This document provides installation instructions for Unified CCE 12.5(1) ES61. It also contains a list of Unified CCE issues resolved by this engineering special. Review all installation information before installing the product. Failure to install this engineering special as described can result in inconsistent Unified CCE behavior.
This document contains these sections:
In the Product Alert Tool, you can set up profiles to receive email notification of new Field Notices, Product Alerts, or End of Sale information for your selected products.
The Product Alert Tool is available at https://www.cisco.com/cisco/support/notifications.html.
· Unified CCE 12.5(1)
This section lists the Unified CCE components on which you can and cannot install this engineering special.
You can install Unified CCE 12.5(1) ES61 on these Unified CCE components:
Do not install this engineering special on any components other than the above supported components.
Installation of this patch requires all ICM services to be shut down during the entire period of installation. It is always recommended to install this ES during a scheduled downtime.
1. Using the CCE Service Control, stop all the CCE services running on the system.
2. Launch the Installer provided for ES61 and follow the instructions on the screen.
3. Check the version of Tomcat installed by running version.bat from the tomcat\bin folder:
cd <ICM HOME>\tomcat\bin
Run the version.bat file. If the version is 9.0.37 or higher, then do the following steps:
· Step 1: In <ICM HOME>\tomcat\config\server.xml, make sure the entries for <Connector> and the AJP protocol are as below:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1"
maxPostSize="5242880" secretRequired="false" allowedRequestAttributesPattern=".*" />
If the highlighted entry is missing, then add the entry in server.xml.
· Step 2:
o Download the 32-bit Tomcat installer zip from http://archive.apache.org/dist/tomcat/tomcat-9/. Download the same version that is displayed when version.bat was run.
o Unzip the installer to a temp folder.
o Copy tomcat-util-scan.jar from the <temp>\apache-tomcat-9.0.xx\lib location to <ICM HOME>\tomcat\lib.
o Using the ICM/CCE Service Control, start the Apache Tomcat 9 service.
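The connector in Step 1 sets secretRequired="false", so the address="127.0.0.1" binding is what keeps AJP reachable only from the local host, and it is worth verifying after every patch. The following PowerShell check is an added example, not part of the Cisco readme or installer; the function name Test-AjpConnector and the sample XML are constructed for illustration.

```powershell
# Added example (not Cisco code): compare the AJP <Connector> in a Tomcat
# server.xml with the attribute values this readme lists in Step 1.
$Expected = [ordered]@{
    port                            = '8009'
    protocol                        = 'AJP/1.3'
    redirectPort                    = '8443'
    address                         = '127.0.0.1'
    maxPostSize                     = '5242880'
    secretRequired                  = 'false'
    allowedRequestAttributesPattern = '.*'
}

function Test-AjpConnector {
    param([Parameter(Mandatory)][xml]$ServerXml)

    # Every connector whose protocol starts with "AJP", wherever it is nested.
    $nodes = @($ServerXml.SelectNodes("//Connector[starts-with(@protocol,'AJP')]"))
    if ($nodes.Count -eq 0) {
        'No AJP <Connector> element found'
        return
    }
    foreach ($node in $nodes) {
        foreach ($name in $Expected.Keys) {
            $actual = $node.GetAttribute($name)   # empty string when absent
            if ($actual -cne $Expected[$name]) {
                "AJP connector on port $($node.GetAttribute('port')): " +
                    "$name is '$actual', readme expects '$($Expected[$name])'"
            }
        }
    }
}

# Constructed sample: a connector that lost its address and
# allowedRequestAttributesPattern attributes.
$sample = [xml]@'
<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               maxPostSize="5242880" secretRequired="false" />
  </Service>
</Server>
'@

$findings = @(Test-AjpConnector -ServerXml $sample)
if ($findings.Count -eq 0) { 'AJP connector matches the readme' } else { $findings }
```

To check a real installation, pass `[xml](Get-Content -Raw '<ICM HOME>\tomcat\config\server.xml')` with `<ICM HOME>` replaced by the actual install path.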
Note: Remove patches in the reverse order of their installation. For example, if you installed patches 3, then 5, then 10 for a product, you must uninstall patches 10, 5, and 3, in that order, to remove the patches from that product.
This section provides a list of significant Unified CCE defects resolved by this engineering special. It contains these subsections:
Note: You can view more information on and track individual Unified CCE defects using the Cisco Bug Search tool, located at: https://bst.cloudapps.cisco.com/bugsearch/search?null.
This section lists caveats specifically resolved by Unified CCE 12.5(1) ES61.
Caveats in this section are ordered by UNIFIED CCE component, severity, and then identifier.
| Identifier | Severity | Component | Headline |
| --- | --- | --- | --- |
| CSCvx82605 | 2 | security | Evaluation of icm for OpenSSL March 2021 vulnerabilities |
| CSCvx52770 | 2 | tools | Certmon does not handle the JAVA_HOME change when in FIPS mode |
Caveats are ordered by severity then defect number.
Defect Number: CSCvx52770
Component: tools
Severity: 2
Headline: Certmon does not handle the JAVA_HOME change when in FIPS mode
Symptom: VM reboots
Conditions: 1. After installing Unified CCE 12.5(1) ES33, enable FIPS. 2. Install any new Java update.
Workaround: Make sure the data (-Djava.ext.dirs) in the registry value HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\Tomcat9\Parameters\Java\Options\ matches the JAVA_HOME.
-Djava.ext.dirs=C:\icm\ssl\bin;C:\Program Files (x86)\Java\jre1.8.0_221\lib\ext
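The workaround above can be checked with a short script after each Java update. This PowerShell function is an added example, not Cisco's code; the name Test-JavaExtDirs, the sample option strings and the placeholder JRE directory are constructed, and it assumes that "matches the JAVA_HOME" means one java.ext.dirs entry equals <JAVA_HOME>\lib\ext.

```powershell
# Added example (not Cisco code): check that -Djava.ext.dirs in the Tomcat9
# Procrun options contains <JAVA_HOME>\lib\ext. Treating "matches the JAVA_HOME"
# as that containment test is an assumption based on the sample value above.
function Test-JavaExtDirs {
    param(
        [Parameter(Mandatory)][string[]]$Options,  # one JVM option per string
        [Parameter(Mandatory)][string]$JavaHome
    )
    $prefix = '-Djava.ext.dirs='
    $option = $Options | Where-Object { $_.StartsWith($prefix) } | Select-Object -First 1
    if (-not $option) {
        return [pscustomobject]@{ Match = $false; Detail = 'no -Djava.ext.dirs option' }
    }
    $wanted = $JavaHome.TrimEnd('\') + '\lib\ext'
    $dirs = @($option.Substring($prefix.Length).Split(';') |
        ForEach-Object { $_.Trim().TrimEnd('\') })
    # -contains compares strings case-insensitively, as Windows paths do.
    [pscustomobject]@{
        Match  = ($dirs -contains $wanted)
        Detail = "expected $wanted; configured: $($dirs -join '; ')"
    }
}

# Constructed sample: options still point at jre1.8.0_221 (the value shown in
# this readme) after a Java update moved JAVA_HOME to a placeholder directory.
$sampleOptions = @(
    '-Dcatalina.home=C:\icm\tomcat',
    '-Djava.ext.dirs=C:\icm\ssl\bin;C:\Program Files (x86)\Java\jre1.8.0_221\lib\ext'
)
Test-JavaExtDirs -Options $sampleOptions -JavaHome 'C:\Program Files (x86)\Java\jre_PLACEHOLDER'
Test-JavaExtDirs -Options $sampleOptions -JavaHome 'C:\Program Files (x86)\Java\jre1.8.0_221'

# On the server itself, feed the live values instead (assumes JAVA_HOME is set
# as an environment variable and Options is a multi-string value under the Java key):
# $key = 'HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\Tomcat9\Parameters\Java'
# Test-JavaExtDirs -Options (Get-ItemProperty -Path $key -Name Options).Options -JavaHome $env:JAVA_HOME
```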
Further Problem Description:
Defect Number: CSCvx82605
Component: security
Severity: 2
Headline: Evaluation of icm for OpenSSL March 2021 vulnerabilities
Symptom: On March 25, 2021, the OpenSSL Software Foundation disclosed two high severity vulnerabilities affecting the OpenSSL software package, identified by CVE IDs CVE-2021-3450 and CVE-2021-3449. Cisco has evaluated the impact of the vulnerability on this product and concluded that the product is affected by:
* CVE-2021-3449 could allow a remote unauthenticated attacker to crash a TLS server, resulting in a Denial of Service (DoS) condition.
However, the product is not affected by:
* CVE-2021-3450 could allow a remote unauthenticated attacker to conduct a MiTM attack or to impersonate another user or device by providing a crafted certificate.
Conditions: Not applicable
Workaround: None. Upgrade to a version that includes CiscoSSL 3.1.377 or more.
Further Problem Description:
Impacted Version: 12.5(1) ES33, 12.6(1)
Impact Analysis:
CVE-2021-3450: Not impacted. The X509_V_FLAG_X509_STRICT flag is not set by any server/client processes of UCCE using CiscoSSL 7.1.368 (OpenSSL 1.1.1j). Purpose is never overwritten.
CVE-2021-3449: Impacted. Renegotiation is enabled (default configuration).
Mitigation: Upgrade to CiscoSSL 7.1.377, which contains OpenSSL 1.1.1k.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is: 8.6
https://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Additional information on Cisco's security vulnerability policy can be found at the following URL:
https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html
You can access current Cisco documentation on the Support pages at the following sites:
To provide comments about this document, send an email message to the following address:
contactcenterproducts_docfeedback@cisco.com
We appreciate your comments.
Cisco.com is a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC site.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. You can also resolve technical issues with online technical support and download software packages. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
The Cisco TAC site is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to https://www.cisco.com/c/en/us/support/index.html.
P3 and P4 level problems are defined as follows:
In each of the above cases, use the Cisco TAC site to quickly find answers to your questions.
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following site: https://mycase.cloudapps.cisco.com/create/start/
If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following sites:
P1 and P2 level problems are defined as follows: