12-13-2021 08:52 AM
When will we know what versions are affected? Also, will this be resolvable via a .cop file patch, or entire SU upgrade only?
12-13-2021 09:19 AM
Chances are 12.6 CCX will be vulnerable. It could be a cop patch to fix to disable service classes that are vulnerable. Unless Cisco uses those specific services, then we should expect an SU release.
12-13-2021 01:30 PM
We have the products affected tracked here:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
Also, for UCCX, here is the bug which tracks the developments: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47388
Any updates will be updated under these links. So far, 11.x UCCX has been marked not vulnerable; however, 12.5X UCCX has been marked as vulnerable.
12-13-2021 02:33 PM - edited 12-13-2021 02:44 PM
Where did you see 11.x is marked as not vulnerable? I have CCX with 11.6.2.10000-38, willing to know if it's affected or not...
Thank you
12-13-2021 05:36 PM
I'm not seeing it either, nor am I seeing anything related to UCCX 12.5. I'm also curious why the vulnerability header says "Evaluation of cra for Log4j RCE". CRA has been end of life for a while.
12-22-2021 01:41 PM
Is UCCX 12.0 vulnerable?
12-13-2021 08:48 PM
We will have the info updated soon on the bug. Our product team has so far confirmed UCCX 11.x servers to be safe from the vulnerability.
In the meantime you can subscribe to this bug to receive updates by email, by doing the following:
Please click where it says "Notifications". Then you just need to add your email address and you will be receiving updates of this bug.
12-21-2021 12:26 AM
Is v11.x affected?
The bug detail is very lacking on specific versions of which are and which are not affected - CUCM is excellent in covering this detail.
My customer is asking daily for an update and I am looking unhelpful.
Please can we get a statement to say yes or no for v11.x
12-21-2021 12:36 AM
Hey @neil wooloff, here you can find more details per each CCX version: https://www.cisco.com/c/en/us/support/docs/contact-center/unified-contact-center-express/217603-tech-note-on-apache-log4j-vulnerability.html
12-14-2021 06:58 AM
Still no updates too (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47388)
Also, the issue is present in Finesse as noted in CSCwa46459. Does that pertain to UCCX or just UCCE?
12-14-2021 07:34 AM
Joey, the security team will update it soon. Recent updates have been where 11.x and 12.0 UCCX versions are marked safe. 12.5.x is affected as stated earlier.
Finesse and CUIC come in as an integrated package in UCCX and hence anything related will be tracked under UCCX specifically.
12-14-2021 08:48 AM
So I see the bug has been updated for UCCX but it only lists 12.5.1 and 12.5.1(SU1), do you know if 12.5.1(SU2) is vulnerable? When will known fixed releases be posted or workarounds?
12-14-2021 09:18 AM
Michelle, UCCX 12.5 SU2 is yet to be released. The patches for the vulnerability are expected to be released by the 1st week of January, 2022.
12-14-2021 10:56 AM - edited 12-14-2021 11:04 AM
I assume this covers all Engineering Specials as well, such as 12.5(1) SU1-ES02? It is not listed as affected, but I assume it will be as you indicate 12.5.x is vulnerable.
12-14-2021 05:27 PM
Brent, your understanding is correct on that.