This document provides
installation instructions for Unified CCE 12.6(1) ES17. It also contains a list
of Unified CCE issues resolved by this engineering special. Review all
installation information before installing the product. Failure to install this
engineering special as described can result in inconsistent Unified CCE
behaviour.
This document contains
these sections:
In the Product Alert
Tool, you can set up profiles to receive email notification of new Field
Notices, Product Alerts, or End of Sale information for your selected products.
The Product
Alert Tool is available at https://www.cisco.com/cisco/support/notifications.html.
This ES patch resolves the security vulnerabilities CVE-2021-44228 and
CVE-2021-45046 related to log4j (Log4Shell) on all CCE servers, including
Admin Client machines, by upgrading the log4j version to 2.16.0.
This ES also resolves CVE-2021-45105 by upgrading the log4j version
to 2.17.0 for AppDynamics agents ONLY, running on CCE nodes.
All ICM services running on a server should be stopped before proceeding
with patch installation. There should be no need for contact centre downtime.
For instance, if you were installing this patch on a duplexed Router server,
you could bring one side down, apply the ES and then restart the Router service
after reboot, to resume duplexed operation. Once duplexed operation resumes,
the other side of the Router can have the patch applied.
Removal of this patch for any reason will revert the system to a vulnerable
state for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 (AppDynamics
Agents only).
Unified CCE 12.6(1) ES17 addresses the log4j vulnerability on
all CCE deployments.
Note: This ES does not address any known vulnerabilities related to log4j 1.x.
CCE has been evaluated for all known vulnerabilities with log4j 1.x and found
not to be impacted by any of them. Any log4j scanner run on a CCE node that
reports the following CVEs can be treated as a false positive:
CVE-2021-4104: JMSAppender is not configured to be used by log4j 1.x deployed with CCE.
CVE-2019-17571: SocketServer feature is not configured to be used by log4j 1.x deployed with CCE.
CVE-2020-9488: Apache Log4j SMTPAppender is not configured to be used by log4j 1.x deployed with CCE applications.
CVE-2022-23302: JMSSink is not configured to be used by log4j 1.x deployed with CCE.
CVE-2022-23305: JDBCAppender is not configured to be used by log4j 1.x deployed with CCE.
CVE-2022-23307: Chainsaw is not configured to be used by log4j 1.x deployed with CCE.
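A configuration check for the "not configured" condition the note above relies on, as an added example that is not Cisco's code: it reads a log4j 1.x properties file and reports, for each listed CVE, whether the affected component is attached to a logger, only defined, or absent. The class names are the upstream log4j 1.x ones, the sample file is constructed, and it assumes properties-format configuration (CCE's own file locations are not given on this page).

```python
# CVE -> upstream log4j 1.x class or package named in the note above.
# SocketServer, JMSSink and Chainsaw are standalone programs, not appenders.
CVE_COMPONENT = {
    "CVE-2021-4104": "org.apache.log4j.net.JMSAppender",
    "CVE-2019-17571": "org.apache.log4j.net.SocketServer",
    "CVE-2020-9488": "org.apache.log4j.net.SMTPAppender",
    "CVE-2022-23302": "org.apache.log4j.net.JMSSink",
    "CVE-2022-23305": "org.apache.log4j.jdbc.JDBCAppender",
    "CVE-2022-23307": "org.apache.log4j.chainsaw",
}
LOGGER_KEYS = ("log4j.rootLogger", "log4j.rootCategory", "log4j.logger.", "log4j.category.")

def parse_properties(text):
    """Parse log4j 1.x properties text, skipping blank lines and #/! comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and line[0] not in "#!":
            props[key.strip()] = value.strip()
    return props

def triage(text):
    """Return {cve: 'attached' | 'defined' | 'absent'} for one properties file."""
    props = parse_properties(text)
    # Appender name -> class, from keys of the exact form log4j.appender.<name>
    appenders = {k.split(".")[2]: v for k, v in props.items()
                 if k.startswith("log4j.appender.") and k.count(".") == 2}
    # Appender names a logger actually uses: "<level>, <name>, <name>, ..."
    attached = set()
    for k, v in props.items():
        if k.startswith(LOGGER_KEYS):
            attached.update(n.strip() for n in v.split(",")[1:])
    result = {}
    for cve, component in CVE_COMPONENT.items():
        names = [n for n, cls in appenders.items() if cls.startswith(component)]
        if attached.intersection(names):
            result[cve] = "attached"   # component is in use: review the finding
        elif names or any(component in v for v in props.values()):
            result[cve] = "defined"    # present in the file, not wired to a logger
        else:
            result[cve] = "absent"     # matches the not-configured case in the note
    return result

# Constructed sample, not a CCE file.
SAMPLE = """\
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
#log4j.appender.MAIL=org.apache.log4j.net.SMTPAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
"""
```

For the constructed sample, `triage(SAMPLE)` reports CVE-2022-23305 as `defined` and the other five as `absent`; a scanner finding is consistent with the note only when the file for that node gives `absent`.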
12.6(1)
You can install Unified CCE 12.6(1) ES17 on these Unified CCE
components:
Note: In a Contact Director deployment, ES6 needs to be applied on the CCE
server where the router service/contact share node is running before applying
ES17, irrespective of the Windows and SQL version used.
Do not install this
engineering special on the following components:
2. Once the installation is complete, restart the machine.
3. Using the ICM Service Control, start the CCE services if
they are not started already.
Note: Remove patches in the reverse order
of their installation. For example, if you installed patches 3, then 5, then 10
for a product, you must uninstall patches 10, 5, and 3, in that order, to remove
the patches from that product.
This section provides a
list of significant Unified CCE defects resolved by this engineering special.
It contains these subsections:
Note: You can view more information on
and track individual Unified CCE defects using the Cisco Bug Search tool,
located at: https://bst.cloudapps.cisco.com/bugsearch/search?null.
This section lists caveats specifically resolved by Unified CCE 12.6(1) ES17.
Caveats in this section are ordered by Unified CCE component, severity, and
then identifier.
Identifier | Severity | Component | Headline |
CSCwa47274 | 1 | ova | Evaluation of pcce for Log4j RCE (Log4Shell) Vulnerability vulnerability |
CSCwa47273 | 1 | security | Evaluation of icm for Log4j RCE (Log4Shell) Vulnerability vulnerability |
Caveats are ordered by
severity then defect number.
Defect Number: CSCwa47273
Component: security
Severity: 1
Headline: Evaluation of icm for Log4j RCE (Log4Shell) Vulnerability vulnerability
Symptom: This bug has been filed to evaluate the product against the following
vulnerability in the Apache Log4j Java library disclosed on December 9, 2021:
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker
controlled LDAP and other JNDI related endpoints.
Cisco is currently investigating impact.
Conditions:
Workaround: Not currently available.
Further Problem Description: Additional details about the vulnerability
listed above can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS
version 3.1 score. The Base CVSS scores as of the time of evaluation are 8.8:
https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The Cisco PSIRT has assigned this score based on information obtained from
multiple sources. This includes the CVSS score assigned by the third-party
vendor when available. The CVSS score assigned may not reflect the actual
impact on the Cisco Product. Additional information on Cisco's security
vulnerability policy can be found at the following URL:
https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html
Defect Number: CSCwa47274
Component: ova
Severity: 1
Headline: Evaluation of pcce for Log4j RCE (Log4Shell) Vulnerability vulnerability
Symptom: This bug has been filed to evaluate the product against the following
vulnerability in the Apache Log4j Java library disclosed on December 9, 2021:
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker
controlled LDAP and other JNDI related endpoints.
Cisco is currently investigating impact.
Conditions:
Workaround: Not currently available.
Further Problem Description: Additional details about the vulnerability
listed above can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS
version 3.1 score. The Base CVSS scores as of the time of evaluation are 8.8:
https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The Cisco PSIRT has assigned this score based on information obtained from
multiple sources. This includes the CVSS score assigned by the third-party
vendor when available. The CVSS score assigned may not reflect the actual
impact on the Cisco Product. Additional information on Cisco's security
vulnerability policy can be found at the following URL:
https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html
Caveats resolved in earlier ESs and included as part of 12.6(1) ES17:
None
You can access current
Cisco documentation on the Support pages at the following sites:
To provide comments about
this document, send an email message to the following address:
contactcenterproducts_docfeedback@cisco.com
We appreciate your
comments.
Cisco.com is a starting
point for all technical assistance. Customers and partners can obtain
documentation, troubleshooting tips, and sample configurations from online
tools. For Cisco.com registered users, additional troubleshooting tools are
available from the TAC site.
Cisco.com provides a broad
range of features and services to help customers and partners streamline
business processes and improve productivity. Through Cisco.com, you can find
information about Cisco and our networking solutions, services, and programs.
You can also resolve technical issues with online technical support and
download software packages. Valuable online skill assessment, training, and
certification programs are also available.
Customers and partners can
self-register on Cisco.com to obtain additional personalized information and
services. Registered users can order products, check on the status of an order,
access technical support, and view benefits specific to their relationships
with Cisco.
The Cisco TAC site is
available to all customers who need technical assistance with a Cisco product
or technology that is under warranty or covered by a maintenance contract.
If you have a priority
level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to https://www.cisco.com/c/en/us/support/index.html.
P3 and P4 level problems
are defined as follows:
In each of the above cases,
use the Cisco TAC site to quickly find answers to your questions.
If you cannot resolve your
technical issue by using the TAC online resources, Cisco.com registered users
can open a case online by using the TAC Case Open tool at the following site: https://mycase.cloudapps.cisco.com/create/start/
If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact
TAC by telephone and immediately open a case. To obtain a directory of
toll-free numbers for your country, go to the following sites:
P1 and P2 level problems
are defined as follows: