Q1: Which version should one upgrade to get a complete fix?
A: The customer should move to 12.0ES03 to get a complete fix for the vulnerability.
Q2: What versions are vulnerable?
A: All versions prior to 12.0ES03 are vulnerable. 12.5 is not impacted by this vulnerability.
Q3: What should a customer do if they don't wish to upgrade to 12.0ES03?
A: The customer should move to 1162ES06 to get a fix for defect CSCvq58289 and block port 6999 on the firewall. The port should be blocked towards both UCCX nodes if it is an HA deployment. (Blocking a port on the firewall does ensure higher security but is not a bulletproof solution if an attacker manages to get past the firewall.)
Q4: What is the impact of blocking port 6999 on the firewall?
A: Port 6999 (RMI) is used for intracluster communication and also for clients like RTR and script editor. So if customers have RTR or script editor clients that communicate through the firewall, they won't be able to use these clients.
Q5: Why can't the fix for defect CSCvq58235 be ported to 11.x?
A: Fixing the problem requires upgrading the Apache Commons Collections (ACC) libraries. UCCX 11.x has many components using ACC libraries, and this dependency cannot be fulfilled for all components in version 11.6.2.
Hi, so as far as I understand, if the UCCX is not exposed externally (WAN or Internet) this problem is mitigated, and if we don't have HA it is more unlikely to have port 6999 open to the Internet, and the attacker has to be inside the network. Is this correct?
I understand the gravity of the situation, but we are considering internally migrating our affected customers, and in some cases it can be quite laborious, especially for those on releases prior to 12, because of the Smart License, the migration from CAD to the Finesse agent, and maybe we have to upgrade the CUCM / TSP. So I ask the previous questions about the firewall port to see if I can mitigate the problem for any customer.
We are facing the same situation and would like confirmation that if UCCX is not exposed to the external (WAN\Internet) with ports *6999* open this is only a vulnerability from the internal LAN. We are developing a project scope to have this upgrade completed but will be a lengthy process.