The following vulnerability seems to be accessible only via the web-based management interface of Cisco Expressway Series and Cisco TelePresence VCS.
However, the Cisco Security Advisory is somewhat unclear on whether this can then still be exploited, as it states “There are no workarounds that address these vulnerabilities.”
One would think that disabling access to the web-based management interface would be sufficient?
Yes indeed. It's the "if possible" part.
It's for a company with a multi-layered management team, and it's also holiday season, so currently there are few people who are able to make decisions on this (the rest went skiing :-)).
So it would be great if Cisco could state that it's fine to upgrade at a somewhat later time if the management interfaces are closed off.
Ok, yes, but that's the normal setup with the firewalls.
But still, you can't disable the full web service. If you block the traffic (e.g. 443), then you won't be able to manage it via the GUI, or you will cut off your MRA feature (on port 8443).
You could re-configure the GUI port to e.g. 7443, but then this port is open again.
Still, you would not really shut down the web service, and as such you would be affected by the defect.
Having rules in place to limit traffic to the bare minimum for the service to work is best practice. Part of this would definitely be to only allow access to the web UI from internal sources.