About this Document

This document provides installation instructions for ICM11.0(2) ES21. It also contains a list of ICM issues resolved by this engineering special. Please review all sections in this document pertaining to installation before installing the product. Failure to install this engineering special as described may result in inconsistent ICM behavior.

This document contains these sections:

Signup to Receive Email Notification of New Field Notices

The Product Alert Tool offers you the ability to set up one or more profiles that will enable you to receive email notification of new Field Notices, Product Alerts or End of Sale information for the products that you have selected.

The Product Alert Tool is available at http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice

About Cisco ICM (and ICM Engineering Specials)

Explain how this particular patch (service release or engineering special) is used -- does it play nice with other patches?
Be sure to include ALL of the changes for the files you're delivering, i.e. all of the info from the release notes of the previous ES which included these files.

ICM Compatibility and Support Specifications

This section provides information to help you understand on which ICM servers ICM11.0(2) ES21 can and should be installed. "these versions/components/servers are supported, and these other ones aren't".

ICM Version Support

ICM 11.0(2)

ICM Component Support

This section is like "version support", except that you need to describe which components of the system can be installed together and which can't. Really only necessary for multiple-component systems, like ICM.

This section lists the ICM components on which this engineering special can be installed, and those on which it cannot.

Supported ICM Components

ICM11.0(2) ES21 is compatible with and should be installed on these ICM components:

Unsupported ICM Components

Do not install this engineering special on any of the following components other than:

ICM Engineering Special Installation Planning

In this section, you should describe all steps users need to take before starting to install this patch. Also describe any "gotchas" that are waiting for them, such as "this patch should be applied late at night, because it needs to shut everything down" or "the components need to be installed in this specific order".

Installing ICM11.0(2) ES21

1)      Stop all icm services and close icm service control.

2)      Install the ES Patch.

3)      Restart the system.

4)      Start the services.

Uninstall Directions for ICM11.0(2) ES21

To uninstall this patch, go to Control Panel. Select "Add or Remove Programs". Find the installed patch in the list and select "Remove".

Note: Patches have to be removed in the reverse order in which they were installed. For example, if you had installed patches 3, then 5, then 10 for a product, you will need to uninstall patches 10, 5 and 3 in that order to remove all patches for that product.

Resolved Caveats in this Engineering Special

This section provides a list of significant ICM defects resolved by this engineering special. It contains these subsections:

Note: You can view more information on and track individual ICM defects using the Cisco Bug Toolkit located at: http://www.cisco.com/support/bugtools/Bug_root.html

Resolved Caveats in ICM11.0(2) ES21

This section lists caveats specifically resolved by ICM11.0(2) ES21.

Index of Resolved Caveats

Caveats in this section are ordered by ICM component, severity, and then identifier.
Be sure to include ALL of the resolved caveats for the files you're delivering, i.e. all of the caveats from the release notes of the previous ES which included these files.

Identifier

Severity

Component

Headline

CSCux34589

2

security

Evaluation of icm for Java_December_2015

CSCux59474

6

security

Cisco Unified Contact Center Enterprise Cross Site Script Vulnerability

CSCvb48529 2            security            Evaluation of icm for Openssl September 2016

Text Box: As a part of CSCvb48529- Evaluation of icm for Openssl September 2016 we have fixed all the below defects 1) CSCuy07225 2) CSCuy54688 3) CSCuz52360
 

 

 

 


Detailed list of Resolved Caveats in This Engineering Special

Caveats are ordered by severity then defect number.
Be sure to include ALL of the resolved caveats for the files you're delivering, i.e. all of the caveats from the release notes of the previous ES which included these files.

Defect Number: CSCux34589

Component: security

Severity: 2

Headline: Evaluation of icm for Java_December_2015


Symptom: Cisco Computer Telephony Integration Object Server (CTIOS);Cisco Unified Contact Center Enterprise;Cisco Unified Intelligent Contact Management Enterprise includes a version of Commons Collections library that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs: CVE-2015-6420 This product is affected by the listed CVE id.

Conditions: Exposure is not configuration dependent. All versions back to 9.0(4) are vulnerable.

Workaround: Not available.

Further Problem Description: ETA for the fix is Mid-March. PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.5/7.1 http://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Defect Number: CSCux59474

Component: security

Severity: 6

Headline: Cisco Unified Contact Center Enterprise Cross Site Script Vulnerability


Symptom: A vulnerability in the HTTP Web based management interface of the Cisco Unified Contact Center Enterprise could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system. The vulnerability is due to insufficient input validation of a user-supplied value. An attacker could exploit this vulnerability by convincing a user to click on a specific link.

Conditions: Device running with default configuration running an affected version of software.

Workaround: None.

Further Problem Description: Additional information about XSS attacks and potential mitigations can be found at: http://www.cisco.com/en/US/products/cmb/cisco-amb-20060922-understanding-xss.html https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.7: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:U/RC:C&version=2.0 CVE ID CVE-2016-1439 has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Defect Number: CSCvb48529

Component: security

Severity: 2

Headline: Evaluation of icm for Openssl September 2016


Symptom: The product Cisco Computer Telephony Integration Object Server (CTIOS);Cisco Unified Contact Center Enterprise;Cisco Unified Intelligent Contact Management Enterprise includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs:

 

CVE-2016-6304 CVE-2016-6305 CVE-2016-2183 CVE-2016-6303 CVE-2016-6302 CVE-2016-2182 CVE-2016-2180 CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2181 CVE-2016-6306 CVE-2016-6307 CVE-2016-6308 CVE-2016-6309 CVE-2016-7052

 

And disclosed in https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl

 

Cisco has reviewed and concluded that this product is affected by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2016-6304         TLS OCSP Stapling extension Status Request memory consumption vulnerability

CVE-2016-2183         Birthday attack against 64-bit block ciphers in TLS AKA SWEET32

CVE-2016-2180         OOB read in TS_OBJ_print_bio()

CVE-2016-2177         Pointer arithmetic undefined behaviour

CVE-2016-2178         DSA cache-timing side channel attack

CVE-2016-6306         Certificate message OOB reads

 

This product is not affected by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2016-6305         SSL_peek() hang on empty record

CVE-2016-6303         OOB write in MDC2_Update()

CVE-2016-6302         Malformed SHA512 ticket DoS

CVE-2016-2182         OOB write in BN_bn2dec()

CVE-2016-2179         DTLS buffered message DoS

CVE-2016-2181         DTLS replay protection DoS

CVE-2016-6307         Excessive allocation of memory in tls_get_message_header()

CVE-2016-6308         Excessive allocation of memory in dtls1_preprocess_fragment()

CVE-2016-6309         Fix Use After Free for large message sizes

CVE-2016-7052         Missing CRL sanity check

Conditions: Exposure is not configuration dependent.

Workaround: None.

Further Problem Description: Additional details about those vulnerabilities can be found at http://cve.mitre.org/cve/cve.html

 

<b>PSIRT Evaluation:</b>

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base CVSS score as of the time of evaluation is: 5.0

 

https://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:UR

 

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

 

Additional information on Cisco's security vulnerability policy can be found at the following URL:

 

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

 

 

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following sites:

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Attn Document Resource Connection
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to: http://www.cisco.com

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website: http://www.cisco.com/tac

P3 and P4 level problems are defined as follows:

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.

To register for Cisco.com, go to the following website: http://www.cisco.com/register/

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website: http://www.cisco.com/tac/caseopen

Contacting TAC by Telephone

If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

P1 and P2 level problems are defined as follows: