This document provides installation instructions for ICM11.6(1)
ES3. It also contains a list of ICM issues resolved by this engineering
special. Please review all sections in this document pertaining to installation
before installing the product. Failure to install this engineering special as
described may result in inconsistent ICM behavior.
This document contains these sections:
The Product Alert Tool offers you the ability to set up one or more profiles that will enable you to receive email notification of new Field Notices, Product Alerts or End of Sale information for the products that you have selected.
The Product Alert Tool is available at http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice
This ES patch resolves security vulnerabilities (CVE-2017-12611, CVE-2017-9805, CVE-2017-9804, CVE-2017-9793) in the websetup application on all ICM servers, including Admin Client machines, by upgrading the Apache Struts2 sub-component to version 2.3.34.
All ICM services running on a server should be stopped before proceeding with patch installation.
As this patch only involves the upgrade of the websetup application, there should be no need for contact center downtime. For instance, if you were installing this patch on a duplexed Router server, you could bring one side down, apply the ES and then restart the Router service again after reboot, to resume duplexed operation. Once duplexed operation resumes, the other side of the Router can have the patch applied.
ICM 11.6(1)
This patch is
compatible with and should be installed on all ICM servers including admin
client machines. ICM11.6(1) ES3 addresses security
vulnerabilities in the websetup application by
upgrading the following component:
This patch is
supported on all ICM components.
Installation of this patch requires all ICM services to be shut down for the entire period of installation on the machine where this patch is being applied. It is always recommended to install this ES during a scheduled downtime.
· Using the ICM Service Control, stop all the ICM services running on the system.
· Launch the Installer provided for ES3 and follow the instructions on the screen.
· Using the ICM Service Control, start required ICM services again.
To uninstall this patch, go to Control Panel. Select "Add or Remove
Programs". Find the installed patch in the list and select
"Remove".
Note: Patches have to be removed in the reverse order in which they were
installed. For example, if you had installed patches 3, then 5, then 10 for a
product, you will need to uninstall patches 10, 5 and 3 in that order to remove
all patches for that product.
This section provides a list of significant ICM defects resolved by this
engineering special. It contains these subsections:
Note: You can view more information on and track individual
ICM defects using the Cisco Bug Toolkit located at: http://www.cisco.com/support/bugtools/Bug_root.html
This section lists caveats specifically resolved by ICM11.6(1)
ES3.
Caveats in this section are ordered by ICM component, severity, and then
identifier.
Be sure to include ALL of the resolved caveats for the files you're delivering,
i.e. all of the caveats from the release notes of the previous ES which
included these files.
Identifier | Severity | Component | Headline |
CSCvf86098 | 2 | web.setup | Evaluation of ICM for Struts2 Sep-17 Vulnerabilities |
CSCvf86143 | 2 | deployment | Evaluation of HCS_CC for Struts2 Sep-17 Vulnerabilities |
Caveats are ordered by severity then defect number.
Defect Number: CSCvf86098
Component: web.setup
Severity: 2
Headline: Evaluation of icm for Struts2 Sep-17 Vulnerabilities
Symptom: This bug has been filed to evaluate the product against multiple Struts2 vulnerabilities released on September 5th 2017 by the Apache Software Foundation, identified by CVE IDs:
· CVE-2017-9805 - Apache Struts REST Plug-in XML Processing Arbitrary Code Execution Vulnerability
· CVE-2017-9793 - Apache Struts REST Plug-In Denial of Service Vulnerability
· CVE-2017-9804 - Apache Struts URLValidator Resource Exhaustion Denial of Service Vulnerability
Cisco has evaluated the impact of the vulnerability on this product and concluded that the product is not affected. Although the analysis showed that the product is not affected by these vulnerabilities, Cisco has decided to use this defect to perform a proactive upgrade of the Struts package.
Conditions: Not applicable
Workaround: Not applicable
Further Problem Description: The purpose of this patch is to perform an in place upgrade of Apache Struts2 version 2.3.32 to 2.3.34 which is utilized by the Web Setup component (setup.war) of ICM.
This upgrade has been performed in response to the CVEs referenced in the Symptoms section to mitigate any potential vulnerabilities exposed by those CVEs.
The following patches are available for specific versions of ICM:
· ICM10.5(3)_ES24
· ICM11.0(2)_ES40
· ICM11.5(1)_ES19
· ICM11.6(1)_ES3
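A post-install check for the Struts2 upgrade described above, added here as an example and not taken from Cisco's patch or documentation: it opens a WAR such as setup.war and reports the version of every struts2-core jar under WEB-INF/lib against the 2.3.34 level this ES installs. The jar naming pattern, the manifest attribute names and all function names are assumptions, and the sample WAR is constructed in memory.

```python
import io
import re
import zipfile

ES_LEVEL = (2, 3, 34)  # Struts2 version this ES installs, per the release note
JAR_RE = re.compile(r"WEB-INF/lib/struts2-core-(\d+(?:\.\d+)*)\.jar$")


def manifest_version(jar_bytes):
    """Version recorded in the jar manifest, or None (attribute names assumed)."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    m = re.search(r"^(?:Implementation|Bundle)-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def audit_war(war):
    """war: path or file-like object. One finding per struts2-core jar found."""
    findings = []
    with zipfile.ZipFile(war) as archive:
        for name in archive.namelist():
            m = JAR_RE.search(name)
            if not m:
                continue
            parsed = tuple(int(p) for p in m.group(1).split("."))
            # Only the 2.3.x line is covered by this release note; report
            # None for any other line instead of guessing.
            ok = parsed >= ES_LEVEL if parsed[:2] == ES_LEVEL[:2] else None
            findings.append({"jar": name, "version": m.group(1),
                             "manifest": manifest_version(archive.read(name)),
                             "at_es_level": ok})
    return findings


def make_war(version):
    """Constructed sample input: a minimal in-memory WAR with one Struts jar."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr(f"WEB-INF/lib/struts2-core-{version}.jar", jar.getvalue())
    return war


if __name__ == "__main__":
    for sample in ("2.3.32", "2.3.34"):
        print(audit_war(make_war(sample)))
```

An empty result means no struts2-core jar was found in the archive, which should be treated as "not verified" and not as "patched".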
Defect Number: CSCvf86143
This defect is a duplicate of CSCvf86098.