Cisco advises that: "The IOS Firewall Feature set, also known as Cisco Secure Integrated Software, also known as Context Based Access Control, and introduced in IOS version 11.2P, has a vulnerability which permits traffic normally expected to be denied by the dynamic access control lists."
This vulnerability is documented as Cisco Bug ID CSCdv48261.
No other Cisco product is vulnerable.
This advisory is available at the http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml