by tyingq 3776 days ago
Edit: this is wrong -> It's specific to Cisco ASA firewalls with a version level < 9.1(7), which was released in January of 2015.

Edit: Gelob, below, is right. There's a really unfortunate "read more" link that hides the important bits on Cisco's documentation and caused my confusion.


That isn't true. There are versions of 9.2.x, 9.3.x etc. that are vulnerable per the documentation. 9.1.7 is the only firmware released before this was announced (Jan 18th) that contains a fix. Every other software version is vulnerable and requires an upgrade.
Given the tendency for large enterprises to not upgrade unless there is time to do a full regression test, and then to prioritize creating new features over system maintenance, I wouldn't assume that means that there aren't quite a few of those still out there.
People who have firewall needs and no skills hire people who know what Cisco products are, get someone to implement an ASA for them, and then it sits for years without any software updates. Maybe a rule update every now and then, but definitely no software updates.
Perhaps most do but I see a different trend these days. "The network" is a lot more important now since so many things are cloud-based.

Our networking group automated a deployment for the fix and contacted everyone that has ever bought an ASA from our company and updated them. We have ~400 ASAs across the country and still have < 50 to go. There are still a few stragglers, and the older ASAs need a bit more TLC.

Many of those clients have a maintenance agreement with us that includes these sorts of things and changes. All of them were updated and tested within 24 hours.

We did the same thing for the Juniper exploits (albeit we only had a handful).

EDIT: typos

I can think of at least 8 of my clients (between 500 and 15000 employees, with probably 100 ASAs total) still on ASA version 8, much less 9. For some, the more critical in infrastructure, the less they want to update.