cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13619
Views
60
Helpful
29
Replies

CSCwa47388 - CCX Log4j

joshua.gertig
Level 1
Level 1

When will we know what versions are affected? Also, will this be resolvable via a .cop file patch, or entire SU upgrade only? 

29 Replies 29

Hi Anupam,

             Will this patch also address CVE-2021-45046?

Thanks

@TXG I am assuming yes as of now. However i do not have any concrete info on the same. 

Hello Anupam,

 

Can you confirm the SU2 will include the fix?

 

Regards,
Antony Gallez

floatingpurr
Level 1
Level 1

Just a quick recap . Only UCCX 12.5 looks affected so far. 11.x and 12.0 seem safe.

Side questions. What about:

  • the Informix DBMS bundled with the UCCX? (Edit: looks took into account in the patching)
  • Any related driver such as the IBM INFORMIX ODBC DRIVERS such as ibm.csdk.4.50.FC3.LNX? Not strictly Cisco related, I know. Hints are welcome 

mlee
Level 1
Level 1

Why is the official Cisco bug report for UCCX not mentioning whether or not log4j vulnerability exists for 11.6?  I only see 12.5.1

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47388

@mlee we only mention the version a bug affects too. However as informed previously its just the 12.5.x versions that are affected. Previous versions such as 12.0 and below them use version 1.x of log4j and thus is marked safe. 

 

Vulnerability only affects servers using log4j 2.x 


@Anupam_Dewedi wrote:

@mlee we only mention the version a bug affects too. However as informed previously its just the 12.5.x versions that are affected. Previous versions such as 12.0 and below them use version 1.x of log4j and thus is marked safe. 

Vulnerability only affects servers using log4j 2.x 


According to Apache:

Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

The way I read this is that Apache is saying Log4j 1.x could be vulnerable, so you should upgrade to Log4j 2.16.0.  How did Cisco determine Log4j 1.x isn't affected?

@jim-j our security teams are actively in the evaluation of the product lineup to verify what is safe and what is affected.

 

More information is available on https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

 


@jim-j wrote:

According to Apache:

Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

The way I read this is that Apache is saying Log4j 1.x could be vulnerable, so you should upgrade to Log4j 2.16.0.  How did Cisco determine Log4j 1.x isn't affected?


Reading further down this same page they do also say:

"Log4j 1.x is not impacted by this vulnerability"

So sorry for the misinformation, Log4j 1.x looks good.

thanks for the clarification, I was getting worried.

Thank you!  This is what I was looking for.

excellent find - wish the bug would refernce this as be so much more useful

I am now seeing that ES03 has been released for UCCX 12.5.1 SU1. 

Our security team has found that 11.6(1) is vulnerable to Log4J.

I have a TAC case open, waiting to hear back.

I noticed on this link that 11.6(1) was not listed, only 11.6(2)

https://www.cisco.com/c/en/us/support/docs/contact-center/unified-contact-center-express/217603-tech-note-on-apache-log4j-vulnerability.html