When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt
and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
There are no Cisco Unified CM versions currently available that contain software fixes for the vulnerabilities described in this advisory. This advisory will be updated as fixed software is made available. In the interim, Cisco has released a Cisco Options Package (COP) file that addresses the following vulnerabilities: CSCuh01051
Customers can download and install the COP file as a solution for the previous vulnerabilities while awaiting fixed software versions.
This package will install on the following system versions:
The COP file, cmterm-CSCuh01051-2.cop.sgn,
is located in the Utilities section of the software downloads page
for each of the versions in the preceding list. For instance, the file for 9.1(x) versions would be located by navigating the following path on the software downloads page:
Products -> Voice and Unified Communications -> IP Telephony -> Unified Communications Platform -> Cisco Unified Communications Manager -> Cisco Unified Communications Manager Version 9.1 -> Unified Communications Manager / CallManager / Cisco Unity Connection Utilities-COP-Files
The COP file mitigates the initial attack vector (CSCuh01051) and reduces the documented attack surface. Application of the COP file is highly recommended for all affected Cisco Unified CM product versions.