Vulnerable Products:
At the time of publication, this vulnerability affected Cisco Catalyst 9500X and 9600X Series Switches if they were running a vulnerable release of Cisco IOS XE Software and had an egress ACL configured on an SVI.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Determine the Device Configuration:
To determine whether an outbound ACL is configured on an SVI, use the show running-config | include interface Vlan|out$ command. The following example shows output on a device that has an egress ACL configured on an SVI:
Switch# Router# show running-config | include interface Vlan|out$
interface Vlan1
 ip access-group 101 out
Switch#
Products Confirmed Not Vulnerable:
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
Catalyst 9500 Series Switches
Catalyst 9600 Series Switches
IOS Software
IOS XR Software
NX-OS Software
Workarounds:
There is a workaround that addresses this vulnerability. Egress ACLs can be converted to ingress ACLs. However, depending on how many interfaces are configured with egress ACLs, the configuration changes required could be extensive.
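To scope that change, the egress-ACL check from the Determine the Device Configuration section can be run offline against saved configurations. The following Python sketch is an added example, not Cisco code; the sample configuration and the function name svi_egress_acls are constructed for illustration. Unlike the include filter, it reports only ip access-group ... out lines that sit inside an interface Vlan stanza.

```python
import re

# Constructed sample of a saved running-config (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 ip access-group 120 out
!
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 out
!
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
 ip access-group EDGE-IN in
!
interface Vlan30
 description timeout
 ip access-group 102 in
 ip access-group WEB-OUT out
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
EGRESS_RE = re.compile(r"^\s+ip access-group\s+(\S+)\s+out\s*$")


def svi_egress_acls(config_text):
    """Return {SVI name: [egress ACL names]} for SVIs with an outbound ACL."""
    findings = {}
    current = None  # interface stanza we are currently inside, if any
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # unindented line ends the interface stanza
            continue
        if current and current.lower().startswith("vlan"):
            acl = EGRESS_RE.match(line)
            if acl:
                findings.setdefault(current, []).append(acl.group(1))
    return findings


if __name__ == "__main__":
    for svi, acls in svi_egress_acls(SAMPLE_CONFIG).items():
        print(f"{svi}: egress ACL(s) {', '.join(acls)}")
```

The physical-port ACL and the description line ending in "out" would both match the include filter but are not reported here, so the result is a direct list of the SVIs whose ACLs would need converting.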
While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Fixed Software:
Cisco considers any...
17.10.1, 17.10.1b, 17.11.1, 17.12.1, 17.12.1z5, 17.12.2, 17.12.3, 17.12.4, 17.12.5, 17.13.1 (+20 more)
Exploitability: AV:N, AC:L, PR:N, UI:N
Scope: S:U
Impact: C:N, I:L, A:N
5.3 / CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N