            | Vulnerable;  | SB14;       |
      | 12.2SBC    | first fixed  | Available   |
      |            | in 12.2SB    | on          |
      |            |              | 20-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SCA    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      | 12.2SCB    | 12.2(33)SCB1 | 12.2(33)    |
      |            |              | SCB4        |
      |------------+--------------+-------------|
      |            | 12.2(44)SE5  | 12.2(50)SE3 |
      |            |              |             |
      | 12.2SE     | 12.2(46)SE2  | 12.2(52)SE; |
      |            |              | Available   |
      |            | 12.2(50)SE   | on          |
      |            |              | 13-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SEA    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SEB    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SEC    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SED    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SEE    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SEF    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SEG    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      | 12.2SG     | 12.2(50)SG   | 12.2(53)SG1 |
      |------------+--------------+-------------|
      |            |              | 12.2(31)    |
      |            |              | SGA11;      |
      | 12.2SGA    | 12.2(31)SGA9 | Available   |
      |            |              | on          |
      |            |              | 04-DEC-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2SL     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Releases     |             |
      |            | prior to     |             |
      |            | 12.2(29)SM5  |             |
      |            | are          |             |
      | 12.2SM     | vulnerable,  | 12.2(29)SM5 |
      |            | release 12.2 |             |
      |            | (29)SM5 and  |             |
      |            | later are    |             |
      |            | not          |             |
      |            | vulnerable   |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SO     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      | 12.2SQ     | 12.2(44)SQ2  |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SRA    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            |              | 12.2(33)    |
      |            |              | SRD3        |
      |            |              |             |
      | 12.2SRB    | 12.2(33)     | 12.2(33)    |
      |            | SRB5a        | SRC5;       |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 29-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.2(33)    |
      |            |              | SRC5;       |
      | 12.2SRC    | 12.2(33)SRC3 | Available   |
      |            |              | on          |
      |            |              | 29-OCT-2009 |
      |------------+--------------+-------------|
      | 12.2SRD    | 12.2(33)SRD1 | 12.2(33)    |
      |            |              | SRD3        |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2STE    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2SU     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SV     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SVA    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SVC    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2SVD    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      | 12.2SVE    | 12.2(29)SVE1 |             |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.2SW     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization | 12.2(18)    |
      |            | per the      | SXF17;      |
      | 12.2SX     | instructions | Available   |
      |            | in Obtaining | on          |
      |            | Fixed        | 30-SEP-2009 |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization | 12.2(18)    |
      |            | per the      | SXF17;      |
      | 12.2SXA    | instructions | Available   |
      |            | in Obtaining | on          |
      |            | Fixed        | 30-SEP-2009 |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization | 12.2(18)    |
      |            | per the      | SXF17;      |
      | 12.2SXB    | instructions | Available   |
      |            | in Obtaining | on          |
      |            | Fixed        | 30-SEP-2009 |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization | 12.2(18)    |
      |            | per the      | SXF17;      |
      | 12.2SXD    | instructions | Available   |
      |            | in Obtaining | on          |
      |            | Fixed        | 30-SEP-2009 |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization | 12.2(18)    |
      |            | per the      | SXF17;      |
      | 12.2SXE    | instructions | Available   |
      |            | in Obtaining | on          |
      |            | Fixed        | 30-SEP-2009 |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            |              | 12.2(18)    |
      |            | 12.2(18)     | SXF17;      |
      | 12.2SXF    | SXF16        | Available   |
      |            |              | on          |
      |            |              | 30-SEP-2009 |
      |------------+--------------+-------------|
      |            |              | 12.2(33)    |
      |            |              | SXH6;       |
      | 12.2SXH    | 12.2(33)SXH5 | Available   |
      |            |              | on          |
      |            |              | 30-OCT-2009 |
      |------------+--------------+-------------|
      | 12.2SXI    | 12.2(33)SXI1 | 12.2SXI2a   |
      |------------+--------------+-------------|
      |            |              | 12.2(28)    |
      |            | Vulnerable;  | SB14;       |
      | 12.2SY     | first fixed  | Available   |
      |            | in 12.2SB    | on          |
      |            |              | 20-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.2(28)    |
      |            | Vulnerable;  | SB14;       |
      | 12.2SZ     | first fixed  | Available   |
      |            | in 12.2SB    | on          |
      |            |              | 20-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2T      | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2TPC    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(25b)   |
      | 12.2XA     | first fixed  |             |
      |            | in 12.4      | 12.4(23b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XB     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XC     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XD     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XE     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XF     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XG     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XH     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XI     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XJ     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XK     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XL     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XM     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2XN     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Please see   |             |
      | 12.2XNA    | Cisco IOS-XE |             |
      |            | Software     |             |
      |            | Availability |             |
      |------------+--------------+-------------|
      |            | Please see   |             |
      | 12.2XNB    | Cisco IOS-XE |             |
      |            | Software     |             |
      |            | Availability |             |
      |------------+--------------+-------------|
      |            | Please see   |             |
      | 12.2XNC    | Cisco IOS-XE |             |
      |            | Software     |             |
      |            | Availability |             |
      |------------+--------------+-------------|
      |            | Please see   |             |
      | 12.2XND    | Cisco IOS-XE |             |
      |            | Software     |             |
      |            | Availability |             |
      |------------+--------------+-------------|
      |            |              |             |
      |------------+--------------+-------------|
      |            |              | 12.2(50)    |
      |            |              | SG5;        |
      | 12.2XO     | 12.2(52)XO   | Available   |
      |            |              | on          |
      |            |              | 28-SEP-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XQ     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XR     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XS     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XT     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XU     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XV     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2XW     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2YA     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YB     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YC     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YD     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YE     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YF     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YG     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YH     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YJ     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YK     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YL     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2YM     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YN     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YO     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.2YP     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YQ     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YR     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YS     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YT     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YU     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YV     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YW     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YX     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YY     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2YZ     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization | 12.2(18)    |
      |            | per the      | SXF17;      |
      | 12.2ZA     | instructions | Available   |
      |            | in Obtaining | on          |
      |            | Fixed        | 30-SEP-2009 |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2ZB     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2ZC     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2ZD     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2ZE     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2ZF     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2ZG     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2ZH     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2ZJ     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2ZL     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.2ZM     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2ZP     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2ZU     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            |              | 12.2(28)    |
      |            | Vulnerable;  | SB14;       |
      | 12.2ZX     | first fixed  | Available   |
      |            | in 12.2SB    | on          |
      |            |              | 20-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.2ZY     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      | 12.2ZYA    | 12.2(18)ZYA1 | 12.2(18)    |
      |            |              | ZYA2        |
      |------------+--------------+-------------|
      |  Affected  | First Fixed  | Recommended |
      | 12.3-Based |   Release    |   Release   |
      |  Releases  |              |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(25b)   |
      | 12.3       | first fixed  |             |
      |            | in 12.4      | 12.4(23b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(25b)   |
      | 12.3B      | first fixed  |             |
      |            | in 12.4      | 12.4(23b)   |
      |------------+--------------+-------------|
      |            | 12.3(21a)BC9 | 12.3(21a)   |
      | 12.3BC     |              | BC9         |
      |            | 12.3(23)BC6  |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3BW     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.3EU     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.3JA     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.3JEA    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.3JEB    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      | 12.3JEC    | 12.3(8)JEC3  |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.3JED    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3JK     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.3JL     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.3JX     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3T      | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.3TPC    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.3VA     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XA     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.3XB     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XC     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XD     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XE     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.3XF     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XG     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.2(33)SB7 |
      | 12.3XI     | first fixed  |             |
      |            | in 12.2SB    | 12.2(31)    |
      |            |              | SB16        |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(15)XR7 |
      | 12.3XJ     | first fixed  |             |
      |            | in 12.4XR    | 12.4(22)XR  |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XK     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XL     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XQ     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XR     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XS     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.3XU     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(15)XR7 |
      | 12.3XW     | first fixed  |             |
      |            | in 12.4XR    | 12.4(22)XR  |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XX     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XY     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3XZ     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3YA     | first fixed  |             |
      |            | in 12.4      | 12.4(25b)   |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.3YD     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(15)XR7 |
      | 12.3YF     | first fixed  |             |
      |            | in 12.4XR    | 12.4(22)XR  |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.3YG     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.3YH     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.3YI     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.3YJ     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.3YK     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(23b)   |
      | 12.3YM     | 12.3(14)YM13 |             |
      |            |              | 12.4(25b)   |
      |------------+--------------+-------------|
      |            | Vulnerable;  | 12.4(23b)   |
      | 12.3YQ     | first fixed  |             |
      |            | in 12.4T     | 12.4(25b)   |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.3YS     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.3YT     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.3YU     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)XR7 |
      | 12.3YX     | 12.3(14)YX14 |             |
      |            |              | 12.4(22)XR  |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.3YZ     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.3ZA     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |  Affected  | First Fixed  | Recommended |
      | 12.4-Based |   Release    |   Release   |
      |  Releases  |              |             |
      |------------+--------------+-------------|
      |            | 12.4(18d)    |             |
      |            |              | 12.4(25b)   |
      | 12.4       | 12.4(23a)    |             |
      |            |              | 12.4(23b)   |
      |            | 12.4(25)     |             |
      |------------+--------------+-------------|
      |            | 12.4(22)GC1  |             |
      | 12.4GC     |              | 12.4(24)GC1 |
      |            | 12.4(24)GC1  |             |
      |------------+--------------+-------------|
      |            | 12.4(16b)JA1 |             |
      | 12.4JA     |              |             |
      |            | 12.4(21a)JA  |             |
      |------------+--------------+-------------|
      | 12.4JDA    | 12.4(10b)    |             |
      |            | JDA3         |             |
      |------------+--------------+-------------|
      | 12.4JDC    | 12.4(10b)JDC |             |
      |------------+--------------+-------------|
      | 12.4JDD    | 12.4(10b)JDD |             |
      |------------+--------------+-------------|
      | 12.4JK     | 12.4(3)JK4   |             |
      |------------+--------------+-------------|
      | 12.4JL     | 12.4(3)JL1   |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.4JMA    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.4JMB    | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      | 12.4JX     | 12.4(21a)JX  |             |
      |------------+--------------+-------------|
      |            | 12.4(11)MD7  | 12.4(11)MD9 |
      |            |              |             |
      | 12.4MD     | 12.4(15)MD2  | 12.4(15)MD3 |
      |            |              |             |
      |            | 12.4(22)MD   | 12.4(22)MD1 |
      |------------+--------------+-------------|
      | 12.4MDA    | 12.4(22)MDA  | 12.4(22)    |
      |            |              | MDA1        |
      |------------+--------------+-------------|
      | 12.4MR     | 12.4(19)MR2  | 12.4(19)MR3 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            |              |             |
      | 12.4SW     | 12.4(15)SW3  | 12.4(22)T3  |
      |            |              |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | 12.4(5)T5e   | 12.4(15)T10 |
      |            |              |             |
      |            | 12.4(15)T6a  | 12.4(20)T4  |
      |            |              |             |
      | 12.4T      | 12.4(22)T1   | 12.4(22)T3  |
      |            |              |             |
      |            | 12.4(20)T2   | 12.4(24)T2; |
      |            |              | Available   |
      |            | 12.4(24)T    | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.4XA     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.4XB     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.4XC     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            |              |             |
      | 12.4XD     | 12.4(4)XD12  | 12.4(22)T3  |
      |            |              |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            |              |             |
      | 12.4XE     | 12.4(6)XE4   | 12.4(22)T3  |
      |            |              |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.4XF     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            |              |             |
      | 12.4XG     | 12.4(9)XG4   | 12.4(22)T3  |
      |            |              |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.4XJ     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.4XK     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      | 12.4XL     | 12.4(15)XL4  |             |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            |              |             |
      | 12.4XM     | 12.4(15)XM3  | 12.4(22)T3  |
      |            |              |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.4XN     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.4XP     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            |              |             |
      | 12.4XQ     | 12.4(15)XQ2  | 12.4(22)T3  |
      |            |              |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | 12.4(15)XR4  |             |
      | 12.4XR     |              | 12.4(15)XR7 |
      |            | 12.4(22)XR   |             |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            | Vulnerable;  |             |
      | 12.4XT     | first fixed  | 12.4(22)T3  |
      |            | in 12.4T     |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            | Vulnerable;  |             |
      |            | Contact your |             |
      |            | support      |             |
      |            | organization |             |
      |            | per the      |             |
      | 12.4XV     | instructions |             |
      |            | in Obtaining |             |
      |            | Fixed        |             |
      |            | Software     |             |
      |            | section of   |             |
      |            | this         |             |
      |            | advisory     |             |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            |              |             |
      | 12.4XW     | 12.4(11)XW10 | 12.4(22)T3  |
      |            |              |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(20)T4  |
      |            |              |             |
      |            |              | 12.4(22)T3  |
      | 12.4XY     | 12.4(15)XY4  |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            |              |             |
      | 12.4XZ     | 12.4(15)XZ2  | 12.4(22)T3  |
      |            |              |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      |            |              | 12.4(15)T10 |
      |            |              |             |
      |            |              | 12.4(20)T4  |
      |            |              |             |
      | 12.4YA     | 12.4(20)YA2  | 12.4(22)T3  |
      |            |              |             |
      |            |              | 12.4(24)T2; |
      |            |              | Available   |
      |            |              | on          |
      |            |              | 23-OCT-2009 |
      |------------+--------------+-------------|
      | 12.4YB     | 12.4(22)YB   | 12.4(22)YB4 |
      |------------+--------------+-------------|
      | 12.4YD     | 12.4(22)YD   | 12.4(22)YD1 |
      |------------+--------------+-------------|
      | 12.4YE     | 12.4(22)YE   | 12.4(22)YE1 |
      +-----------------------------------------+
      
