Symptom
On August 17, 2021, BlackBerry released a security advisory, QNX-2021-001, that disclosed an integer overflow vulnerability, identified by CVE ID CVE-2021-22156, in the following BlackBerry software releases:
QNX Software Development Platform (SDP) 6.5.0SP1 and earlier
QNX OS for Medical 1.1 and earlier
QNX OS for Safety 1.0.1 and earlier
Conditions
Cisco has evaluated the impact of the vulnerability on Cisco Channelized Shared Port Adapters and concluded that, whilst the adapters contain the affected code, there is no known exploit vector. See Further Problem Description for more details.
The following Cisco Circuit Channelized Shared Port Adapters (SPAs) have not reached End of Life:
SPA-8XT3/E3
SPA-8XCHT1/E1-V2
SPA-2XT3/E3-V2
SPA-4XT3/E3-V2
SPA-2XCT3/DS0-V2
SPA-4XCT3/DS0-V2
SPA-1CHSTM1/OC3V2
These SPAs are available for both IOS-XE (ASR1000 Series Routers) and IOS-XR (ASR9000 Series running 32-Bit IOS-XR).
Further Problem Description
The SPA code is a compiled binary that is bundled with either Cisco IOS-XR or Cisco IOS-XE software. To exploit this vulnerability, an attacker would have to be able to run a binary that calls the vulnerable routines. Whilst the underlying software on the SPA does contain the vulnerable code, there are no known exploit vectors.
This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html