Shortly after the OpenSSL Heartbleed vulnerability was published, Cisco announced that Cisco ASA was NOT affected by Heartbleed because it runs an older version of OpenSSL.
Today, 2014-04-25, Cisco updated its Feature-list of Cisco ASA software versions with the long-awaited v9.2.
But w000t? From now on Cisco ASA runs OpenSSL v1.0.1e (which IS affected by Heartbleed)! What's happening, Cisco?
Edit: I posted this and sent the URL to one of my contacts at Cisco. Less than 2 hours later Cisco added a note to the Release Notes:
So, Cisco did NOT add Heartbleed as a new feature in ASA v9.2. My guess is that they upgraded to 1.0.1e in a beta of 9.2 and became aware of Heartbleed just days before releasing 9.2. And instead of upgrading OpenSSL to 1.0.1g, they disabled SSL heartbeat.
So what I found was probably a bug in the documentation. 🙂
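An added example, not part of the original post and not Cisco's code: since the OpenSSL version number alone does not settle exposure, one defender-side check is whether the server still advertises the TLS heartbeat extension (type 15, RFC 6520) in its ServerHello. The parser below runs on constructed sample records; `build_server_hello`, `RENEG` and `HB` are hypothetical helpers and values made up for the demonstration.

```python
import struct

HEARTBEAT = 15  # extension type assigned by RFC 6520

def server_hello_extensions(record: bytes) -> dict:
    """Parse one TLS record that starts with a ServerHello; return {ext_type: data}."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    (rec_len,) = struct.unpack_from("!H", record, 3)
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if hs_len < 38 or len(hello) != hs_len or rec_len < hs_len + 4:
        raise ValueError("truncated or fragmented ServerHello")
    pos = 2 + 32                  # server_version + random
    pos += 1 + hello[pos]         # session_id length byte + session_id
    pos += 2 + 1                  # cipher_suite + compression_method
    if pos > len(hello):
        raise ValueError("bad session_id length")
    exts = {}
    if pos == len(hello):         # server sent no extensions block
        return exts
    try:
        (total,) = struct.unpack_from("!H", hello, pos)
        pos += 2
        if pos + total != len(hello):
            raise ValueError("bad extensions length")
        while pos < len(hello):
            etype, elen = struct.unpack_from("!HH", hello, pos)
            pos += 4
            if pos + elen > len(hello):
                raise ValueError("truncated extension")
            exts[etype] = hello[pos:pos + elen]
            pos += elen
    except struct.error as exc:
        raise ValueError("truncated extension header") from exc
    return exts

def offers_heartbeat(record: bytes) -> bool:
    """True if the ServerHello echoes the heartbeat extension."""
    return HEARTBEAT in server_hello_extensions(record)

def build_server_hello(extensions: bytes) -> bytes:
    """Constructed TLS 1.2 ServerHello record, for the demonstration only."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

RENEG = b"\xff\x01\x00\x01\x00"  # constructed renegotiation_info extension
HB = b"\x00\x0f\x00\x01\x01"     # constructed heartbeat, mode 1 (peer_allowed_to_send)
```

A server only echoes the extension when the ClientHello offered it, so a capture used for this check must come from a client that sends the heartbeat extension itself.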
1. If you look at http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html you will find the following:
The version of OpenSSL on the ASA will be updated to version 1.0.1e.
Note: We disabled the heartbeat option, so the ASA is not vulnerable to the Heartbleed Bug.
2. It's not May yet 🙂
Thanks for your comment! When I wrote this post I also notified Cisco, and less than 2 hours later the release notes were updated with this “we disabled the heartbeat option”. Amazing how quick things can happen. 🙂 The link “Feature-list” above gives you a locally stored copy of the release notes where the “disables option” is not mentioned, just as the screenshot above. 🙂
Never mind, the important thing is that the 9.2 release is not vulnerable!