CSCwa47388 - CCX Log4j

joshua.gertig

When will we know what versions are affected? Also, will this be resolvable via a .cop file patch, or entire SU upgrade only? 


Hi Anupam,

Will this patch also address CVE-2021-45046?

Thanks

@TXG I am assuming yes as of now. However, I do not have any concrete info on the same.

Hello Anupam,

Can you confirm the SU2 will include the fix?

Regards,
Antony Gallez

floatingpurr

Just a quick recap. Only UCCX 12.5 looks affected so far. 11.x and 12.0 seem safe.

Side questions. What about:

  • the Informix DBMS bundled with the UCCX? (Edit: looks like it is taken into account in the patching)
  • Any related driver such as the IBM INFORMIX ODBC DRIVERS such as ibm.csdk.4.50.FC3.LNX? Not strictly Cisco related, I know. Hints are welcome.

mlee

Why is the official Cisco bug report for UCCX not mentioning whether or not the log4j vulnerability exists for 11.6? I only see 12.5.1.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47388

@mlee we only mention the version a bug affects too. However, as informed previously, it's just the 12.5.x versions that are affected. Previous versions such as 12.0 and below use version 1.x of log4j and are thus marked safe.

The vulnerability only affects servers using log4j 2.x.


@Anupam_Dewedi wrote:

@mlee we only mention the version a bug affects too. However, as informed previously, it's just the 12.5.x versions that are affected. Previous versions such as 12.0 and below use version 1.x of log4j and are thus marked safe.

The vulnerability only affects servers using log4j 2.x.


According to Apache:

Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

The way I read this is that Apache is saying Log4j 1.x could be vulnerable, so you should upgrade to Log4j 2.16.0. How did Cisco determine Log4j 1.x isn't affected?

@jim-j our security teams are actively evaluating the product lineup to verify what is safe and what is affected.

More information is available on https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd


@jim-j wrote:

According to Apache:

Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

The way I read this is that Apache is saying Log4j 1.x could be vulnerable, so you should upgrade to Log4j 2.16.0. How did Cisco determine Log4j 1.x isn't affected?


Reading further down this same page they do also say:

"Log4j 1.x is not impacted by this vulnerability"

So, sorry for the misinformation; Log4j 1.x looks good.
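A way to verify the 1.x-versus-2.x question on your own system, as an added example that is not code from this thread, from Cisco or from UCCX: it reads the Maven pom.properties that official Log4j jars carry and classifies each jar using the 2.16.0 threshold named above (2.15.0 is still affected via CVE-2021-45046). It assumes you have the jar files available locally; the sample jars are constructed in memory.

```python
"""Classify Log4j jars: 1.x (not affected by the Log4j 2 JNDI lookup bug
tracked here as CSCwa47388, but EOL), 2.x below 2.16.0 (affected) or 2.16.0+."""
import io
import re
import zipfile

# Maven metadata paths shipped inside the official Log4j jars.
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_2X = (2, 16, 0)  # version the thread recommends upgrading to


def _version_from(zf, pom_path):
    """Return the 'version=' value from a pom.properties entry, or None."""
    if pom_path not in zf.namelist():
        return None
    m = re.search(r"^version=(\S+)", zf.read(pom_path).decode(), re.M)
    return m.group(1) if m else None


def _numeric(version):
    """'2.15.0' -> (2, 15, 0); '2.3' -> (2, 3, 0); '2.0-beta9' -> (2, 0, 9)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts))


def classify_jar(jar):
    """jar: filesystem path or jar bytes. Returns (generation, version, verdict)."""
    src = io.BytesIO(jar) if isinstance(jar, (bytes, bytearray)) else jar
    with zipfile.ZipFile(src) as zf:
        names = set(zf.namelist())
        v2 = _version_from(zf, LOG4J2_POM)
        if v2 or JNDI_LOOKUP in names:            # Log4j 2 core jar
            if v2 is None:
                return ("2.x", None, "affected-unknown-version")
            verdict = "fixed" if _numeric(v2) >= FIXED_2X else "affected"
            return ("2.x", v2, verdict)
        v1 = _version_from(zf, LOG4J1_POM)
        if v1 or "org/apache/log4j/Logger.class" in names:  # Log4j 1 jar
            return ("1.x", v1, "not-affected-by-this-bug (EOL)")
    return (None, None, "no-log4j")


def make_jar(entries):
    """Constructed sample jar (bytes) for offline testing; entries: {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Run classify_jar over every jar found under the application's install tree; a "2.x / affected" result is what the SU/ES patch discussed in this thread is meant to remove.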

Thanks for the clarification, I was getting worried.

Thank you! This is what I was looking for.

Excellent find. Wish the bug would reference this, as it would be so much more useful.

I am now seeing that ES03 has been released for UCCX 12.5.1 SU1.

Our security team has found that 11.6(1) is vulnerable to Log4J.

I have a TAC case open, waiting to hear back.

I noticed on this link that 11.6(1) was not listed, only 11.6(2):

https://www.cisco.com/c/en/us/support/docs/contact-center/unified-contact-center-express/217603-tech-note-on-apache-log4j-vulnerability.html