Vulnerable Products:
At the time of publication, this vulnerability affected Cisco IOS XR Software if it had BGP confederation configured.
For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Determine the Device Configuration
To determine whether the device has BGP confederation configured, use the show running-config router bgp EXEC CLI command. If the router is configured for BGP, this command will return output. For the device to be considered vulnerable, the bgp confederation peers configuration command must also be present in the output, as shown in the following example:
router bgp 64500
 .
 .
 .
 bgp confederation peers

Products Confirmed Not Vulnerable:
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
IOS Software
IOS XE Software
NX-OS Software

Workarounds:
There is a workaround that addresses this vulnerability. This vulnerability exists partly because the BGP AS_CONFED_SEQUENCE attribute is 255 AS numbers or greater. The workaround is to restrict this BGP attribute to 254 or fewer AS numbers. This can be accomplished by using a routing policy that drops BGP updates with long AS path lengths on the confederation peers:
route-policy max-asns
  if as-path length ge 254 then
    drop
  else
    pass
  endif
end-policy
router bgp 64500
 bgp confederation peers
  64501
  64502
 !
 bgp confederation identifier 64511
 neighbor 192.168.0.1
  remote-as 64501
  address-family ipv4 unicast
   policy max-asns in
   policy max-asns out
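The configuration check and the workaround above can be audited together on a saved copy of the running configuration. The following is an added example, not part of the advisory or Cisco tooling; the function name `audit`, the result keys and the second neighbor in the sample are constructed for illustration, and the parser also accepts the `route-policy NAME in|out` spelling in addition to the `policy` form shown above.

```python
import re

# Constructed sample: the advisory's workaround config plus one unprotected confederation peer.
SAMPLE = """\
route-policy max-asns
  if as-path length ge 254 then
    drop
  else
    pass
  endif
end-policy
router bgp 64500
 bgp confederation peers
  64501
  64502
 !
 bgp confederation identifier 64511
 neighbor 192.168.0.1
  remote-as 64501
  address-family ipv4 unicast
   policy max-asns in
   policy max-asns out
 neighbor 192.168.0.2
  remote-as 64502
  address-family ipv4 unicast
"""

def audit(config):
    """Report confederation use and confederation peers lacking the AS-path limit policy."""
    # Route policies whose body limits AS-path length, as the workaround's does.
    blocks = re.finditer(r"^route-policy (\S+)\n(.*?)^end-policy", config, re.M | re.S)
    limiting = {m[1] for m in blocks if "as-path length ge" in m[2]}
    confed, in_peers, peers, nbrs, cur = False, False, set(), {}, None
    for line in config.splitlines():
        s = line.strip()
        if in_peers and re.fullmatch(r"[\d.]+", s):
            peers.add(s)  # AS number listed under "bgp confederation peers"
            continue
        in_peers = s == "bgp confederation peers"
        confed = confed or in_peers
        if s.startswith("neighbor "):
            cur = nbrs.setdefault(s.split()[1], {"as": None, "dirs": set()})
        elif cur is not None and (m := re.fullmatch(r"remote-as (\S+)", s)):
            cur["as"] = m[1]
        elif cur is not None and (m := re.fullmatch(r"(?:route-)?policy (\S+) (in|out)", s)):
            if m[1] in limiting:
                cur["dirs"].add(m[2])
    gaps = sorted(ip for ip, n in nbrs.items() if n["as"] in peers and n["dirs"] != {"in", "out"})
    return {"confederation": confed, "peer_asns": sorted(peers), "unprotected": gaps}
```

A neighbor is reported under `unprotected` when its remote AS is a confederation peer and a length-limiting policy is not applied in both directions.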
For more information on Cisco IOS XR Routing Policy Language (RPL), see...
24.1.1, 24.1.2, 24.2.1, 24.2.11, 24.2.2, 24.2.20, 6.5.1, 6.5.15, 6.5.2, 6.5.25 (+83 more)
CVSS 3.1 Base Score: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H