Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability—Multiple vulnerabilities have been
fixed for clientless SSL VPN in ASA software, so you should upgrade your software to a fixed version. See

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

for details

about the vulnerability and a list of fixed ASA versions. Also, if you ever ran an earlier ASA version that had a
vulnerable configuration, then regardless of the version you are currently running, you should verify that the
portal customization was not compromised. If an attacker compromised a customization object in the past,
then the compromised object stays persistent after you upgrade the ASA to a fixed version. Upgrading the
ASA prevents this vulnerability from being exploited further, but it will not modify any customization objects
that were already compromised and are still present on the system.



EtherChannel configuration on the 4GE SSM disallowed—Interfaces on the 4GE SSM, including the built-in
module on the ASA 5550 (GigabitEthernet 1/x), are not supported as members of EtherChannels. However,
although not supported, configuration was not disallowed until 9.0(1). If you configured any 4GE SSM
interfaces as EtherChannel members, then upgrading to 9.0(1) or later will remove the channel-group
membership configuration from those interfaces. You must alter your interface configuration to comply with
supported interface types. (CSCtq62715)



ASA 9.1(3) features for the ASA CX require ASA CX Version 9.2(1).



Upgrading ASA Clustering from 9.0(1) or 9.1(1)—Due to many bug fixes, we recommend the 9.0(2) or 9.1(2)
release or later for ASA clustering. If you are running 9.0(1) or 9.1(1), you should upgrade to 9.0(2) or 9.1(2)
or later. Note that due to CSCue72961, hitless upgrading is not supported.