Cisco ASA 5580 Adaptive Security Appliance Release Notes

Release Notes for the Cisco ASA 5500 Series, Version 8.3(x)
OL-18971-01
Important Notes
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability—Multiple vulnerabilities have been fixed for clientless SSL VPN in ASA software, so you should upgrade your software to a fixed version. See details about the vulnerability and a list of fixed ASA versions. Also, if you ever ran an earlier ASA version that had a vulnerable configuration, then regardless of the version you are currently running, you should verify that the portal customization was not compromised. If an attacker compromised a customization object in the past, then the compromised object stays persistent after you upgrade the ASA to a fixed version. Upgrading the ASA prevents this vulnerability from being exploited further, but it will not modify any customization objects that were already compromised and are still present on the system.
(For upgrading from Version 8.2 and earlier to Version 8.3(2) and later) NAT exemption (the nat 0 access-list command) is migrated to a twice NAT rule with the unidirectional keyword. The unidirectional keyword only allows traffic on the source network to initiate connections. This migration change was made to fix CSCtf89372. Upgrading to Version 8.3(1) does not add the unidirectional keyword.
Note
Because NAT exemption is normally bidirectional, you might need to remove the unidirectional keyword to restore the original function. Specifically, this change adversely affects many VPN configurations that include NAT exemption rules (see CSCti36048 for this new issue). To avoid manual intervention, we recommend upgrading to 8.3(1) first, and then upgrading to a later release.
If you are impacted by this issue, you will see a syslog message like the following:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src Outside:192.168.1.5 dst inside:10.10.5.20 (type 8, code 0) denied due to NAT reverse path failure
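After the upgrade, the quickest way to find out which NAT exemption rules need the unidirectional keyword removed is to pull every %ASA-x-305013 message out of the syslog feed and group the hits by interface pair. The following parser is an added example written for these notes, not Cisco code or output from any Cisco tool. It assumes the message text shown above; the TCP/UDP form (address/port endpoints) follows the usual ASA endpoint notation, and the 302013 line in the sample log is constructed as a non-matching distractor.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Pattern for the %ASA-5-305013 message quoted in the release notes. Syslog
# transport headers (timestamp, hostname, facility) vary by collector, so the
# match is anchored on the ASA message ID rather than on the start of the line.
# ASA writes TCP/UDP endpoints as ifc:addr/port and ICMP endpoints as ifc:addr
# followed by "(type T, code C)"; both forms are accepted here.
MSG_305013 = re.compile(
    r"%ASA-(?P<sev>\d)-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[^\s/]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[^\s/]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))? "
    r"denied due to NAT reverse path failure"
)


@dataclass(frozen=True)
class NatReversePathFailure:
    """One connection denied by the asymmetric-NAT (reverse path) check."""
    severity: int
    proto: str
    src_if: str
    src: str
    sport: Optional[int]
    dst_if: str
    dst: str
    dport: Optional[int]
    icmp_type: Optional[int]
    icmp_code: Optional[int]


def parse_305013(line: str) -> Optional[NatReversePathFailure]:
    """Return a parsed record if `line` is a %ASA-x-305013 message, else None."""
    m = MSG_305013.search(line)
    if m is None:
        return None

    def opt_int(name: str) -> Optional[int]:
        value = m.group(name)
        return int(value) if value is not None else None

    return NatReversePathFailure(
        severity=int(m.group("sev")),
        proto=m.group("proto").lower(),
        src_if=m.group("src_if"), src=m.group("src"), sport=opt_int("sport"),
        dst_if=m.group("dst_if"), dst=m.group("dst"), dport=opt_int("dport"),
        icmp_type=opt_int("icmp_type"), icmp_code=opt_int("icmp_code"),
    )


def find_nat_reverse_path_failures(lines: Iterable[str]) -> List[NatReversePathFailure]:
    """Keep only the 305013 records from a stream of raw syslog lines."""
    return [r for r in (parse_305013(line) for line in lines) if r is not None]


def failures_by_interface_pair(records: Iterable[NatReversePathFailure]) -> Dict[Tuple[str, str], int]:
    """Count denials per (source interface, destination interface).

    Each pair that shows up points at a migrated twice NAT rule whose
    unidirectional keyword is blocking the reverse direction.
    """
    return dict(Counter((r.src_if, r.dst_if) for r in records))


# Constructed sample log: the first line is the message quoted in the release
# notes (joined onto one line); the other two are made up for this example.
SAMPLE_LOG = [
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for icmp src Outside:192.168.1.5 dst inside:10.10.5.20 (type 8, code 0) "
    "denied due to NAT reverse path failure",
    "%ASA-6-302013: Built inbound TCP connection 4711 for Outside:192.168.1.5/51234 "
    "(192.168.1.5/51234) to inside:10.10.5.20/443 (10.10.5.20/443)",
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for tcp src Outside:192.168.1.7/51235 dst inside:10.10.5.20/443 "
    "denied due to NAT reverse path failure",
]

if __name__ == "__main__":
    records = find_nat_reverse_path_failures(SAMPLE_LOG)
    for r in records:
        print(f"sev{r.severity} {r.proto} {r.src_if}:{r.src} -> {r.dst_if}:{r.dst}")
    print(failures_by_interface_pair(records))
```

Feed it the output of the ASA syslog collector (or `show logging`) after the upgrade; a non-empty interface-pair count is the cue described in the note above, and the affected twice NAT rules are the ones between those interfaces.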
To run Version 8.3 in a production environment, you need to upgrade the memory on the Cisco ASA 5505, 5510, 5520, or 5540. See the  for more information.
If you do not install a memory upgrade, you receive the following message upon logging in:
***********************************************************************
**
**   *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
**
**          ----> Minimum Memory Requirements NOT Met! <----
**
**  Installed RAM:  512 MB
**  Required  RAM: 2048 MB
**  Upgrade part#: ASA5520-MEM-2GB=
**
**  This ASA does not meet the minimum memory requirements needed to
**  run this image. Please install additional memory (part number
**  listed above) or downgrade to ASA version 8.2 or earlier.
**  Continuing to run without a memory upgrade is unsupported, and
**  critical system features will not function properly.
**
*************************************************************************