Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1410
Views
5
Helpful
3
Comments

Bash Bug -- CUCM evaluation for CVE-2014-6271 and CVE-2014-7169

Manish Gogna
Cisco Employee
Cisco Employee

‎09-27-2014 01:56 AM - edited ‎03-12-2019 10:11 AM

Since a lot of queries are coming up regarding the Bash bug, posting the bug link for the same here

https://tools.cisco.com/bugsearch/bug/CSCur00930/?reffering_site=dumpcr

Symptoms:
The Cisco Unified Communications Manager (UCM) 10.0 includes a version of bash that is affected by the vulnerabilities
identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-6271
CVE-2014-7169

This bug has been opened to address the potential impact on this product.

Conditions:
Devices with default configuration.

Workaround:
Not available.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Labels:
Comments
Aman Soi
VIP Alumni
VIP Alumni
‎10-06-2014 08:24 AM

Hi Manish,

I could find ciscocm.bashupgrade.cop.sgn available on below Cisco site

http://software.cisco.com/download/release.html?mdfid=284603371&softwareid=282204704&release=COP-Files&flowid=45680

Any advise how do we proceed to exexcute this cop file , we have got CUCM 9.1(2)SU1?

 

regds,

aman

Manish Gogna
Cisco Employee
Cisco Employee
‎10-06-2014 08:41 AM

Hi Aman,

The installation requirements and process for the same is outlined in the read me file here

http://www.cisco.com/web/software/282204704/18582/CiscoBashCodeInjectionVulnerabilityPatchv2.pdf

HTH

Manish

 

Aman Soi
VIP Alumni
VIP Alumni
‎10-06-2014 09:09 AM

Thanks Manish for the same[+5].

Let me take call with customer so that we can apply the same.

there is a similar discussion in which show tech version is being discussed .

https://supportforums.cisco.com/discussion/12311531/cucm-shellshock-versions#comment-9986951

Any idea if we could check something related to bash.

regds,

aman

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents