Cisco Unified Workforce Optimization

Field Notice: FN - 63667 - Cisco Workforce Optimization (WFO) Quality Management (QM) - New Java Release Causes Signed Applets to Hang Browser with Security Pop Up

March 10, 2014


NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

| Revision | Date | Comment |
|---|---|---|
| 1.1 | 10-Mar-2014 | Update in Workaround |
| 1.0 | 07-FEB-2014 | Initial Public Release |

Products Affected

Products Affected
8.5(2), 9.0(1), 10.0(1)  

Problem Description

As of Java Standard Edition (SE) 6 update 45 and Java SE 7 update 45, JavaScript code that calls code within a privileged applet is treated as mixed code, and warning dialogs are raised if the signed .JAR files are not tagged with the Trusted-Library attribute. 

In Java SE 7 update 51, Java again changed the 'Permissions Attribute.' 

Cisco code was implemented to account for this additional Java security. The Workaround/Solution section contains a list of versions where the issue will be corrected. This is part of a continued response to Java security issues that have recently been raised.

Background

7u45 Caller-Allowable-Codebase and Trusted-Library 

| Manifest Attribute | 7u45 | 7u40 and Below |
|---|---|---|
| Only Caller-Allowable-Codebase | No dialog | Displays prompt |
| Only Trusted-Library | Displays prompt | No dialog |
| Both | Displays prompt * | No dialog |

* This will be fixed in a future release so that both attributes can co-exist.

Known Issues (From Oracle)

Area: Deployment/Plugin
Synopsis: Caller-Allowable-Codebase may be ignored when used with Trusted-Library.

If a trusted, signed JAR file is using the Caller-Allowable-Codebase manifest attribute along with Trusted-Library, then the Caller-Allowable-Codebase manifest entry will be ignored. As a result, a JavaScript -> Java call will show the native LiveConnect warning. The workaround is to remove the Trusted-Library manifest entry.
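
The table and known issue above can be checked against a deployed applet JAR by reading its manifest. The following is an added example, not Cisco or Oracle code: it parses the main section of META-INF/MANIFEST.MF and looks up the dialog behaviour from the table in this notice. The function names are hypothetical, the sample manifest and the host name qm.example.test are constructed, and the JAR signature is not verified.

```python
import io
import zipfile

# LiveConnect dialog behaviour copied from the notice's table, keyed by
# (has Caller-Allowable-Codebase, has Trusted-Library) -> (7u45, 7u40 and below)
DIALOG_TABLE = {
    (True, False): ("No dialog", "Displays prompt"),
    (False, True): ("Displays prompt", "No dialog"),
    (True, True): ("Displays prompt", "No dialog"),
}

def main_attributes(manifest_text):
    """Parse the main section of a MANIFEST.MF into a dict with lower-cased names."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():
            if attrs:
                break                      # a blank line ends the main section
        elif line.startswith(" ") and last:
            attrs[last] += line[1:]        # continuation of a wrapped value
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs[last] = value.lstrip()
    return attrs

def audit_jar(jar_bytes):
    """Report the attributes this notice discusses and the expected dialogs."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = main_attributes(text)
    key = ("caller-allowable-codebase" in attrs,
           attrs.get("trusted-library", "").strip().lower() == "true")
    return {
        "permissions": attrs.get("permissions"),
        "caller_allowable_codebase": attrs.get("caller-allowable-codebase"),
        "dialogs": DIALOG_TABLE.get(key),  # None: combination not in the table
    }

def build_sample_jar(manifest):
    """Build an in-memory JAR holding only a manifest (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

# Constructed sample: both attributes present, the case Oracle's known issue describes.
SAMPLE_MANIFEST = ("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n"
                   "Caller-Allowable-Codebase: qm.exam\r\n ple.test\r\n"
                   "Trusted-Library: true\r\n\r\n")

if __name__ == "__main__":
    print(audit_jar(build_sample_jar(SAMPLE_MANIFEST)))
```

Removing the Trusted-Library line from the sample, which is the workaround Oracle gives, changes the 7u45 result from "Displays prompt" to "No dialog".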

Problem Symptoms

When one of the above applications is run in a browser, the user receives a new security warning similar to this: 


Figure 1: Java 6 Security Warning 

Click the More Information link in order to bring up this panel: 


Figure 2: More Information Overview 


Figure 3: Java 7 Security Warning 

If the user is running Java 7 and chooses the Block option, the application will not run properly and the entire browser may lock up.

Workaround/Solution

Defect Number: QM-5111: Issue with the new Java Release. This is the parent defect; this table details other affected versions. 

| Product | Version (where it will be fixed) | Vendor Bug # |
|---|---|---|
| WFO-QM | Cisco 8.5 SR2 ES5 | QM-5111 |
| WFO-QM | Cisco 9.0 SR4 ES6 | QM-5111 |
| WFO-QM | Cisco 10.0(1) ES3 | QM-5111 |

How to Verify 

For WFO-QM, the easiest way to verify this issue is to click the Validate my PC configuration link on the Workforce Optimization login page, and look for the above security warning. 

You can also open the Java application under Control Panel, and inspect the version. 

Additional Resources Regarding Java Changes 

Java 7 Release Highlights 

Mixing Privileged Code and Sandbox Code 

7u45 Caller-Allowable-Codebase and Trusted-Library 

Update 51 release notes, which describe the 'Permission Attribute' changes

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.