About this Document                                      

This document provides installation instructions for ICM11.6(1) ES3. It also contains a list of ICM issues resolved by this engineering special. Please review all sections in this document pertaining to installation before installing the product. Failure to install this engineering special as described may result in inconsistent ICM behavior.

This document contains these sections:

Signup to Receive Email Notification of New Field Notices

The Product Alert Tool offers you the ability to set up one or more profiles that will enable you to receive email notification of new Field Notices, Product Alerts or End of Sale information for the products that you have selected.

The Product Alert Tool is available at http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice

About Cisco ICM (and ICM Engineering Specials)

This ES patch resolves security vulnerabilities (CVE-2017-12611, CVE-2017-9805, CVE-2017-9804, CVE-2017-9793) in the websetup application on all ICM servers, including Admin Client machines, by upgrading the Apache Struts2 sub-component to version 2.3.34.

All ICM services running on a server should be stopped before proceeding with patch installation.

As this patch only involves the upgrade of the websetup application, there should be no need to for contact center downtime. For instance, if you were installing this patch on a duplexed Router server, you could bring one side down, apply the ES and then restart the Router service again after reboot, to resume duplexed operation. Once duplexed operation resumes, the other side of the Router can have the patch applied. 

It is recommended to install the ES during a scheduled maintenance window.

ICM Compatibility and Support Specifications

ICM Version Support

ICM 11.6(1)

ICM Component Support

Supported ICM Components

This patch is compatible with and should be installed on all ICM servers including admin client machines. ICM11.6(1) ES3 addresses security vulnerabilities in the websetup application by upgrading the following component:

Unsupported ICM Components

This patch is supported on all ICM components.

ICM Engineering Special Installation Planning

Installing ICM11.6(1) ES3

Installation of this patch requires the all ICM services to be shut-down during the entire period of installation on machine where this patch is being applied. It is always recommended to install this ES during a scheduled downtime.

·  Using the ICM Service Control, stop all the ICM services running on the system.

·  Launch the Installer provided for ES3 and follow the instructions on the screen.
·  Using the ICM Service Control, start required ICM services again.

Uninstall Directions for ICM11.6(1) ES3

To uninstall this patch, go to Control Panel. Select "Add or Remove Programs". Find the installed patch in the list and select "Remove".

Note: Patches have to be removed in the reverse order in which they were installed. For example, if you had installed patches 3, then 5, then 10 for a product, you will need to uninstall patches 10, 5 and 3 in that order to remove all patches for that product.

Resolved Caveats in this Engineering Special

This section provides a list of significant ICM defects resolved by this engineering special. It contains these subsections:

Note: You can view more information on and track individual ICM defects using the Cisco Bug Toolkit located at: http://www.cisco.com/support/bugtools/Bug_root.html

Resolved Caveats in ICM11.6(1) ES3

This section lists caveats specifically resolved by ICM11.6(1) ES3.

Index of Resolved Caveats

Caveats in this section are ordered by ICM component, severity, and then identifier.
Be sure to include ALL of the resolved caveats for the files you're delivering, i.e. all of the caveats from the release notes of the previous ES which included these files.

Identifier

Severity

Component

Headline

CSCvf86098

2

web.setup

Evaluation of ICM for Struts2 Sep-17 Vulnerabilities

CSCvf86143

2

deployment 

Evaluation of HCS_CC for Struts2 Sep-17 Vulnerabilities

Detailed list of Resolved Caveats in This Engineering Special

Caveats are ordered by severity then defect number.
Be sure to include ALL of the resolved caveats for the files you're delivering, i.e. all of the caveats from the release notes of the previous ES which included these files.

Defect Number: CSCvf86098

Component: web.setup

Severity: 2

Headline: Evaluation of icm for Struts2 Sep-17 Vulnerabilities

Symptom: This bug has been filed to evaluate the product against multiple Struts2 vulnerabilities released on September 5th 2017 by the Apache Software Foundation, identified by CVE IDs: CVE-2017-9805 - Apache Struts REST Plug-in XML Processing Arbitrary Code Execution Vulnerability CVE-2017-9793 - Apache Struts REST Plug-In Denial of Service Vulnerability CVE-2017-9804 - Apache Struts URLValidator Resource Exhaustion Denial of Service Vulnerability Cisco has evaluated the impact of the vulnerability on this product and concluded that the product is not affected. Even if the analysis has proved the product to not be affected by these vulnerabilities Cisco has decided to use this defect to perform a proactive upgrade of the Struts package.

Conditions: Not applicable

Workaround: Not applicable

Further Problem Description: The purpose of this patch is to perform an in place upgrade of Apache Struts2 version 2.3.32 to 2.3.34 which is utilized by the Web Setup component (setup.war) of ICM.

This upgrade has been performed in response to the CVEs referenced in the Symptoms section to mitigate any potential vulnerabilities exposed by those CVEs.

 

The following patches are available for specific versions of ICM:

 

·       ICM10.5(3)_ES24

·       ICM11.0(2)_ES40

·       ICM11.5(1)_ES19

·       ICM11.6(1)_ES3

 

Defect Number: CSCvf86143

This defect is a duplicate of CSCvf86098.

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following sites:

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Attn Document Resource Connection
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to: http://www.cisco.com

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website: http://www.cisco.com/tac

P3 and P4 level problems are defined as follows:

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.

To register for Cisco.com, go to the following website: http://www.cisco.com/register/

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website: http://www.cisco.com/tac/caseopen

Contacting TAC by Telephone

If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

P1 and P2 level problems are defined as follows: