03-26-2009 11:06 PM
Vulnerabilities were found on the CiscoWorks server, and the patches/recommendations below should be applied. Please check the items below and advise if these will not affect CiscoWorks LMS 2.6. Kindly also advise what the latest versions supported by LMS 2.6 are.
Sun Java Runtime Environment (JRE) - Upgrade to the latest version
Cisco Security Manager - Upgrade Cisco Security Manager to the newest available version
SSL 2.0 - Disable SSL 2.0. Upgrade to SSLv3, TLSv1, or newer protocol
Multiple insecure remote control services are running - Disable the following services and migrate to a more secure alternative such as SSH: rsh, rlogin, rexec
03-26-2009 11:17 PM
You cannot upgrade the JRE beyond what Cisco recommends. As security vulnerabilities are announced, we review them, and post updates as needed. Assuming you apply all of the relevant security patches at http://www.cisco.com/cgi-bin/tablebuild.pl/cw2000-cd-one and http://www.cisco.com/cgi-bin/tablebuild.pl/cd-one-3des you should be safe.
I believe the latest version of Cisco Security Management Suite is 3.2. I am not sure what the upgrade path is. You could inquire on the Security Network Management forum.
SSLv2 cannot be disabled in LMS. It is still required for some legacy components. However, you can always use SSLv3 and TLS 1.0 in your browser. We do support those newer protocols.
If you are not using RCP in your network, you can disable the CWCS rsh service. This will not affect the rest of LMS.
03-26-2009 11:26 PM
What is the recommended version of JRE for Ciscoworks LMS 2.6?
03-27-2009 05:58 AM
According to the quick start guide for LMS 2.6, the required JRE for client browsers is JRE 1.4.2_10.
Note that LMS is very particular about using that specific JRE version. Checks verifying its presence are hard-coded into the program. If supplying clients with that specific version is a problem in your environment, you might consider using a client that is accessible from your larger enterprise via RDP. Go from whatever client via remote desktop to the JRE 1.4.2_10 client and thence onto CiscoWorks.
Hope this helps. Please rate this post if it does.
03-27-2009 12:52 AM
How can we know if we are not using RCP? And where can we find the CWCS rsh service?
03-27-2009 06:05 AM
rcp is used as an alternative, more secure, transport than tftp. It is typically used in this context for downloading new IOS/CatOS images from the CW server to your network devices. See the guide at http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_configuration_example09186a00800a8765.shtml#rcp for more information.
That reference shows where to disable rcp in the appropriate CW dialog boxes. You can confirm that has been done by checking your running daemon processes (on Unix) or services (on Windows) on your CW server(s).
Hope this helps. Please rate this post if it does.
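Added example, not part of the original thread or any Cisco tooling: besides looking at the process or service list, the rsh/rlogin/rexec finding can be confirmed by checking for listeners on the well-known r-service TCP ports (512 exec, 513 login, 514 shell) in `netstat -an` output. The function and sample data below are constructed for illustration; the parser assumes the Windows, Solaris or Linux netstat layouts.

```shell
#!/bin/sh
# Added example: list r-services that are still listening.
# Input:  `netstat -an` output on stdin (Windows, Solaris or Linux layout).
# Output: one "port service" line per listening r-service; empty if none.
find_r_services() {
    awk '
        BEGIN { svc[512] = "rexec"; svc[513] = "rlogin"; svc[514] = "rsh" }
        # Keep listening sockets only: Windows prints LISTENING, Unix LISTEN.
        # UDP rows (e.g. syslog on 514/udp) carry no such state and drop out.
        $NF !~ /^LISTEN/ { next }
        {
            # The local address is the first field ending in ".port" or
            # ":port" ("*.514" on Solaris, "0.0.0.0:514" elsewhere).
            for (i = 1; i <= NF; i++) {
                if ($i ~ /[.:][0-9]+$/) {
                    port = $i
                    sub(/^.*[.:]/, "", port)
                    if ((port in svc) && !seen[port]++) print port, svc[port]
                    break
                }
            }
        }
    ' | sort -n
}

# Constructed sample: Windows-style rows followed by Solaris-style rows.
sample_netstat() {
    cat <<'EOF'
  TCP    0.0.0.0:443      0.0.0.0:0      LISTENING
  TCP    0.0.0.0:514      0.0.0.0:0      LISTENING
  TCP    10.0.0.5:1741    10.0.0.9:514   ESTABLISHED
  UDP    0.0.0.0:514      *:*
      *.512                *.*                0      0 49152      0 LISTEN
      *.514                *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
EOF
}

# On a real server: netstat -an | find_r_services
sample_netstat | find_r_services
```

An empty result after disabling the service and re-running the check means nothing is listening on those ports any more.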