This document provides installation instructions for ICM11.0(2) ES38. It also contains a list of ICM issues resolved by this engineering special. Please review all sections in this document pertaining to installation before installing the product. Failure to install this engineering special as described may result in inconsistent ICM behavior.
This document contains these sections:
The Product Alert Tool offers you the ability to set up one or more profiles that will enable you to receive email notification of new Field Notices, Product Alerts or End of Sale information for the products that you have selected.
The Product Alert Tool is available at http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice
11.0(2)
ICM11.0(2) ES38 is compatible with and should be installed on these ICM components:
Do not install this engineering special on any component other than the following:
Please verify that the system does not have ES21 (marked Bad) installed. If it is installed, uninstall ES21 before installing ES38. Installation of this patch requires the respective ICM service to be shut down during the entire period of installation. It is always recommended to install this ES during a scheduled downtime.
· Using the ICM Service Control, stop the required component and all other UCCE components.
· Launch the Installer provided for ES38 and follow the instructions on the screen.
· Using the ICM Service Control, start the UCCE services again.
If you are using a self-signed certificate, do the following steps after installing this ES:
· Open a command prompt.
· cd c:\icm\serviceability\diagnostics\bin
· Run the command 'DiagFwCertMgr.exe /task:CreateAndBindCert'.
If you are using a third-party certificate, the above steps are not required and you can continue to use the existing third-party signed certificate.
To uninstall this patch, go to Control Panel. Select "Add or Remove Programs". Find the installed patch in the list and select "Remove".
Note: Patches have to be removed in the reverse order in which they were installed. For example, if you had installed patches 3, then 5, then 10 for a product, you will need to uninstall patches 10, 5 and 3 in that order to remove all patches for that product.
This section provides a list of significant ICM defects resolved by this engineering special. It contains these subsections:
Note: You can view more information on and track individual ICM defects using the Cisco Bug Toolkit located at: http://www.cisco.com/support/bugtools/Bug_root.html
This section lists caveats specifically resolved by ICM11.0(2) ES38.
Caveats in this section are ordered by ICM component, severity, and then identifier.
Identifier | Severity | Component | Headline
CSCuy07225 | 2 | security | Evaluation of icm for OpenSSL January 2016
CSCuy54688 | 2 | security | Evaluation of icm for OpenSSL March 2016
CSCvb48529 | 2 | security | Evaluation of icm for Openssl September 2016
CSCuz52360 | 2 | security | Evaluation of icm for OpenSSL May 2016
CSCva77070 | 3 | security | Error Message During Open SSL Certificate Installation
Caveats are ordered by severity then defect number.
Defect Number: CSCuy07225
Component: security
Severity: 2
Headline: Evaluation of icm for OpenSSL January 2016
Symptom: Cisco Computer Telephony Integration Object Server (CTIOS); Cisco Unified Contact Center Enterprise; Cisco Unified Intelligent Contact Management Enterprise includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-0701 CVE-2015-3197
And disclosed in http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl
This bug has been opened to address the potential impact on this product.
Conditions: Exposure is not configuration dependent. Cisco has reviewed and concluded that this product is affected by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-0701
This product is not affected by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-3197
Workaround: Not available.
Further Problem Description: Additional details about those vulnerabilities can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 5.8/4.5
http://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AAV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
One or more of the following links will take you to an emergency patch called an Engineering Special or ES. If you are not directly experiencing this problem, we encourage you to select or wait for a formally tested fix in an upcoming major, minor, or maintenance release. Installing any interim emergency patch or ES on a production system poses a risk of instability due to the limited testing it receives. If you believe you are currently experiencing this problem and you cannot wait for a later release, please select the link for the ES built for your system. To identify the base version for this ES, please remove _ES?? from the version name listed below. That will give you the version of the tested base release you may install a given ES over. Be sure to read the release notes or Readme file before running the patch installer.
Defect Number: CSCuy54688
Component: security
Severity: 2
Headline: Evaluation of icm for OpenSSL March 2016
Symptom: Cisco Computer Telephony Integration Object Server (CTIOS); Cisco Unified Contact Center Enterprise; Cisco Unified Intelligent Contact Management Enterprise includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-0800 CVE-2016-0705 CVE-2016-0798 CVE-2016-0797 CVE-2016-0799 CVE-2016-0702 CVE-2016-0703 CVE-2016-0704
And disclosed in https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl
This bug has been opened to address the potential impact on this product.
