Re: CSCwa47388 - CCX Log4j

joshua.gertig · ‎12-13-2021

When will we know what versions are affected? Also, will this be resolvable via a .cop file patch, or entire SU upgrade only?

darthnugget · ‎12-13-2021

Chances are 12.6 CCX will be vulnerable. It could be a cop patch to fix to disable service classes that are vulnerable. Unless Cisco uses those specific services, then we should expect an SU release.

Anupam_Dewedi · ‎12-13-2021

We have a the products affected tracked here :

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Also for UCCX here is the bug which tracks the developments : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47388

Any updates will be updated under these links. So far, 11.x UCCX has been marked not vulnerable however 12.5X UCCX has been marked as Vulnerable.

am316 · ‎12-13-2021

where did you see 11.x is marked as not vulnerable, I have CCX with 11.6.2.10000-38 willing to know if it's affected or not...

thank you

TXG · ‎12-13-2021

I'm not seeing it either, nor am I seeing anything related to UCCX 12.5. I'm also curious why the vulnerability header says "Evaluation of cra for Log4j RCE". CRA has been end of life for a while.

Eagle-man · ‎12-22-2021

Is UCCX 12.0 vulnerable?

Anupam_Dewedi · ‎12-13-2021

We will have the info updated soon on the bug. Our product team has so far confirmed uccx 11.x servers to be safe from the vulnerability.

In the meantime you can subscribe to this bug to receive updates by email, by doing the following :

Please click where it says “Notifications “. Then you just need to add your email address and you will be receiving updates of this bug.

neil wooloff · ‎12-21-2021

is v11.x affected?

the bug detail is very lacking on specific versions of which are and which are not affected - cucm is excellent in convering this detail

my customer is asking daily for an update and i am looking unhelpful

please can we get a statement to say yes or no for v11.x

floatingpurr · ‎12-21-2021

Hey @neil wooloff, here you can find more details per each CCX version: https://www.cisco.com/c/en/us/support/docs/contact-center/unified-contact-center-express/217603-tech-note-on-apache-log4j-vulnerability.html

Joey Gore · ‎12-14-2021

Still no updates too (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47388)
Also, the issue is present in Finesse as noted in CSCwa46459. Does that pertain to UCCX or just UCCE?

Anupam_Dewedi · ‎12-14-2021

Joey, the security team will update it soon. Recent updates have been where 11.x and 12.0 UCCX versions are marked safe. 12.5.x is affected as stated earlier.

Finesse and CUIC comes in to be an integrated package in UCCX and hence anything related will be tracked under UCCX specifically.

Michelle Kramer · ‎12-14-2021

So i see the bug has been updated for UCCX but it only lists 12.5.1 and 12.5.1(SU1), do you know if 12.5.1(SU2) is vulnerable? When will known fixed releases be posted or work arounds?

Anupam_Dewedi · ‎12-14-2021

Michelle UCCX 12.5 SU2 is yet to be released. The Patches for the vulnerability is expected to be released by 1st week of January,2022.

Brent Barnard · ‎12-14-2021

I assume this covers all Engineering Specials as well, such as 12.5(1) SU1-ES02? It is not listed as affected, but I assume it will be as you indicate 12.5.x is vulnerable.

Anupam_Dewedi · ‎12-14-2021

Brent, your understanding is correct on that.