Cisco IOS and IOS XE Software IOx Application Hosting Environment Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Cisco IOx application hosting environment within Cisco IOS and Cisco IOS XE Software. This vulnerability allows an unauthenticated, remote attacker to send crafted HTTP requests that cause the IOx application hosting environment to stop responding. As a result, the IOx process must be manually restarted to restore services. The vulnerability arises from improper handling of HTTP requests.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the Cisco IOx application hosting environment to become unresponsive.

Remediation

Cisco has released software updates to address this vulnerability. For devices that do not require the Cisco IOx application hosting environment, it is recommended to disable IOx using the 'no iox' configuration command. If IOx is needed, the HTTP server can be disabled with the 'no ip http server' and 'no ip http secure-server' commands. Customers should consult the Cisco IOS and IOS XE Software Checker for information on fixed releases.
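The following is an added example, not part of the original advisory or any Cisco tooling: a small audit that reads saved running-config text and reports whether either workaround named above is in place. It assumes that global commands appear unindented in the running-config and that IOx is off unless an `iox` line is present; the function names and sample configurations are constructed for illustration.

```python
import re

# Only the commands named in the advisory are checked.
FEATURES = ("iox", "ip http server", "ip http secure-server")


def feature_states(running_config: str) -> dict:
    """Return 'enabled', 'disabled' or 'unstated' for each audited command."""
    states = {name: "unstated" for name in FEATURES}
    for raw in running_config.splitlines():
        # Assumption: global commands start in column 0; indented lines
        # belong to sub-modes and "!" lines are separators.
        if not raw or raw[0].isspace() or raw.startswith("!"):
            continue
        line = re.sub(r"\s+", " ", raw.strip())
        negated = line.startswith("no ")
        command = line[3:] if negated else line
        if command in states:
            states[command] = "disabled" if negated else "enabled"
    return states


def assess(running_config: str) -> str:
    """Classify a config as 'mitigated', 'exposed' or 'review'."""
    s = feature_states(running_config)
    http = (s["ip http server"], s["ip http secure-server"])
    if s["iox"] != "enabled":
        # Assumption: IOx is not running unless "iox" is configured.
        return "mitigated"
    if all(state == "disabled" for state in http):
        return "mitigated"  # IOx needed, both HTTP servers turned off
    if "enabled" in http:
        return "exposed"    # IOx on and at least one HTTP server on
    return "review"         # HTTP state not stated; defaults vary, check the device


# Constructed sample configurations (not taken from a real device).
SAMPLE_EXPOSED = "hostname edge-rtr-01\n!\niox\nip http server\nip http secure-server\n"
SAMPLE_WORKAROUND = "hostname edge-rtr-02\n!\niox\nno ip http server\nno ip http secure-server\n"
SAMPLE_PARTIAL = "hostname edge-rtr-03\n!\niox\nno ip http server\nip http secure-server\n"

if __name__ == "__main__":
    for name, cfg in [("exposed", SAMPLE_EXPOSED),
                      ("workaround", SAMPLE_WORKAROUND),
                      ("partial", SAMPLE_PARTIAL)]:
        print(name, "->", assess(cfg), feature_states(cfg))
```

A "mitigated" result reflects only the workarounds; the fixed software release still has to be confirmed with the Cisco IOS and IOS XE Software Checker.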

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 2.5
exploitability: 7.0
remediation: 7.9
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.