Conditions: Exposure is not configuration dependent. Cisco has reviewed and concluded that this product is affected by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-0797 - BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
CVE-2016-0799 - Fix memory issues in BIO_*printf functions
CVE-2016-0705 - Double-free in DSA code
CVE-2016-0702 - Side channel attack on modular exponentiation
This product is not affected by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-0800 - Cross-protocol attack on TLS using SSLv2 (DROWN)
CVE-2016-0703 - Divide-and-conquer session key recovery in SSLv2
CVE-2016-0704 - Bleichenbacher oracle in SSLv2
CVE-2016-0798 - Memory leak in SRP database lookups
Workaround: Not available.
Further Problem Description: Additional details about those vulnerabilities can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base CVSS score as of the time of evaluation is: 4.3
https://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:ND/RL:ND/RC:ND
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Defect Number: CSCuz52360
Component: security
Severity: 2
Headline: Evaluation of icm for OpenSSL May 2016
Symptom: This product includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 CVE-2016-2176
And disclosed in https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl
This bug has been opened to address the potential impact on this product. Cisco has analyzed the vulnerabilities and concluded that this product may be affected by the following vulnerabilities:
Padding oracle in AES-NI CBC MAC check CVE-2016-2107
EVP_EncodeUpdate overflow CVE-2016-2105
ASN.1 BIO excessive memory allocation CVE-2016-2109
This product is not affected by the following vulnerability:
EBCDIC overread CVE-2016-2176
Memory corruption in the ASN.1 encoder CVE-2016-2108
EVP_EncryptUpdate overflow CVE-2016-2106
Conditions: Exposure is not configuration dependent.
Workaround: None
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base CVSS score as of the time of evaluation is: 5.1
https://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:H/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:ND
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. The score reflects the maximum score for all the vulnerabilities mentioned in this bug information. Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Defect Number: CSCvb48529
Component: security
Severity: 2
Headline: Evaluation of icm for Openssl September 2016
Symptom: The product Cisco Computer Telephony Integration Object Server (CTIOS); Cisco Unified Contact Center Enterprise; Cisco Unified Intelligent Contact Management Enterprise includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-6304 CVE-2016-6305 CVE-2016-2183 CVE-2016-6303 CVE-2016-6302 CVE-2016-2182 CVE-2016-2180 CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2181 CVE-2016-6306 CVE-2016-6307 CVE-2016-6308 CVE-2016-6309 CVE-2016-7052
And disclosed in https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl
Cisco has reviewed and concluded that this product is affected by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-6304 TLS OCSP Stapling extension Status Request memory consumption vulnerability
CVE-2016-2183 Birthday attack against 64-bit block ciphers in TLS AKA SWEET32
CVE-2016-2180 OOB read in TS_OBJ_print_bio()
CVE-2016-2177 Pointer arithmetic undefined behaviour
CVE-2016-2178 DSA cache-timing side channel attack
CVE-2016-6306 Certificate message OOB reads
This product is not affected by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-6305 SSL_peek() hang on empty record
CVE-2016-6303 OOB write in MDC2_Update()
CVE-2016-6302 Malformed SHA512 ticket DoS
CVE-2016-2182 OOB write in BN_bn2dec()
CVE-2016-2179 DTLS buffered message DoS
CVE-2016-2181 DTLS replay protection DoS
CVE-2016-6307 Excessive allocation of memory in tls_get_message_header()
CVE-2016-6308 Excessive allocation of memory in dtls1_preprocess_fragment()
CVE-2016-6309 Fix Use After Free for large message sizes
CVE-2016-7052 Missing CRL sanity check
Conditions: Exposure is not configuration dependent.
Workaround: Not available.
Further Problem Description: Additional details about those vulnerabilities can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base CVSS score as of the time of evaluation is: 5.0
https://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:UR
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Defect Number: CSCva77070
Component: security
Severity: 3
Headline: Error Message During Open SSL Certificate Installation
Symptom: Open SSL Certificate Installation fails
Conditions: After upgrading ICM to the 11.5(1) latest build, run the SSL Encryption utility tool to uninstall and install the certificate.
Workaround: None
Further Problem Description: