This document provides installation instructions for Unified CCE 12.0(1) ES68. It also contains a list of Unified CCE issues resolved by this engineering special. Review all installation information before installing the product. Failure to install this engineering special as described can result in inconsistent Unified CCE behavior.
This document contains these sections:
In the Product
Alert Tool, you can set up profiles to receive email notification of new
Field Notices, Product Alerts, or End of Sale information for your selected
products.
The Product
Alert Tool is available at https://www.cisco.com/cisco/support/notifications.html.
This ES patch resolves security vulnerabilities (CVE-2020-17530) in the websetup application on all ICM servers, including Admin Client machines, by upgrading the Apache Struts2 sub-component to version 2.5.26. All ICM services running on a server should be stopped before proceeding with patch installation. As this patch only involves the upgrade of the websetup application, there should be no need to for contact center downtime. For instance, if you were installing this patch on a duplexed Router server, you could bring one side down, apply the ES and then restart the Router service again after reboot, to resume duplexed operation. Once duplexed operation resumes, the other side of the Router can have the patch applied.
12.0(1)
This section lists the Unified CCE components on which you can and cannot install this engineering special.
You can install Unified CCE 12.0(1) ES68 on these Unified CCE components:
Do not install this engineering special on any components other than the following:
Installation of this patch requires the all CCE services to be shut down during the entire period of installation. It is always recommended to install this ES during a scheduled downtime.
Note: Remove patches in the reverse order of their installation. For example, if you installed patches 3, then 5, then 10 for a product, you must uninstall patches 10, 5, and 3, in that order, to remove the patches from that product.
This section provides a list of significant Unified CCE defects resolved by this engineering special. It contains these subsections:
Note: You can view more information on and track individual Unified CCE defects using the Cisco Bug Search tool, located at: https://bst.cloudapps.cisco.com/bugsearch/search?null.
This section lists caveats specifically resolved by Unified CCE 12.0(1) ES68.
Caveats in this section are ordered by UNIFIED CCE component, severity, and then identifier.
Identifier |
Severity |
Component |
Headline |
CSCvw77880 |
2 |
web.setup |
Evaluation
of UCCE for Apache Struts Dec 20 critical vulnerability- CVE-2020-17530 |
Caveats are ordered by severity then defect number.
Defect Number: CSCvw77880
Component: web.setup
Severity: 2
Headline: Evaluation of UCCE for Apache Struts Dec 20 critical vulnerability- CVE-2020-17530
$$IGNORE-PSIRT
Symptom: On 08 December 2020, the Apache Struts Team released a security
announcement urging an upgrade to Apache Struts version 2.5.26. Systems using
Apache Struts versions Struts 2.0.0 - Struts 2.5.25 may be exposed to:
CVE-2020-17530 Problem Statement from Apache: Some of the tag?s attributes
could perform a double evaluation if a developer applied forced OGNL evaluation
by using the %{...} syntax. Using forced OGNL evaluation on untrusted user
input can lead to a Remote Code Execution and security degradation. Solution
Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to
Struts 2.5.26 which checks if expression evaluation won?t lead to the double
evaluation. This bug has been filed against the product Cisco Unified Contact
Center Enterprise to address these vulnerabilities.
Conditions: Apache Struts versions Struts 2.0.0 - Struts 2.5.25
Workaround: NA
Further Problem Description:
You can access current Cisco documentation on the Support pages at the following sites:
To provide comments about this document, send an email message to the following address:
contactcenterproducts_docfeedback@cisco.com
We appreciate your comments.
Cisco.com is a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC site.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. You can also resolve technical issues with online technical support and download software packages. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
The Cisco TAC site is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to https://www.cisco.com/c/en/us/support/index.html.
P3 and P4 level problems are defined as follows:
In each of the above cases, use the Cisco TAC site to quickly find answers to your questions.
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following site: https://mycase.cloudapps.cisco.com/create/start/
If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following sites:
P1 and P2 level problems are defined as follows: