Check: CACI-ND-000011
Cisco ACI NDM STIG: CACI-ND-000011 (in version v1 r0.1)
Title
The Cisco ACI must be running an operating system release that is currently supported by the vendor. (Cat I impact)
Discussion
Cisco ACIs running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
Check Content
To view the complete versions included in all the components of the fabric (APIC controllers, leaf switches, and spine switches), from the CLI, type:

    apic1# configure
    apic1(config)# firmware
    apic1(config-firmware)# show version

Refer to the Cisco APIC Upgrade/Downgrade Support Matrix for Cisco APIC upgrade and downgrade paths, available here: https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/apicmatrix/index.html

If the Cisco ACI fabric, leaf switches, or APIC components have an operating system release that is not currently supported by the vendor, this is a finding.
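The check above is manual: read the version table and compare each row against the support matrix. The following Python is an added example (not Cisco or DISA material) that automates the comparison for a saved copy of the `show version` table. The sample output is constructed to follow the APIC CLI's column layout with made-up hostnames and versions, and the supported-release sets are placeholders; populate them from the support matrix linked above for the fabric being assessed. Controllers and switches print different version strings (for example 5.2(8h) versus n9000-15.2(8h)), so the allow-list is kept per device class. Empty or unparseable output is treated as a finding rather than as evidence of compliance.

```python
"""Flag ACI nodes running a release that is not on the supported list.

Added example for CACI-ND-000011; not Cisco or DISA code. The release sets
are placeholders to be filled from the Cisco APIC Upgrade/Downgrade Support
Matrix for the fabric being assessed.
"""
import re
from typing import Dict, List, NamedTuple, Set


class NodeVersion(NamedTuple):
    role: str      # controller | leaf | spine
    pod: int
    node: int
    name: str
    version: str   # as printed, e.g. 5.2(8h) or n9000-15.2(8h)


# Constructed sample in the APIC CLI's column layout; hostnames and versions
# are made up for this example.
SAMPLE_SHOW_VERSION = """\
 Role        Pod         Node        Name                      Version
 ----------  ----------  ----------  ------------------------  --------------------
 controller  1           1           apic1                     5.2(8h)
 controller  1           2           apic2                     5.2(8h)
 controller  1           3           apic3                     5.2(8h)
 leaf        1           101         leaf101                   n9000-15.2(8h)
 leaf        1           102         leaf102                   n9000-14.2(7f)
 spine       1           201         spine201                  n9000-15.2(8h)
"""

# Assumed supported releases (placeholders for the support matrix). Controller
# and switch images use different version strings, so track them separately.
SUPPORTED_RELEASES: Dict[str, Set[str]] = {
    "controller": {"5.2(8h)", "6.0(3e)"},
    "switch": {"n9000-15.2(8h)", "n9000-16.0(3e)"},
}

# One data row: role, pod, node id, hostname, version. Header and separator
# rows do not start with a role keyword and are skipped.
ROW_RE = re.compile(
    r"^\s*(controller|leaf|spine)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_show_version(text: str) -> List[NodeVersion]:
    """Return one NodeVersion per data row of a `show version` table."""
    nodes: List[NodeVersion] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            role, pod, node, name, version = m.groups()
            nodes.append(NodeVersion(role, int(pod), int(node), name, version))
    return nodes


def release_class(role: str) -> str:
    """Map the role column onto the key used in SUPPORTED_RELEASES."""
    return "controller" if role == "controller" else "switch"


def unsupported_nodes(
    nodes: List[NodeVersion],
    supported: Dict[str, Set[str]] = SUPPORTED_RELEASES,
) -> List[NodeVersion]:
    """Nodes whose printed version is not in the allow-list for their class."""
    return [n for n in nodes if n.version not in supported[release_class(n.role)]]


def assess(
    text: str, supported: Dict[str, Set[str]] = SUPPORTED_RELEASES
) -> Dict[str, object]:
    """Evaluate CACI-ND-000011 against captured `show version` output.

    An empty or unparseable capture is reported as a finding: absence of
    version data is not evidence that the fabric is on a supported release.
    """
    nodes = parse_show_version(text)
    findings = unsupported_nodes(nodes, supported)
    return {
        "nodes_checked": len(nodes),
        "findings": findings,
        "is_finding": bool(findings) or not nodes,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_SHOW_VERSION)
    for n in result["findings"]:
        print(f"FINDING: {n.role} node {n.node} ({n.name}) runs {n.version}")
    print("CACI-ND-000011:", "Open" if result["is_finding"] else "NotAFinding")
```

In practice, replace SAMPLE_SHOW_VERSION with the captured CLI output and keep SUPPORTED_RELEASES in version control alongside the date the support matrix was consulted, since a release that is supported at assessment time will eventually reach end of support.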
Fix Text
Refer to the Cisco APIC Upgrade/Downgrade Support Matrix for Cisco APIC upgrade and downgrade paths, and upgrade the APIC cluster and fabric switches to a release that the vendor currently supports. A software maintenance upgrade (SMU) patch applies targeted fixes on top of a supported release; the procedures for installing one follow.

Installing a Cisco APIC Software Maintenance Upgrade Patch Using the GUI

Use the following procedure to install an SMU patch on a Cisco APIC:
1. Add the firmware image that corresponds to the SMU patch to the Cisco APIC. The patch will be listed along with any other firmware images (SMU patches and otherwise).
2. Set up a controller firmware update. On the Version Selection screen, for the Update Type, choose "Software Maintenance Upgrade (Install)", then choose the SMU patch in the Select Firmware section.

Installing a Switch Software Maintenance Upgrade Patch Using the GUI

SMU patch installation or uninstallation uses the same update group as a regular firmware upgrade. Because one node can belong to only one update group, when an SMU patch is applied to a specific node, remove that node from the existing group and create a new group dedicated to that node so that other nodes are not impacted. When performing a regular firmware upgrade for the entire fabric, delete the dedicated update group used for the SMU patch installation and add the node back to one of the original groups. If all the nodes in the existing group need the SMU patch, reuse the same update group without creating a new one.
1. Add the firmware image that corresponds to the SMU patch to the Cisco APIC. The Cisco APIC lists the patch along with any other firmware images (SMU patches and otherwise).
2. Set up a node firmware update. On the Version Selection screen, for the Update Type, choose "Software Maintenance Upgrade (Install)", then choose the SMU patch in the Select Firmware section. Click "Begin Download" in the Confirmation screen to download the patch to the selected switches. The Firmware Updates tab in the Work pane displays.
3. In the Work pane, click the upgrade group created. The Node Firmware Update dialog displays with information for the upgrade group.
4. When the status for the switches is "Ready to Install", click "Actions" and choose one of the following:
   Install and Reload: The switches reboot after the SMU patch is installed. Choose this action when installing only one SMU patch, or when installing the final patch of several.
   Install and Skip Reload: The switches do not reboot after the SMU patch is installed. Choose this action when installing multiple SMU patches and this patch is not the final one. Repeat this entire procedure for each additional patch, choosing Install and Skip Reload until the final patch, for which choose Install and Reload. Optionally, choose "Install and Skip Reload" for the final patch as well and manually reboot the switch after it is installed.
Additional Identifiers
Rule ID: SV-271926r1067443_rule
Vulnerability ID: V-271926
Group Title: SRG-APP-000516-NDM-000351
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | Implement the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings