05-24-2020 05:59 PM - edited 05-24-2020 08:29 PM
As you may be aware, the following critical vulnerability has been released for CCX.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-rce-GMSC6RKN
Does anyone know what port Java Remote Management listens on on the CCX server? Is this just web ports 80/443?
Contact Center, UCCX
05-26-2020 11:33 AM - edited 06-02-2020 05:30 AM
This is from the port utilization guide, so I'd guess it's 6999, but I cannot say for certain.
TCP ephemeral ports are used to accept connections during Java RMI communication. Java RMI clients know which port they need to connect to, because RMI first connects to the RMI Registry (well-known port 6999) and gets the information about which ephemeral port the client needs to connect to. AppAdmin, Engine and CVD use RMI communication in CCX/IP-IVR, so the TCP ephemeral port range is opened up for intracluster communication between these processes.
Source: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_6_2/configuration/guide/uccx_b_ccx-solution-port-guide-1162/uccx_b_ccx-solution-port-guide-1162_chapter_01.html
UPDATE:
In the Read Me for 11.6(2)ES06 it states that it might be TCP 12499. I'm still not certain though. I just report what I find.
Defect ID: CSCvq58289 | Description: Cisco UCCX RMI registry port was identified on tcp/12499 exposing JMX w/o Authentication | Severity: Sev3
EDIT: It's both ports and there are two different defects, each addressing one of the ports.
05-26-2020 05:00 PM
Thanks, I realise there's no workaround, but I'm just trying to figure out if there's some mitigation that can be done in the interim until we plan the patch and maintenance window. If you run the UCS on its own network behind a firewall, is this vulnerable CCX endpoint only used by the UCS servers in the cluster, or do agents using Finesse need access to these ports?
05-27-2020 11:06 PM
05-28-2020 04:35 AM
05-28-2020 09:12 AM - edited 06-02-2020 05:29 AM
Juicy info! Thanks!
EDIT: I opened my own TAC case and was told 11.6(2)ES06 does not fully fix the issue, though it does contain a related fix.
Also, Lior posted their TAC case notes sharing the same.
06-01-2020 08:52 PM
Hi guys, the following are answers from TAC.
Maybe you can find it helpful.
Q1: Which version should one upgrade to get a complete fix?
A: The customer should move to 12.0ES03 to get a complete fix for the vulnerability.
Q2: What versions are vulnerable?
A: All versions prior to 12.0ES03 are vulnerable. 12.5 is not impacted by this vulnerability.
Q3: What should a customer do if they don't wish to upgrade to 12.0ES03?
A: The customer should move to 1162ES06 to get a fix for defect CSCvq58289 [Bug-Preview for CSCvq58289] and block port 6999 on the firewall. The port should be blocked towards both UCCX nodes if it is an HA deployment. (Blocking a port on the firewall does ensure higher security, but it is not a bulletproof solution if some attacker manages to get past the firewall.)
Q4: What is the impact of blocking port 6999 on the firewall?
A: Port 6999 RMI is used for intracluster communication and also for clients like RTR and the script editor. So if customers have RTR or the script editor communicating through the firewall, they won't be able to use these clients.
Q5: Why can't the fix for defect CSCvq58235 be ported to 11.x?
A: Fixing the problem requires upgrading the Apache Commons Collections (ACC) libraries. UCCX 11.x has many components using ACC libraries, and this dependency for all components cannot be fulfilled in version 11.6.2.
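One way to verify the firewall block TAC describes (6999, plus 12499 from CSCvq58289, towards both HA nodes) from the agent/Finesse side, written as an added example that is not code from this thread or from Cisco; the node names are placeholders you replace with your own publisher and subscriber:

```python
import socket

# Ports discussed in the thread: the RMI registry on 6999 and the RMI/JMX
# port on 12499 from defect CSCvq58289. Node names below are placeholders.
UCCX_RMI_PORTS = {6999: "RMI registry", 12499: "RMI/JMX (CSCvq58289)"}

def probe(host, port, timeout=2.0):
    """TCP-connect to host:port and classify the outcome.
    'open'    - a listener accepted the connection (port is exposed)
    'refused' - host answered with RST: reachable, nothing listening
    'blocked' - no answer before the timeout: typically a firewall drop
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "blocked"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:  # unreachable network, DNS failure, ...
        return f"error: {exc.strerror or exc}"

def check_nodes(nodes, ports=UCCX_RMI_PORTS, timeout=2.0):
    """Probe every port on every node (both nodes of an HA pair) and return
    {(node, port): state}. Run it from the agent/Finesse network: after the
    firewall change TAC recommends, 6999 should come back 'blocked'."""
    return {(node, port): probe(node, port, timeout)
            for node in nodes for port in ports}

def exposed(results):
    """Return the (node, port) pairs still reachable after the firewall change."""
    return sorted(k for k, state in results.items() if state == "open")

def demo_local():
    """Offline self-check: probe a local listener, then the same port once closed."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = probe("127.0.0.1", port)
    after_close = probe("127.0.0.1", port)
    return while_open, after_close  # ('open', 'refused')

if __name__ == "__main__":
    # Placeholder node names; replace with the UCCX publisher and subscriber.
    results = check_nodes(["uccx-pub.example.invalid", "uccx-sub.example.invalid"])
    print(results)
    print("still exposed:", exposed(results))
```

A result of 'open' for 6999 from the agent network means the block is not in place; 'refused' means the traffic reaches the node but nothing is listening, which is not the same as a firewall drop.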
06-02-2020 05:29 AM
06-15-2020 02:31 AM