About this Document

This document provides installation instructions for Unified CCE 11.6(2) ES84. It also contains a list of Unified CCE issues resolved by this engineering special. Review all installation information before installing the product. Failure to install this engineering special as described can result in inconsistent Unified CCE behavior.

This document contains these sections:

Sign Up for Email Notification of New Field Notices

In the Product Alert Tool, you can set up profiles to receive email notification of new Field Notices, Product Alerts, or End of Sale information for your selected products.

The Product Alert Tool is available at https://www.cisco.com/cisco/support/notifications.html.

About Cisco Unified CCE (and Unified CCE Engineering Specials)

This ES patch resolves security vulnerabilities (CVE-2021-44228 and CVE-2021-45046) related to log4j (Log4Shell) on all ICM servers, including Admin Client machines, by upgrading the log4j version to 2.16.0.

All ICM services running on a server should be stopped before proceeding with patch installation. There should be no need to for contact center downtime. For instance, if you were installing this patch on a duplexed Router server, you could bring one side down, apply the ES and then restart the Router service again after reboot, to resume duplexed operation. Once duplexed operation resumes, the other side of the Router can have the patch applied.

Removal of this patch for any reason will revert the system to vulnerable state for CVE-2021-44228 and CVE-2021-45046.

Unified CCE 11.6(2) ES84 addresses log4j vulnerability on all CCE deployments.

Unified CCE Compatibility and Support Specifications

.

Unified CCE Version Support

11.6(2)

Unified CCE Component Support

This section lists the Unified CCE components on which you can and cannot install this engineering special.

Supported Unified CCE Components

You can install Unified CCE 11.6(2) ES84 on these Unified CCE components:

Unsupported Unified CCE Components

Do not install this engineering special on the following components:

Unified CCE Engineering Special Installation Planning

Installing Unified CCE 11.6(2) ES84

Installation of this patch requires the all CCE services to be shut down during the entire period of installation. It is always recommended to install this ES during a scheduled maintenance window.

  1. Using the CCE Service Control, stop all the CCE services running on the system
  2. Launch the Installer provided for ES84 and follow the instructions on the screen

Using the CCE Service Control, start all CCE services again

Uninstall Directions for Unified CCE 11.6(2) ES84

  1. To uninstall this patch, go to Control Panel.
  2. Select "Add or Remove Programs".
  3. Find the installed patch in the list and select "Remove".

Note: Remove patches in the reverse order of their installation. For example, if you installed patches 3, then 5, then 10 for a product, you must uninstall patches 10, 5, and 3, in that order, to remove the patches from that product.

Resolved Caveats in this Engineering Special

This section provides a list of significant Unified CCE defects resolved by this engineering special. It contains these subsections:

Note: You can view more information on and track individual Unified CCE defects using the Cisco Bug Search tool, located at: https://bst.cloudapps.cisco.com/bugsearch/search?null.

Resolved Caveats in Unified CCE 11.6(2) ES84

This section lists caveats specifically resolved by Unified CCE 11.6(2) ES84.

Index of Resolved Caveats

Caveats in this section are ordered by UNIFIED CCE component, severity, and then identifier.

Identifier

Severity

Component

Headline

CSCwa47273

1

security

Evaluation of icm for Log4j RCE (Log4Shell) Vulnerability vulnerability

CSCwa47274

1

ova

Evaluation of pcce for Log4j RCE (Log4Shell) Vulnerability vulnerability

Detailed list of Resolved Caveats in This Engineering Special

Caveats are ordered by severity then defect number.

Defect Number: CSCwa47273

Component: security

Severity: 1

Headline: Evaluation of icm for Log4j RCE (Log4Shell) Vulnerability vulnerability


Symptom: This bug has been filed to evaluate the product against the following vulnerability in the Apache Log4j Java library disclosed on December 9, 2021 CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. Cisco is currently investigating impact.

Conditions:

Workaround: Not currently available.

Further Problem Description: Additional details about the vulnerability listed above can be found at http://cve.mitre.org/cve/cve.html PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score. The Base CVSS scores as of the time of evaluation are 8.8: https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. Additional information on Cisco's security vulnerability policy can be found at the following URL: https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html

Defect Number: CSCwa47274

Component: ova

Severity: 1

Headline: Evaluation of pcce for Log4j RCE (Log4Shell) Vulnerability vulnerability


Symptom: This bug has been filed to evaluate the product against the following vulnerability in the Apache Log4j Java library disclosed on December 9, 2021 CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. Cisco is currently investigating impact.

Conditions:

Workaround: Not currently available.

Further Problem Description: Additional details about the vulnerability listed above can be found at http://cve.mitre.org/cve/cve.html PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score. The Base CVSS scores as of the time of evaluation are 8.8: https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. Additional information on Cisco's security vulnerability policy can be found at the following URL: https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html


Caveats resolved earlier ESs and included as part of ICM11.6(2) ES84:

ES#

Identifier

Severity

Component

Headline

Comments

ES55

CSCvv43532

2

AW, Router, Logger, PG and admin client

Evaluation of icm for Apache Struts Aug20 vulnerabilities

 

 

ES67

CSCvw77880

2

AW, Router, Logger, PG and admin client

Evaluation of UCCE for Apache Struts Dec 20 critical vulnerability- CVE-2020-17530

 

 

Obtaining Documentation

You can access current Cisco documentation on the Support pages at the following sites:

Documentation Feedback

To provide comments about this document, send an email message to the following address:

contactcenterproducts_docfeedback@cisco.com

We appreciate your comments.

Obtaining Technical Assistance

Cisco.com is a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC site.

Cisco.com

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. You can also resolve technical issues with online technical support and download software packages. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

Technical Assistance Center

The Cisco TAC site is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Site

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to https://www.cisco.com/c/en/us/support/index.html.

P3 and P4 level problems are defined as follows:

In each of the above cases, use the Cisco TAC site to quickly find answers to your questions.

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following site: https://mycase.cloudapps.cisco.com/create/start/

CContacting TAC by Telephone

If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following sites:

P1 and P2 level problems are defined as follows: