
Can I install 2.0.1.956 on my CWMS version 2.5.1.5051.B-AE

Sarg .
Level 3

Hello Team, 

I have a few questions and I'll appreciate it even if a single question is answered:

Cisco has released a number of vulnerabilities / bugs recently, as shown below.

CSCuy36539

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc

1) However, if you check the first link, you will notice that Cisco says that the fix for CWMS 2.X is as shown in the picture below. So my question is: when Cisco says 2.X, does that mean 2.5 too? Because the release is actually 2.0.1.956 and it is listed in the 2.0 section of Cisco's download page instead of the 2.5 section.

2) If 2.0.1.956 is not supported on my current CWMS 2.5.1.5051.B-AE, then should I be waiting for CWMS 2.6.2 to be released so that I can protect the server from the problems listed in the links above? Does anyone know about the release date for 2.6.2?

3) Also, we are planning to expand the system to 250 ports after the update. Cisco's documentation is not clear on whether we would have to re-apply our certificates after the server update: it simply said we might have to. Could anyone please confirm with a definite yes or no answer so we can prepare for this?


dpetrovi
Cisco Employee

Hi,

Since you are on CWMS 2.5 version level, for this specific vulnerability, you will need to update your system to 2.6.1.39 (2.6 base) and then update to 2.6 MR2 once it is released (ETA is 04/14, but not sure if there will be any delay). Check cisco.com tomorrow or on Friday to see if it is released.

As for Expansion, if you are using internal SSL cert with Subject Alternative Names (all internal VMs, Admin URL and WebEx Site URL) then you will need to get a new SSL cert because you will have more VMs in your solution (Media VM) and that FQDN is not included in your current SSL cert.

If you have a wildcard SSL cert, then you shouldn't need to get a new one. 

If you are only using External SSL cert currently which covers WebEx Site URL, you won't have to do anything about that, but your internal SSL cert will need updating (if you use self-signed SSL cert, a new one will be generated by the system to include Media VM and you will need to distribute it to the clients).

Also, for system expansion, depending on what OVA file was originally used to deploy your CWMS system (this can be seen in vCenter: click on the Admin VM and click the General/Summary tab to see what OVA file was used), you will need to use that same OVA file to deploy the expansion system. The new expanded system will be automatically updated once the VMDK file is moved from the original system to the new one.

I hope this will help.

-Dejan

Thank you. 

I really appreciate your time. 

Cheers

So even though my CWMS was originally installed as a 50 port 2.X install and I have since updated to 2.6.1 and am now planning to update to 2.6 MR2, I should still use the same original OVA, even though my new base version is "2.6.1.39"?

All my current VMs have Public Domain FQDNs and I am using a public CA assigned cert which has the following SANs:

Public WebEx meeting page FQDN

Admin Server's public hostname FQDN

Internal admin URL  FQDN 

So based on what you said, do I need to generate a certificate request (including my new media VM) and send it to my external CA  for them to send me a new certificate containing the FQDN of my new Media Server as a SAN?

Thanks

Hi,

That is correct, you need to use the OVA that was used to deploy the VMs originally.

As for SSL cert, you are correct as well.

After the expansion to 250 users, you will have an additional VM included in your solution which will add an additional FQDN to the solution (Media VM FQDN). Since you currently have a SAN cert that covers only WebEx Site URL, Admin Site URL and Admin VM FQDN, you will need to obtain a new SSL cert that will cover: WebEx Site URL, Admin Site URL, Admin VM FQDN and Media VM FQDN.

Kind regards,

-Dejan
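The SAN coverage question settled in the reply above, worked through as an added example (not part of the original thread and not Cisco code). All hostnames are constructed placeholders under `example.com`; the function names are hypothetical.

```python
# Added example: hostnames below are constructed placeholders, not values from the thread.

def san_matches(san: str, host: str) -> bool:
    """Return True if one dNSName SAN entry covers host (RFC 6125 wildcard rules)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # A wildcard stands for exactly one leftmost label: *.example.com
    # covers media.example.com but not example.com or a.b.example.com.
    suffix = san[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def uncovered(sans, required):
    """List the required FQDNs that no SAN entry covers."""
    return [h for h in required if not any(san_matches(s, h) for s in sans)]


# Constructed FQDNs for the four names the expanded system needs.
REQUIRED_AFTER_EXPANSION = [
    "webex.example.com",        # WebEx Site URL
    "webexadmin.example.com",   # Admin Site URL
    "cwms-admin.example.com",   # Admin VM FQDN
    "cwms-media.example.com",   # Media VM FQDN (new after expansion)
]

# SAN list of a pre-expansion certificate (constructed).
CURRENT_SANS = ["webex.example.com", "webexadmin.example.com", "cwms-admin.example.com"]

if __name__ == "__main__":
    print("SAN cert, missing:", uncovered(CURRENT_SANS, REQUIRED_AFTER_EXPANSION))
    print("wildcard cert, missing:", uncovered(["*.example.com"], REQUIRED_AFTER_EXPANSION))
    # A wildcard only helps if the Media VM sits one label below the wildcard domain.
    print("deeper name, missing:", uncovered(["*.example.com"], ["media.dc1.example.com"]))
```

The SAN entries of an existing certificate can be read with `openssl x509 -in cert.pem -noout -text` and pasted into `CURRENT_SANS` before requesting the replacement certificate.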

Thank you,

You mentioned before that I need to install the base OVA, then the CWMS will automatically download all the updates and update itself until it reaches the same version as the currently active CWMS [pre-expanded system]. So my questions are:

1: Which server will download the updates: the vCenter, the CWMS admin server, or will all the CWMS VMs download the updates individually? The reason I am asking this question is because I want to know the source address that I need to open up in my firewall in order to allow CWMS to download the files. Do you know if there is a destination address that will be accessed in order to download the updates automatically? How about the port number(s)?

2: Will the updates be downloaded to the vCenter storage location?

Thanks

Hi,

The update files are saved on the original CWMS system after every update is performed on the system. Hence, once you deploy the expanded system using the original OVA file, you will be copying the Hard Disk 4 VMDK file from the original Admin VM to the newly deployed Admin VM. With that VMDK file, the update files will be transferred as well. Once the new system is then powered ON, the system will automatically update all the VMs to the version the original system was on.

With that in mind, there will be no downloads from the internet and no need to make any changes in the firewall.

I hope this clarifies it a little bit more.

Dejan

Thank you
