09-26-2014 09:09 AM - edited 03-17-2019 12:18 AM
Bug ID CSCur00930 lists version 9.1(2.13058.1) as affected.
Does this mean ONLY 9.1(2.13058.1) is affected, or does it mean 9.1(2.13058.1) and lower are affected?
09-26-2014 09:43 AM
I notice that the affected version, 9.1.2.13058-1 (SR3), is not available for download. The highest available as of 9/26/14 is SR2a, which is 9.1.2.12901-3.
I too am curious if lower versions of 9.1(2) are affected.
Oddly, I see that the description says 10.0 is affected, but the "Known Affected Releases" only says 9.1.2. So, is 10.0 affected or not?
09-26-2014 10:28 AM
What I noticed is they are not listing older versions on many of the "affected" systems, like WLC. I know that 7.6.130 has many issues prior to it that are basically the same with bug fixes.
What about Unity Connection, does it not also run on a Linux platform? Singlewire (Informacast) is also affected by this. Are all WAAS versions affected? There are a lot of systems out there, so knowing whether they are posting versions on the assumption that all prior releases are included is a must-know.
09-26-2014 11:19 AM
Keep an eye on this link and on the bugs for further information:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
You may also open a TAC for further information.
09-26-2014 11:37 AM
Already am, that's where I got the previous information from. It's deceiving though since it lists only one specific version.
09-30-2014 07:45 AM
The details listed in the defect description will be more accurate than the actual Version field, since there is a limit in being able to enumerate all versions. As described in the Symptoms listed in CSCur00930, UCM versions 8, 9, and 10 are impacted.
We are working to make that more clear in the published information.
Please note from the Security Advisory (http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash) that Unity Connection is listed on the impacted products, with CSCur05328 tracking that fix. This will be updated with more details as they are confirmed.
10-25-2014 07:30 AM
My customer setup UCM running on 9.1.1.20000-5 & I understand the patch (COP file) can be applied directly to handle this vulnerability.
From the case notes, I can see that the known fixed version in the 9.X series is 9.1(2.13060.1).
Can I proceed with upgrading the version from 9.1.1.20000-5 to 9.1(2.13060.1)?
Would that be enough to handle this bug, and I don't need to separately update the patch, right? Please suggest.
Thanks
JP
10-27-2014 08:39 AM
Hi JP,
Yes, 9.1.2.13060-1 and later 9.1(2) versions have the bash Shellshock update included. Upgrading to that version will address this issue.
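The comparison discussed above, as an added example that is not part of the original thread and is not Cisco code: it normalizes the two version notations used in these posts and checks a 9.1(2) build against the fixed build 9.1.2.13060-1 quoted in the reply. The function names are hypothetical, and the result says only whether a release ships with the fix, not whether the COP file was applied.

```python
import re

# Fixed build the thread gives for the 9.1(2) train: 9.1.2.13060-1.
FIXED_9_1_2 = (9, 1, 2, 13060, 1)

# The two notations used in the thread for the same build:
#   bug-record style    9.1(2.13058.1)
#   download/CLI style  9.1.2.13058-1
_PAREN = re.compile(r"(\d+)\.(\d+)\((\d+)\.(\d+)\.(\d+)\)")
_DOTTED = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text):
    """Return (major, minor, maint, build, rev) for either notation."""
    text = text.strip()
    for pattern in (_PAREN, _DOTTED):
        match = pattern.fullmatch(text)
        if match:
            return tuple(int(part) for part in match.groups())
    # Names such as "9.1(2)SU1" carry no build number to compare.
    raise ValueError(f"no full build number in {text!r}")


def includes_bash_fix(text):
    """True/False inside the 9.1(2) train, None where the thread gives no fixed build.

    This reports only whether the release ships with the fix; a system that
    had the COP file applied is patched without its version changing.
    """
    version = parse_version(text)
    if version[:3] != FIXED_9_1_2[:3]:
        return None  # e.g. 9.1(1), 8.x, 10.x: not answered by this comparison
    return version >= FIXED_9_1_2


def triage(versions):
    """Map each version string to a short action label."""
    labels = {True: "fix included", False: "apply COP or upgrade",
              None: "not decided by build number"}
    return {v: labels[includes_bash_fix(v)] for v in versions}


if __name__ == "__main__":
    # Version strings quoted in the thread.
    for ver, label in triage(["9.1(2.13058.1)", "9.1.2.12901-3",
                              "9.1.1.20000-5", "9.1(2.13060.1)"]).items():
        print(f"{ver:16} {label}")
```
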
09-26-2014 11:30 AM
Unity Connection uses the same platform, including the same OS, in fact it is installed from the same DVD. My guess is the list of vulnerable products will grow as Cisco figures out what products use BASH.
10-03-2014 06:07 AM
To my understanding, all the GNU Bash versions 4.3 and prior are vulnerable, and the above said operating system bash version contains 3.2 (32.el5). You can check with the command “show tech version”. The patch ciscocm.bashupgrade.cop.sgn should be applied on the affected version, and it fixes CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, and CVE-2014-7169.
10-05-2014 11:49 PM
I run version 9.1.1. The COP file released the 1st of October requires version 9.1.2 to be applied. Does this mean we have to upgrade to 9.1.2 first and then apply the fix for BASH?
10-06-2014 07:09 AM
This COP can be applied to 9.1(1). However, please understand that there are other PSIRT fixes that 9.1(1) does *not* have (such as http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130821-cucm), which is why Cisco always recommends current versions such as 9.1(2).
10-06-2014 07:28 AM
Thank you kerussel, I will apply the shellshock hotfix asap, and then plan an upgrade to 9.1.2 in the next weeks.
10-06-2014 07:41 AM
One point to remind customers of who are planning upgrades *after* installing the bash patch (as called out in the Readme http://www.cisco.com/web/software/282204704/18582/CiscoBashCodeInjectionVulnerabilityPatchv2.pdf ):
"When upgrading to a new release of Cisco Unified Communications Manager, make sure that the updates in this release are included in the version you are upgrading to. If an ES or SU is installed after this update that does not also contain the fixes referenced in “Updates in This Release” then this update will need to be reapplied after the ES or SU is installed."
So, until Cisco has released a 9.1(2) version that also contains this bash fix (a 9.1(2)ES version first), anyone upgrading to 9.1(2) (recommended latest SU) will need to *re-apply this patch after the upgrade*. The defect details for CSCur00930 will continue to be updated with the Communications Manager versions that natively contain this patch as those are made available.
10-06-2014 08:22 AM
Hi Kenneth,
We are running CUCM version 9.1(2)SU1.
Do we need to apply ciscocm.bashupgrade.cop.sgn, or should we upgrade to the latest CUCM 9.1(2)SU2a?
Please advise.
regds,
aman