      Cisco IOS-XE Software
      
      +---------------------------------------+
      | IOS-XE Release | First Fixed Release  |
      |----------------+----------------------|
      | 2.1.x          | 2.2.3                |
      |----------------+----------------------|
      | 2.2.x          | 2.2.3                |
      |----------------+----------------------|
      | 2.3.x          | Not Vulnerable       |
      |----------------+----------------------|
      | 2.4.x          | Not Vulnerable       |
      +---------------------------------------+
      
      Cisco CatOS Software
      
      +---------------------------------------+
      |     Affected     |    First Fixed     |
      |     Releases     |      Release       |
      |------------------+--------------------|
      | 7.x              | 7.6(24a)           |
      |------------------+--------------------|
      | 8.x              | 8.7(2a)            |
      +---------------------------------------+
      
      Cisco ASA and Cisco PIX Software
      
      +---------------------------------------+
      |     Affected     |    First Fixed     |
      |     Releases     |      Release       |
      |------------------+--------------------|
      | 7.0              | 7.0(8.6)           |
      |------------------+--------------------|
      | 7.1              | 7.1(2.81)          |
      |------------------+--------------------|
      | 7.2              | 7.2(4.30)          |
      |------------------+--------------------|
      | 8.0              | 8.0(4.28)          |
      |------------------+--------------------|
      | 8.1              | 8.1(2.19)          |
      |------------------+--------------------|
      | 8.2              | Not Vulnerable     |
      +---------------------------------------+
      
      Cisco NX-OS Software
      
      +---------------------------------------+
      |     Affected     |    First Fixed     |
      |     Releases     |      Release       |
      |------------------+--------------------|
      | Cisco Nexus 5000 | 4.0(1a)N2(1)       |
      |------------------+--------------------|
      | Cisco Nexus 7000 | 4.1(4)             |
      +---------------------------------------+
      
      Workarounds
      ===========
      
      It is possible to mitigate these vulnerabilities with the following
      workarounds.
      
      Cisco IOS Software
      
      The Cisco Guide to Harden Cisco IOS Devices provides examples of many
      useful techniques to mitigate against the TCP state manipulation
      vulnerabilities. These include:
      
        * Infrastructure Access Control Lists (iACL)
        * Receive Access Control Lists (rACL)
        * Transit Access Control Lists (tACL)
        * VTY Access Control Lists
        * Control Plane Policing (CoPP)
        * Control Plane Protection (CPPr)
        * Management Plane Policing (MPP)
      
      For more information on the topics listed above, consult the Cisco
      Guide to Harden Cisco IOS Devices at the following link:
      
      http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
      
      Cisco CatOS Software
      
      Cisco CatOS software provides VLAN Access Control Lists (VACL) to
      mitigate against the TCP state manipulation vulnerabilities. For more
      information on configuring VACLs on CatOS 7.x software versions,
      please consult the following link:
      
      http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/7.x/configuration/guide/acc_list.html
      
      For more information on configuring VACLs on CatOS 8.x software
      versions, please consult the following link:
      
      http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/acc_list.html
      
      Cisco ASA and Cisco PIX Software
      
      Cisco ASA and Cisco PIX Software provide a method to expire stalled
      half-closed TCP connections that helps mitigate against the TCP state
      manipulation vulnerabilities. This method protects against attacks
      directed to a firewall and devices protected by a firewall. The 
      "timeout half-closed" command will expire TCP sessions that have
      remained in a half-closed state beyond a user-configured timeout.
      
          FIREWALL(config)# timeout half-closed 0:5:0
      
      This command will set the TCP half-closed timeout to the smallest
      permitted value of five minutes. For more information on the TCP
      half-closed timeout, please consult the following link:
      
      http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/t.html#wp1500148
      
      Cisco Nexus Software
      
      Cisco Nexus software provides several ACL methods to mitigate against
      the TCP state manipulation vulnerabilities. For more information on
      configuring ACLs on Nexus 5000 systems, please consult the following
      link:
      
      http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/sec_ipacls.html
      
      For more information on configuring ACLs on Nexus 7000 systems,
      please consult the following link:
      
      http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg.html
      
      Cisco Applied Mitigation Bulletin
      
      Additional mitigations that can be deployed on Cisco devices within
      the network are available in the Cisco Applied Mitigation Bulletin
      companion document for this advisory, which is available at the
      following link:
      
      http://www.cisco.com/warp/public/707/cisco-amb-20090908-tcp24.shtml
      
      Obtaining Fixed Software
      ========================
      
      Cisco has released free software updates that address these
      vulnerabilities. Prior to deploying software, customers should
      consult their maintenance provider or check the software for feature
      set compatibility and known issues specific to their environment.
      
      Customers may only install and expect support for the feature sets
      they have purchased. By installing, downloading, accessing or
      otherwise using such software upgrades, customers agree to be bound
      by the terms of Cisco's software license terms found at:
      
      http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
      
      or as otherwise set forth at Cisco.com Downloads at:
      
      http://www.cisco.com/public/sw-center/sw-usingswc.shtml
      
      Do not contact psirt at cisco dot com or security-alert at cisco dot com for
      software upgrades.
      
      Customers with Service Contracts
      +-------------------------------
      
      Customers with contracts should obtain upgraded software through
      their regular update channels. For most customers, this means that
      upgrades should be obtained through the Software Center on Cisco's
      worldwide website at:
      
      http://www.cisco.com
      
      Customers using Third Party Support Organizations
      +------------------------------------------------
      
      Customers whose Cisco products are provided or maintained through
      prior or existing agreements with third-party support organizations,
      such as Cisco Partners, authorized resellers, or service providers
      should contact that support organization for guidance and assistance
      with the appropriate course of action in regards to this advisory.
      
      The effectiveness of any workaround or fix is dependent on specific
      customer situations, such as product mix, network topology, traffic
      behavior, and organizational mission. Due to the variety of affected
      products and releases, customers should consult with their service
      provider or support organization to ensure any applied workaround or
      fix is the most appropriate for use in the intended network before it
      is deployed.
      
      Customers without Service Contracts
      +----------------------------------
      
      Customers who purchase direct from Cisco but do not hold a Cisco
      service contract, and customers who purchase through third-party
      vendors but are unsuccessful in obtaining fixed software through
      their point of sale should acquire upgrades by contacting the Cisco
      Technical Assistance Center (TAC). TAC contacts are as follows.
      
        * +1 800 553 2447 (toll free from within North America)
        * +1 408 526 7209 (toll call from anywhere in the world)
        * e-mail: tac at cisco dot com
      
      Customers should have their product serial number available and be
      prepared to give the URL of this notice as evidence of entitlement to
      a free upgrade. Free upgrades for non-contract customers must be
      requested through the TAC.
      
      Refer to:
      http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
      
      for additional TAC contact information, including localized telephone
      numbers, and instructions and e-mail addresses for use in various
      languages.
      
      Exploitation and Public Announcements
      =====================================
      
      The Cisco PSIRT is not aware of any public announcements or malicious
      use of the vulnerability described in this advisory.
      
      The TCP state manipulation vulnerabilities were reported to Cisco by
      Robert E. Lee and Jack Louis of Outpost24. The Cisco Nexus 5000
      vulnerability was discovered by Cisco.
      
      Status of this Notice: FINAL
      ============================
      
      THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
      KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
      MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
      INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
      AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
      DOCUMENT AT ANY TIME.
      
      A stand-alone copy or Paraphrase of the text of this document that
      omits the distribution URL in the following section is an
      uncontrolled copy, and may lack important information or contain
      factual errors.
      
      Distribution
      ============
      
      This advisory is posted on Cisco's worldwide website at:
      
      http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml
      
      In addition to worldwide web posting, a text version of this notice
      is clear-signed with the Cisco PSIRT PGP key and is posted to the
      following e-mail and Usenet news recipients.
      
        * cust-security-announce at cisco dot com
        * first-bulletins at lists dot first dot org
        * bugtraq at securityfocus dot com
        * vulnwatch at vulnwatch dot org
        * cisco at spot dot colorado dot edu
        * cisco-nsp at puck dot nether dot net
        * full-disclosure at lists.grok dot org dot uk
        * comp.dcom.sys.cisco at newsgate dot cisco dot com
      
      Future updates of this advisory, if any, will be placed on Cisco's
      worldwide website, but may or may not be actively announced on
      mailing lists or newsgroups. Users concerned about this problem are
      encouraged to check the above URL for any updates.
      
      Revision History
      ================
      
      +----------------------------------------+
      | Revision |                   | Initial |
      | 1.0      | 2009-September-08 | public  |
      |          |                   | release |
      +----------------------------------------+
      
      Cisco Security Procedures
      =========================
      
      Complete information on reporting security vulnerabilities in Cisco
      products, obtaining assistance with security incidents, and
      registering to receive security information from Cisco, is available
      on Cisco's worldwide website at:
      
      http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
      
      This includes instructions for press inquiries regarding Cisco
      security notices. All Cisco security advisories are available at:
      
      http://www.cisco.com/go/psirt
      -----BEGIN PGP SIGNATURE-----
      
      iD8DBQFKpmqc86n/Gc8U/uARArnQAJ4iK9a4jII3ItWKUvAVgQo0N6KAfgCcDc1i
      05+ITgtJJF8WI4iOrovU2Ik=
      =cUrI
      -----END PGP SIGNATURE-----