Headline
CVE-2022-20844: Cisco Security Advisory: Cisco Software-Defined Application Visibility and Control on Cisco vManage Static Username and Password Vulnerability
A vulnerability in the authentication mechanism of Cisco Software-Defined Application Visibility and Control (SD-AVC) on Cisco vManage could allow an unauthenticated, remote attacker to access the GUI of Cisco SD-AVC using a default static username and password combination. This vulnerability exists because the GUI is accessible on self-managed cloud installations or local server installations of Cisco vManage. An attacker could exploit this vulnerability by accessing the exposed GUI of Cisco SD-AVC. A successful exploit could allow the attacker to view managed device names, SD-AVC logs, and SD-AVC DNS server IP addresses.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Fixed Releases
At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerabilities that are described in this advisory and which release included the fix for these vulnerabilities.
| Cisco vManage Release | First Fixed Release |
|---|---|
| 18.3 and earlier | Not affected. |
| 18.4 | Not affected. |
| 19.2 | Not affected. |
| 20.1 | Not affected. |
| 20.3.2 through 20.3.4 | Not affected. |
| 20.3.4.1 | 20.3.4.2 |
| 20.3.5 | Migrate to a fixed release. |
| 20.4 | Migrate to a fixed release. |
| 20.5 | Migrate to a fixed release. |
| 20.6 | 20.6.3¹ |
| 20.7 | 20.7.2¹ |
| 20.8 | 20.8.1¹ |
| 20.9 | 20.9.1 |
1. Upgrading to Release 20.6.3, 20.7.2, or 20.8.1 causes the SD-AVC container to shut down. To enable the SD-AVC container, do the following:
- Enable SD-AVC.
- Reboot vManage.
- Reboot vManage a second time.
Note: The vulnerability described in this advisory is associated with the vulnerability described in Cisco Security Advisory cisco-sa-sdwan-avc-NddSGB8. Cisco recommends that administrators take into account both vulnerabilities when planning for a software upgrade.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.