About this Document


This document provides installation instructions for Unified CCE 12.5(1) ES20. It also contains a list of Unified CCE issues resolved by this engineering special. Review all installation information before installing the product. Failure to install this engineering special as described can result in inconsistent Unified CCE behavior.

This document contains these sections:

Sign Up for Email Notification of New Field Notices


In the Product Alert Tool, you can set up profiles to receive email notification of new Field Notices, Product Alerts, or End of Sale information for your selected products.

The Product Alert Tool is available at https://www.cisco.com/cisco/support/notifications.html.

About Cisco Unified CCE (and Unified CCE Engineering Specials)


The Ghostcat vulnerability (CVE-2020-1938) allows remote code execution under certain conditions where Tomcat listens on port 8009 (AJP) on all external IP addresses. ICM applications were not found to be vulnerable, because they use a reverse proxy: IIS intercepts all external requests and redirects them to Tomcat, which listens on port 8009 only on the local IP address. However, for deployments that are impacted by this vulnerability (Tomcat listening on port 8009 on all external addresses), Apache changed the default behavior by updating server.xml to include a new attribute, 'secretRequired', with a default value of "true". This change breaks even web applications that are not impacted by Ghostcat, because they do not provide an option to supply the secret in external requests. Apache Tomcat updates are cumulative, so no future minor update of Tomcat is possible without a change to the Tomcat server.xml file. This proactive ES facilitates future Tomcat updates by customers using the Cisco-provided Tomcat Upgrade Utility: it delivers the Cisco customized server.xml along with options to support ES rollback if required, so that the web applications continue to work even after any ES uninstallation.

Background:

·      12.5(1) Shipped with Tomcat 9.0.21.

·      Tomcat 9.0.21 is vulnerable to Ghostcat (CVE-2020-1938) and is fixed with Tomcat 9.0.31 onwards.

·      Customers were recommended to use Cisco provided 'Tomcat Upgrade Utility' for minor version upgrade.

For customers on older releases where the fix for defect CSCvt31436 is not available, a field notice is provided with the problem description and workaround: https://www.cisco.com/c/en/us/support/docs/field-notices/705/fn70542.html. Though the field notice talks about Tomcat 7, it applies to Tomcat 9 as well. After using the utility to upgrade Tomcat, manual steps were provided to update the required server.xml and get things working. However, one issue remained open: CSCvt60447 (websetup throwing error after patch uninstall). Customers could hit this when they uninstall an ES on an older release where the manual workaround was applied after the Tomcat upgrade.

THIS ES WILL DELIVER A CUSTOM SERVER.XML SO THAT CUSTOMERS DON'T NEED TO MANUALLY MODIFY IT AS SPECIFIED IN THE FIELD NOTICE. IT WILL ALSO FIX ANY ES UNINSTALLATION ISSUES RELATED TO THE SERVER.XML FILE.

THE TOMCAT UPGRADE UTILITY POSTED ON CCO FOR 12.0(1) CAN BE USED FOR THE MINOR VERSION UPGRADE.

IF A CUSTOMER HAS APPLIED THE MANUAL WORKAROUND AS INDICATED IN THE FIELD NOTICE, THE CUSTOMER SHOULD STILL APPLY THIS ES. IT WILL RESOLVE THE UNINSTALL ISSUE.

Unified CCE Compatibility and Support Specifications


Unified CCE Version Support

12.5(1)

Unified CCE Component Support

This section lists the Unified CCE components on which you can and cannot install this engineering special.

Supported Unified CCE Components

You can install Unified CCE 12.5(1) ES20 on these Unified CCE components:

·      AW, Router, Logger, PG – all CCE machines that have Tomcat installed.

Unsupported Unified CCE Components

Do not install this engineering special on the following components:

·      Admin client machine.

Unified CCE Engineering Special Installation Planning


Installing Unified CCE 12.5(1) ES20


Installation of this patch requires all CCE services to be shut down for the entire duration of the installation. It is always recommended to install this ES during scheduled downtime.

  1. Using the CCE Service Control, stop all the CCE services running on the system.
  2. Launch the installer provided for ES20 and follow the instructions on the screen.
  3. Check the version of Tomcat installed by running <ICM HOME>\tomcat\bin\version.bat. If it is 9.0.37 or higher, perform the following steps:
    • Step 1:
      In <ICM HOME>\tomcat\config\server.xml, make sure the <Connector> entry for the AJP protocol reads as below:
      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" maxPostSize="5242880" secretRequired="false" allowedRequestAttributesPattern=".*" />
      If this entry, or any of the attributes shown, is missing, add it to server.xml.

    • Step 2:
      • Download the 32-bit Tomcat installer zip from http://archive.apache.org/dist/tomcat/tomcat-9/. Download the same version that was displayed when version.bat was run.
      • Unzip the installer to a temp folder.
      • Copy tomcat-util-scan.jar from <temp>\apache-tomcat-9.0.xx\lib to <ICM HOME>\tomcat\lib.
      • Using the ICM/CCE Service Control, start the Apache Tomcat 9 service.

  4. Using the CCE Service Control, start all CCE services again.
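The following added check (example code, not Cisco's or the ES installer's own) audits the AJP <Connector> in server.xml against the layout in Step 1 and the 9.0.31 default change described above: loopback-only binding, secretRequired handling, and allowedRequestAttributesPattern. The sample server.xml fragments, the version.bat output line and the function names are constructed for illustration.

```python
"""Audit the AJP <Connector> in a Tomcat server.xml for the Ghostcat (CVE-2020-1938)
mitigation defaults introduced in Tomcat 9.0.31. Added example; not Cisco code.
Sample XML, version.bat output and helper names are constructed for illustration."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_tomcat_version(version_bat_output: str) -> Tuple[int, ...]:
    """Extract (major, minor, patch) from the 'Server version:' line printed by version.bat."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\d+)\.(\d+)\.(\d+)", version_bat_output)
    if not m:
        raise ValueError("no 'Server version' line found in version.bat output")
    return tuple(int(x) for x in m.groups())


def audit_ajp_connectors(server_xml: str, tomcat_version: Tuple[int, ...]) -> List[str]:
    """Return findings; an empty list means the connector matches the layout the ES expects."""
    findings: List[str] = []
    root = ET.fromstring(server_xml)
    ajp = [c for c in root.iter("Connector") if c.get("protocol", "").upper().startswith("AJP")]
    if not ajp:
        return ["no AJP connector: IIS cannot forward cceadmin/websetup requests to Tomcat"]
    # 9.0.31 changed the AJP defaults: secretRequired=true and unknown request attributes rejected.
    hardened_defaults = tomcat_version >= (9, 0, 31)
    for c in ajp:
        port, addr = c.get("port"), c.get("address")
        if addr not in LOOPBACK:  # None means Tomcat binds every interface
            findings.append(f"AJP port {port} listens on {addr or 'all interfaces'}; "
                            "Ghostcat exposure, bind it to 127.0.0.1 behind IIS")
        default_secret = "true" if hardened_defaults else "false"
        if c.get("secretRequired", default_secret).lower() == "true" and not c.get("secret"):
            findings.append(f"AJP port {port}: secretRequired is true but no secret is set; "
                            "Tomcat 9.0.31+ refuses to start this connector (websetup HTTP 500)")
        if hardened_defaults and c.get("allowedRequestAttributesPattern") is None:
            findings.append(f"AJP port {port}: allowedRequestAttributesPattern missing; "
                            "request attributes forwarded by the IIS redirector are rejected")
    return findings


# Constructed sample: the connector the ES delivers (loopback only, no secret needed).
ES_CONNECTOR = """<Server><Service name="Catalina">
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1"
           maxPostSize="5242880" secretRequired="false" allowedRequestAttributesPattern=".*"/>
</Service></Server>"""
# Constructed sample: a pre-ES connector left unchanged after a minor upgrade to 9.0.37.
LEGACY_CONNECTOR = """<Server><Service name="Catalina">
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

if __name__ == "__main__":
    ver = parse_tomcat_version("Server version: Apache Tomcat/9.0.37")  # constructed output
    for name, xml in (("ES", ES_CONNECTOR), ("legacy", LEGACY_CONNECTOR)):
        for finding in audit_ajp_connectors(xml, ver) or ["OK"]:
            print(f"{name}: {finding}")
```

To run it against a real deployment, feed it the text of <ICM HOME>\tomcat\config\server.xml and the output of version.bat.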

Uninstall Directions for Unified CCE 12.5(1) ES20


  1. To uninstall this patch, go to Control Panel.
  2. Select "Add or Remove Programs".
  3. Find the installed patch in the list and select "Remove".

Note: Remove patches in the reverse order of their installation. For example, if you installed patches 3, then 5, then 10 for a product, you must uninstall patches 10, 5, and 3, in that order, to remove the patches from that product.

Resolved Caveats in this Engineering Special


This section provides a list of significant Unified CCE defects resolved by this engineering special. It contains these subsections:


Note: You can view more information on and track individual Unified CCE defects using the Cisco Bug Search tool, located at: https://bst.cloudapps.cisco.com/bugsearch/search?null.


Resolved Caveats in Unified CCE 12.5(1) ES20

This section lists caveats specifically resolved by Unified CCE 12.5(1) ES20.

Index of Resolved Caveats

Caveats in this section are ordered by Unified CCE component, severity, and then identifier.

Identifier    Severity    Component    Headline
CSCvt31436    2           web.setup    CCE - Upgrading tomcat to version 7.0.100 or greater breaks cceadmin and websetup
CSCvt60447    3           web.setup    websetup throwing error after patch uninstall

Detailed list of Resolved Caveats in This Engineering Special

Caveats are ordered by severity then defect number.


Defect Number: CSCvt31436

Component: web.setup

Severity: 2

Headline: CCE - Upgrading tomcat to version 7.0.100 or greater breaks cceadmin and websetup


Symptom:
The cceadmin and websetup pages do not load after a Tomcat upgrade to 7.0.99 or above on CCE 11.6.

Conditions:
The following error is displayed: HTTP Error 500.0 - Internal Server Error Calling LoadLibraryEx on ISAPI filter "C:\icm\tomcat\bin\i386\isapi_redirect.dll" failed

Workaround:
https://www.cisco.com/c/en/us/support/docs/field-notices/705/fn70542.html

Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Getting the Patch: The following links take you to an emergency patch, called an Engineering Special or ES. These emergency patches are meant for deployments that are actively encountering a specific problem and cannot wait for a formal release to include a fix. An ES receives limited testing compared to a formal release. Installing an ES on a production system poses a risk of instability due to that limited testing. If you are not directly experiencing this problem, wait to install a major, minor, or maintenance release that includes the fix for this issue. If you experience this problem and cannot wait for a later formal release, select the ES that matches the base release of your deployment. The base release is the front part of the ES name. Only install an ES that matches the release that your deployment runs. Always read the release notes or Readme file before running the patch installer.


Defect Number: CSCvt60447

Component: web.setup

Severity: 3

Headline: websetup throwing error after patch uninstall

Symptom:
websetup throwing error after patch uninstall

Conditions:


Workaround:


Further Problem Description:
Seeing this as an issue from an ICM patch.

Getting the Patch: The following links take you to an emergency patch, called an Engineering Special or ES. These emergency patches are meant for deployments that are actively encountering a specific problem and cannot wait for a formal release to include a fix. An ES receives limited testing compared to a formal release. Installing an ES on a production system poses a risk of instability due to that limited testing. If you are not directly experiencing this problem, wait to install a major, minor, or maintenance release that includes the fix for this issue. If you experience this problem and cannot wait for a later formal release, select the ES that matches the base release of your deployment. The base release is the front part of the ES name. Only install an ES that matches the release that your deployment runs. Always read the release notes or Readme file before running the patch installer.


Obtaining Documentation


You can access current Cisco documentation on the Support pages at the following sites:

Documentation Feedback

To provide comments about this document, send an email message to the following address:

contactcenterproducts_docfeedback@cisco.com

We appreciate your comments.

Obtaining Technical Assistance


Cisco.com is a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC site.

Cisco.com

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. You can also resolve technical issues with online technical support and download software packages. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

Technical Assistance Center

The Cisco TAC site is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Site

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to https://www.cisco.com/c/en/us/support/index.html.

P3 and P4 level problems are defined as follows:

In each of the above cases, use the Cisco TAC site to quickly find answers to your questions.

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following site: https://mycase.cloudapps.cisco.com/create/start/

Contacting TAC by Telephone

If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following sites:

P1 and P2 level problems are defined as follows: