This document provides installation instructions for Unified CCE 11.0(3) ES5. It also contains a list of Unified CCE issues resolved by this engineering special. Review all installation information before installing the product. Failure to install this engineering special as described can result in inconsistent Unified CCE behavior.
This document contains these sections:
In the Product Alert Tool, you can set up profiles to receive email notification of new Field Notices, Product Alerts, or End of Sale information for your selected products.
The Product Alert Tool is available at https://www.cisco.com/cisco/support/notifications.html.
This ES is needed to solve the PSB request related to commons-fileupload-1.3.2.jar. We have upgrade the commons-fileupload from version 1.3.2 to 1.3.3. This will reduce the existing vulnerability present in 1.3.2 version. This ES does not have any dependency and this is an independent ES.
Supported Unified CCE Components
Pre requisite : ICM 11.0(3) ES2 - ES - US302506 . ICM 11.0(3) ES5 should be installed after installing ICM 11.0(3) ES2
You can install Unified CCE 11.0(3) ES5 on these Unified CCE components:
· Logger
· Router
· AW Distributor
· Admin Client
· Stop all UCCE Services
· Uninstall ET Patch if installed
· Download ICM 11.0(3) ES5 patch from CCO
· Copy the patch to server where it needs to be installed
· Install patch
· Reboot server
· Start ICM Services
Note: Remove patches in the reverse order of their installation. For example, if you installed patches 3, then 5, then 10 for a product, you must uninstall patches 10, 5, and 3, in that order, to remove the patches from that product.
This section provides a list of significant Unified CCE defects resolved by this engineering special. It contains these subsections:
Note: You can view more information on and track individual Unified CCE defects using the Cisco Bug Search tool, located at: https://bst.cloudapps.cisco.com/bugsearch/search?null.
This section lists caveats specifically resolved by Unified CCE 11.0(3) ES5.
|
Identifier |
Severity |
Component |
Headline |
|
CSCvn18888 |
2 |
web.setup |
Evaluation of icm for Apache Struts Commons FileUpload RCE |
Caveats are ordered by severity then defect number.
Defect Number: CSCvn18888
Component: web.setup
Severity: 2
Headline: Evaluation of icm for Apache Struts Commons FileUpload RCE
Symptom: The products Cisco Unified Contact Center Enterprise; Cisco Unified Intelligent Contact Management Enterprise include a version of Apache Struts that is affected by the Remote Code Execution vulnerability identified by the following Common Vulnerability and Exposures (CVE) ID: CVE-2016-1000031 Cisco has reviewed this product and concluded that it is affected by this vulnerability.
Conditions: Exposure is not configuration dependent.
Workaround: Not currently available.
Further Problem Description: More information about this vulnerability may be found on the advisory published at: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS scores as of the time of evaluation are 9.8: https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. CVE ID CVE-2016-1000031 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html Getting the Patch: The following links take you to an emergency patch, called an Engineering Special or ES. These emergency patches are meant for deployments that are actively encountering a specific problem and cannot wait for a formal release to include a fix. An ES receives limited testing compared to a formal release. Installing an ES on a production system poses a risk of instability due to that limited testing. If you are not directly experiencing this problem, wait to install a major, minor, or maintenance release that includes the fix for this issue. If you experience this problem and cannot wait for a later formal release, select the ES that matches the base release of your deployment. The base release is the front part of the ES name. Only install an ES that matches the release that your deployment runs. Always read the release notes or Readme file before running the patch installer.
You can access current Cisco documentation on the Support pages at the following sites:
To provide comments about this document, send an email message to the following address:
contactcenterproducts_docfeedback@cisco.com
We appreciate your comments.
Cisco.com is a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC site.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. You can also resolve technical issues with online technical support and download software packages. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
The Cisco TAC site is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to https://www.cisco.com/c/en/us/support/index.html.
P3 and P4 level problems are defined as follows:
In each of the above cases, use the Cisco TAC site to quickly find answers to your questions.
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following site: https://mycase.cloudapps.cisco.com/create/start/
If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following sites:
P1 and P2 level problems are defined as follows: