CSCwa47388 - CCX Log4j

joshua.gertig
Level 1

When will we know what versions are affected? Also, will this be resolvable via a .cop file patch, or entire SU upgrade only? 

29 Replies

darthnugget
Level 1

Chances are 12.6 CCX will be vulnerable. It could be a cop patch to disable the service classes that are vulnerable. Unless Cisco uses those specific services, then we should expect an SU release.

Anupam_Dewedi
Cisco Employee

We have the affected products tracked here:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

 

Also, for UCCX, here is the bug which tracks the developments: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47388

 

Any updates will be updated under these links. So far, 11.x UCCX has been marked not vulnerable; however, 12.5X UCCX has been marked as vulnerable.

Where did you see 11.x is marked as not vulnerable? I have CCX with 11.6.2.10000-38 and would like to know if it's affected or not...

 

Thank you

I'm not seeing it either, nor am I seeing anything related to UCCX 12.5. I'm also curious why the vulnerability header says "Evaluation of cra for Log4j RCE". CRA has been end of life for a while.

Is UCCX 12.0 vulnerable?

Anupam_Dewedi
Cisco Employee

We will have the info updated soon on the bug. Our product team has so far confirmed UCCX 11.x servers to be safe from the vulnerability.

 

In the meantime, you can subscribe to this bug to receive updates by email by doing the following:

 

Please click where it says “Notifications”. Then you just need to add your email address and you will receive updates on this bug.

Is v11.x affected?

The bug detail is very lacking on which specific versions are and which are not affected - CUCM is excellent in covering this detail.

My customer is asking daily for an update and I am looking unhelpful.

 

Please can we get a statement to say yes or no for v11.x?

Joey Gore
Level 1

Still no updates too (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47388)
Also, the issue is present in Finesse as noted in CSCwa46459. Does that pertain to UCCX or just UCCE?

Joey, the security team will update it soon. Recent updates have been where 11.x and 12.0 UCCX versions are marked safe. 12.5.x is affected as stated earlier. 

 

Finesse and CUIC come as an integrated package in UCCX, and hence anything related will be tracked under UCCX specifically.

 

So I see the bug has been updated for UCCX but it only lists 12.5.1 and 12.5.1(SU1). Do you know if 12.5.1(SU2) is vulnerable? When will known fixed releases or workarounds be posted?

Michelle, UCCX 12.5 SU2 is yet to be released. The patches for the vulnerability are expected to be released by the 1st week of January, 2022.

I assume this covers all Engineering Specials as well, such as 12.5(1) SU1-ES02? It is not listed as affected, but I assume it will be as you indicate 12.5.x is vulnerable.

Brent, your understanding is correct on that.