This document provides installation instructions for ICM11.0(2) ES21. It also contains a list of ICM issues resolved by this engineering special. Please review all sections in this document pertaining to installation before installing the product. Failure to install this engineering special as described may result in inconsistent ICM behavior.
This document contains these sections:
The Product Alert Tool offers you the ability to set up one or more profiles that will enable you to receive email notification of new Field Notices, Product Alerts or End of Sale information for the products that you have selected.
The Product Alert Tool is available at http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice
This section provides information to help you understand on which ICM servers ICM11.0(2) ES21 can and should be installed, that is, which versions, components and servers are supported and which are not.
This section also describes which components of the system can be installed together and which cannot.
This section lists the ICM components on which this engineering special can be installed, and those on which it cannot.
ICM11.0(2) ES21 is compatible with and should be installed on these ICM components:
Do not install this engineering special on any ICM component other than those listed above.
1) Stop all ICM services and close ICM Service Control.
2) Install the ES patch.
3) Restart the system.
4) Start the services.
To uninstall this patch, go to Control Panel. Select "Add or Remove Programs". Find the installed patch in the list and select "Remove".
Note: Patches have to be removed in the reverse order in which they were installed. For example, if you had installed patches 3, then 5, then 10 for a product, you will need to uninstall patches 10, 5 and 3 in that order to remove all patches for that product.
This section provides a list of significant ICM defects resolved by this engineering special. It contains these subsections:
Note: You can view more information on and track individual ICM defects using the Cisco Bug Toolkit located at: http://www.cisco.com/support/bugtools/Bug_root.html
This section lists caveats specifically resolved by ICM11.0(2) ES21. Caveats in this section are ordered by ICM component, severity, and then identifier.
Identifier | Severity | Component | Headline
CSCux34589 | 2 | security | Evaluation of icm for Java_December_2015
CSCux59474 | 6 | security | Cisco Unified Contact Center Enterprise Cross Site Script Vulnerability
CSCvb48529 | 2 | security | Evaluation of icm for Openssl September 2016
Caveats are ordered by severity then defect number.
Defect Number: CSCux34589
Component: security
Severity: 2
Headline: Evaluation of icm for Java_December_2015
Symptom: Cisco Computer Telephony Integration Object Server (CTIOS); Cisco Unified Contact Center Enterprise; Cisco Unified Intelligent Contact Management Enterprise includes a version of the Commons Collections library that is affected by the vulnerability identified by the Common Vulnerabilities and Exposures (CVE) ID CVE-2015-6420. This product is affected by the listed CVE ID.
Conditions: Exposure is not configuration dependent. All versions back to 9.0(4) are vulnerable.
Workaround: Not available.
Further Problem Description: ETA for the fix is Mid-March.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.1:
http://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from
multiple sources. This includes the CVSS score assigned by the third-party
vendor when available. The CVSS score assigned may not reflect the actual
impact on the Cisco Product. Additional information on Cisco's security
vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Defect Number: CSCux59474
Component: security
Severity: 6
Headline: Cisco Unified Contact Center Enterprise Cross Site Script Vulnerability
Symptom: A vulnerability in the HTTP web-based management interface of the Cisco Unified Contact Center Enterprise could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system. The vulnerability is due to insufficient input validation of a user-supplied value. An attacker could exploit this vulnerability by convincing a user to click on a specific link.
Conditions: Device running with default configuration running an affected
version of software.
Workaround: None.
Further Problem Description: Additional information about XSS attacks and potential mitigations can be found at:
http://www.cisco.com/en/US/products/cmb/cisco-amb-20060922-understanding-xss.html
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.7:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:U/RC:C&version=2.0
CVE ID CVE-2016-1439 has been assigned to this issue. Additional information on
Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
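The entry above attributes the XSS to a user-supplied value that is reflected into the management page without adequate validation. The following Python example is added here to illustrate that defect class and its standard mitigation (context-aware output encoding, the approach the OWASP reference above describes); it is not code from the product and the page template, parameter names and the probe value are all constructed for the example.

```python
import html
from urllib.parse import quote

# Constructed stand-in for a management page that echoes a user-supplied
# parameter back into its HTML (not the product's real page or template).
PAGE_TEMPLATE = (
    "<html><body>"
    "<h1>Results for {text}</h1>"
    '<input type="text" value="{attr}">'
    '<a href="/search?q={url}">search again</a>'
    "</body></html>"
)


def render_unsafe(param):
    """The defect class described above: the parameter is reflected verbatim
    into three different HTML contexts, so markup inside it becomes live markup."""
    return PAGE_TEMPLATE.format(text=param, attr=param, url=param)


def render_safe(param):
    """Hardened form: encode for the context each copy lands in. html.escape
    covers element text and (with quote=True) attribute values; quote() covers
    a URL query component."""
    return PAGE_TEMPLATE.format(
        text=html.escape(param, quote=True),
        attr=html.escape(param, quote=True),
        url=quote(param, safe=""),
    )


def reflects_raw_markup(page, param):
    """Detection check for a captured response: does the parameter come back
    with its markup-significant characters unencoded?"""
    return any(c in param for c in "<>\"'") and param in page


if __name__ == "__main__":
    # Constructed probe containing tag and quote characters (no script).
    probe = '<b title="x">probe</b>'
    print(reflects_raw_markup(render_unsafe(probe), probe))  # True
    print(reflects_raw_markup(render_safe(probe), probe))    # False
```

The same probe serves as a regression check after patching: a response in which `reflects_raw_markup` returns True still reflects markup unencoded, whichever context it lands in.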
Defect Number: CSCvb48529
Component: security
Severity: 2
Headline: Evaluation of icm for Openssl September 2016
Symptom: The product Cisco Computer Telephony Integration Object Server (CTIOS); Cisco Unified Contact Center Enterprise; Cisco Unified Intelligent Contact Management Enterprise includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerabilities and Exposures (CVE) IDs: CVE-2016-6304, CVE-2016-6305, CVE-2016-2183, CVE-2016-6303, CVE-2016-6302, CVE-2016-2182, CVE-2016-2180, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2181, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-7052, as disclosed in https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl
Cisco has reviewed and concluded that this product is affected by the following CVE IDs:
CVE-2016-6304: TLS OCSP Stapling extension Status Request memory consumption vulnerability
CVE-2016-2183: Birthday attack against 64-bit block ciphers in TLS, also known as SWEET32
CVE-2016-2180: OOB read in TS_OBJ_print_bio()
CVE-2016-2177: Pointer arithmetic undefined behaviour
CVE-2016-2178: DSA cache-timing side channel attack
CVE-2016-6306: Certificate message OOB reads
This product is not affected by the following CVE IDs:
CVE-2016-6305: SSL_peek() hang on empty record
CVE-2016-6303: OOB write in MDC2_Update()
CVE-2016-6302: Malformed SHA512 ticket DoS
CVE-2016-2182: OOB write in BN_bn2dec()
CVE-2016-2179: DTLS buffered message DoS
CVE-2016-2181: DTLS replay protection DoS
CVE-2016-6307: Excessive allocation of memory in tls_get_message_header()
CVE-2016-6308: Excessive allocation of memory in dtls1_preprocess_fragment()
CVE-2016-6309: Fix Use After Free for large message sizes
CVE-2016-7052: Missing CRL sanity check
Conditions: Exposure is not configuration dependent.
Workaround: None.
Further Problem Description: Additional details about those vulnerabilities can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base CVSS score as of the time of evaluation is 5.0:
https://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:UR
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
The following sections provide sources for obtaining documentation from Cisco Systems.
You can access the most current Cisco documentation on the World Wide Web at the following sites:
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Cisco documentation is available in the following ways:
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:
Attn Document Resource Connection
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
To access Cisco.com, go to: http://www.cisco.com
The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website: http://www.cisco.com/tac
P3 and P4 level problems are defined as follows:
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.
To register for Cisco.com, go to the following website: http://www.cisco.com/register/
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website: http://www.cisco.com/tac/caseopen
If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
P1 and P2 level problems are defined as follows: