DISA STIGS Viewer

The Cisco ACI must be running an operating system release that is currently supported by the vendor.

Overview

Finding ID: V-271926
Version: CACI-ND-000011
Rule ID: SV-271926r1114339_rule
IA Controls: (none listed)
Severity: High
Description
Cisco ACIs running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
STIG: Cisco ACI NDM Security Technical Implementation Guide
Date: 2025-06-13

Details

Check Text (C-75976r1114338_chk)
To view the current firmware versions installed on the controllers and switches, type the following commands to enter firmware configuration mode and display the versions:

apic1# configure
apic1(config)# firmware
apic1(config-firmware)# show version

Alternatively, in the GUI navigate to Admin >> Firmware.

Refer to the Cisco APIC Upgrade/Downgrade Support Matrix for Cisco APIC upgrade and downgrade paths.

If the Cisco ACI fabric, leaf switches, or APIC components have an operating system release that is not currently supported by the vendor, this is a finding.
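A check-automation script, added here as an example and not part of the STIG or of Cisco's tooling: it parses constructed `show version` output in the form the check above produces (column layout assumed) and flags every controller or switch whose release train is absent from a supported-release set, which you must populate from the Cisco APIC Upgrade/Downgrade Support Matrix (the set shown is a placeholder).

```python
import re
from typing import NamedTuple
# Constructed sample of `show version` output from APIC firmware configuration mode;
# the column layout (Role, Pod, Node, Name, Version) is an assumption for this example.
SAMPLE_SHOW_VERSION = """\
 Role        Pod   Node   Name       Version
 ----------  ----  -----  ---------  ----------------
 controller  1     1      apic1      6.0(2h)
 leaf        1     101    leaf101    n9000-16.0(2h)
 leaf        1     102    leaf102    n9000-14.2(7f)
"""
# Placeholder: fill from the Cisco APIC Upgrade/Downgrade Support Matrix and Cisco
# end-of-support notices; the trains listed here are constructed for the example only.
SUPPORTED_TRAINS = {"6.0", "5.2"}
VERSION_RE = re.compile(r"^(?:n9000-)?(\d+)\.(\d+)\((\d+)([a-z]?)\)$")  # e.g. 6.0(2h)

class NodeVersion(NamedTuple):
    role: str
    node: str
    name: str
    version: str

def parse_show_version(text: str) -> list[NodeVersion]:
    """Parse the tabular output into one NodeVersion per controller or switch row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Role" or parts[0].startswith("-"):
            continue  # header, separator, blank or unexpected line
        role, _pod, node, name, version = parts
        rows.append(NodeVersion(role, node, name, version))
    return rows

def apic_train(version: str, role: str) -> str:
    """Map a node version to its APIC-equivalent major.minor train; switch images are
    numbered 10 ahead of the matching controller image (leaf 16.0(2h) pairs with APIC 6.0(2h))."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised ACI version string: {version!r}")
    major = int(m.group(1)) - (0 if role == "controller" else 10)
    return f"{major}.{m.group(2)}"

def find_unsupported(text: str, supported: set[str] = SUPPORTED_TRAINS) -> list[NodeVersion]:
    # Every node whose train is not in the supported set is a finding for this rule.
    return [n for n in parse_show_version(text) if apic_train(n.version, n.role) not in supported]

if __name__ == "__main__":
    for n in find_unsupported(SAMPLE_SHOW_VERSION):
        print(f"FINDING: {n.role} {n.name} (node {n.node}) runs {n.version}")
```
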

Fix Text (F-75883r1114212_fix)
Refer to the Cisco APIC Upgrade/Downgrade Support Matrix for Cisco APIC upgrade and downgrade paths.

Installing a Cisco APIC Software Maintenance Upgrade Patch Using the GUI:

Use the following procedure to install a software maintenance upgrade (SMU) patch on a Cisco APIC:
1. Add the firmware image that corresponds to the SMU patch to the Cisco APIC. The patch will be listed along with any other firmware images (SMU patches and otherwise).
2. Set up a controller firmware update. On the Version Selection screen, for the Update Type, choose "Software Maintenance Upgrade (Install)", then choose the SMU patch in the Select Firmware section.

Installing a Switch Software Maintenance Upgrade Patch Using the GUI:

SMU patch installation or uninstallation uses the same update group as a regular firmware upgrade. Because one node can belong to only one update group, when an SMU patch is applied to a specific node, remove that node from the existing group and create a new group that is dedicated to the node so that other nodes are not impacted. When performing a regular firmware upgrade for the entire fabric, delete the dedicated update group used for the SMU patch installation and add the node back to one of the original groups. If all the nodes in the existing group need the SMU patch, reuse the same update group without creating a new update group.

1. Add the firmware image that corresponds to the SMU patch to the Cisco APIC. The Cisco APIC lists the patch along with any other firmware images (SMU patches and otherwise).
2. Set up a node firmware update. On the Version Selection screen, for the Update Type, choose "Software Maintenance Upgrade (Install)", then choose the SMU patch in the Select Firmware section. Click "Begin Download" in the Confirmation screen to download the patch to the selected switches. The Firmware Updates tab in the Work pane displays.
3. In the Work pane, click the upgrade group created. The Node Firmware Update dialog displays with information for the upgrade group.
4. When the status for the switches is "Ready to Install", click "Actions".

Install and Reload: The switches reboot after the SMU patch gets installed. Choose this action to install only one SMU patch, or if installing the final patch of multiple patches.

Install and Skip Reload: The switches do not reboot after the SMU patch gets installed. Choose this action to install multiple SMU patches and if this patch is not the final patch. In this case, repeat this entire procedure for each additional patch and continue to choose Install and Skip Reload until the final patch is installed. For the final patch, choose Install and Reload. Optionally, choose "Install and Skip Reload" and manually reboot the switch after the patch gets installed.