CUCM Shellshock versions

tahequivoice
Level 2

Bug ID CSCur00930 lists version 9.1(2.13058.1) as affected.

Does this mean ONLY 9.1(2.13058.1) is affected, or does it mean 9.1(2.13058.1) and lower are affected?

17 Replies

Tim Schroeder
Level 4

I notice that the affected version, 9.1.2.13058-1 (SR3), is not available for download. The highest available as of 9/26/14 is SR2a, which is 9.1.2.12901-3.

I too am curious if lower versions of 9.1(2) are affected. 

Oddly, I see that the description says 10.0 is affected, but the "Known Affected Releases" only says 9.1.2.  So, is 10.0 affected or not?

What I noticed is they are not listing older versions on many of the "affected" systems, like WLC. I know that 7.6.130 has many issues prior to it that are basically the same with bug fixes.

What about Unity Connection, does it not also run on a Linux platform? Singlewire (InformaCast) is also affected by this. Are all WAAS versions affected? There are a lot of systems out there, so knowing whether they are posting versions with the assumption that all prior releases are included is a must-know.

Keep an eye on this link and on the bugs for further information:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

You may also open a TAC for further information.

HTH

java

if this helps, please rate

Already am, that's where I got the previous information from. It's deceiving though since it lists only one specific version.

The details listed in the defect description will be more accurate than the actual Version field, since there is a limit in being able to enumerate all versions. As described in the Symptoms listed in CSCur00930, UCM versions 8, 9, and 10 are impacted.

We are working to make that more clear in the published information.

Please note from the Security Advisory (http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash) that Unity Connection is listed on the impacted products, with CSCur05328 tracking that fix. This will be updated with more details as they are confirmed.

My customer setup has UCM running on 9.1.1.20000-5, and I understand the patch (COP file) can be applied directly to handle this vulnerability.

From the case notes, I can see that the known fixed version in the 9.X series is 9.1(2.13060.1).

Can I proceed with upgrading the version from 9.1.1.20000-5 to 9.1(2.13060.1)?

Would that be enough to handle this bug, and I don't need to separately update the patch, right? Please suggest.

Thanks

JP

Hi JP,

Yes, 9.1.2.13060-1 and later 9.1(2) versions have the bash Shellshock update included. Upgrading to that version will address this issue.
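
An added example, not part of the original thread or any Cisco tooling: the thread writes the same build two ways, 9.1(2.13058.1) and 9.1.2.13058-1, so this sketch normalizes both notations and compares a version against the 9.1(2) build named above as natively containing the bash update. The status labels and function names are assumptions chosen for illustration.

```python
import re

# Build the thread names as the first 9.1(2) build with the bash update included.
FIXED_9_1_2 = (9, 1, 2, 13060, 1)

# The two notations that appear in the thread for the same build.
PATTERNS = (
    re.compile(r"(\d+)\.(\d+)\((\d+)\.(\d+)\.(\d+)\)"),  # 9.1(2.13058.1)
    re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)"),      # 9.1.2.13058-1
)


def parse_version(text):
    """Return (major, minor, maint, build, rev) for either notation."""
    for pattern in PATTERNS:
        match = pattern.fullmatch(text.strip())
        if match:
            return tuple(int(part) for part in match.groups())
    # Marketing names such as "9.1(2)SU1" carry no build number to compare.
    raise ValueError(f"no build number in {text!r}; look up the full version first")


def classify(text):
    """Map a CUCM version string to what the thread says about it."""
    version = parse_version(text)
    if version[:3] == (9, 1, 2):
        if version >= FIXED_9_1_2:
            return "fix-included"
        return "patch-required"
    if version[0] in (8, 9, 10):
        # Impacted per CSCur00930, but the thread gives no fixed build here.
        return "check-bug-details"
    return "not-covered-by-thread"


if __name__ == "__main__":
    # Versions quoted in the thread, plus one marketing name that cannot be compared.
    for sample in ("9.1(2.13058.1)", "9.1.2.12901-3", "9.1.1.20000-5",
                   "9.1(2.13060.1)", "9.1(2)SU1"):
        try:
            print(f"{sample:16} {classify(sample)}")
        except ValueError as err:
            print(f"{sample:16} unresolved: {err}")
```

The result reflects the version string only; it does not tell you whether the COP file has already been installed on a system reporting an older build.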

Unity Connection uses the same platform, including the same OS, in fact it is installed from the same DVD.  My guess is the list of vulnerable products will grow as Cisco figures out what products use BASH.

Abbas Hussain
Level 1

To my understanding, all the GNU Bash versions 4.3 and prior are vulnerable, and the above said operating system bash version contains 3.2 (32.el5). You can check with the command “show tech version”. The patch ciscocm.bashupgrade.cop.sgn should be applied on affected versions, and it fixes CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, and CVE-2014-7169.

Yorick Petey
Level 4

I run a version 9.1.1. The COP file released the 1st of October requires version 9.1.2 to be applied. Does this mean we have to upgrade to 9.1.2 first and then apply the fix for BASH?

This COP can be applied to 9.1(1). However, please understand that there are other PSIRT fixes that 9.1(1) does *not* have (such as http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130821-cucm), which is why Cisco always recommends current versions such as 9.1(2).

Thank you kerussel, I will apply the shellshock hotfix asap, and then plan an upgrade to 9.1.2 in the next weeks.

One point to remind customers of who are planning upgrades *after* installing the bash patch (as called out in the Readme http://www.cisco.com/web/software/282204704/18582/CiscoBashCodeInjectionVulnerabilityPatchv2.pdf ):

"When upgrading to a new release of Cisco Unified Communications Manager, make sure that the updates in this release are included in the version you are upgrading to. If an ES or SU is installed after this update that does not also contain the fixes referenced in “Updates in This Release” then this update will need to be reapplied after the ES or SU is installed."

So, until Cisco has released a 9.1(2) version that also contains this bash fix (a 9.1(2)ES version first), anyone upgrading to 9.1(2) (recommended latest SU) will need to *re-apply this patch after the upgrade*. The defect details for CSCur00930 will continue to be updated with the Communications Manager versions that natively contain this patch as those are made available.

Hi Kenneth,

We are running CUCM version 9.1(2)SU1.

Do we need to apply ciscocm.bashupgrade.cop.sgn, or should we upgrade to the latest CUCM 9.1(2)SU2a?

Please advise.

regds,

aman
