Cisco has released a patch for the January 2016 OpenSSL vulnerability described in CVE-2016-0701 and in Cisco’s Bug Tracker as CSCuy07473. The patch, ciscocm.ciscossl_11.0.1-v5_4_3.k3.cop.sgn, comes in the form of a COP file that can be downloaded from CCO for version 11.0(1) or 10.5(2). No reboot is required after applying the patch, but installation after business hours is recommended. For more information, please consult the published Release Notes for version 11.0(1) or 10.5(2) for this update.
Heartbleed and Vulnerabilities Discovered in Cisco UC Line
You can’t look anywhere these days without seeing news about Heartbleed, the new vulnerability discovered in OpenSSL 1.0.1/1.0.2. Vendors frantically started releasing security patches to fix affected applications, and Cisco was no exception. From the list of affected products, the following fall under the UC domain:
- Cisco Desktop Collaboration Experience DX650 [CSCuo16892]
- Cisco IP Video Phone E20 [CSCuo26699]
- Cisco TelePresence Conductor [CSCuo20306]
- Cisco TelePresence EX Series [CSCuo26378]
- Cisco Telepresence Integrator C Series [CSCuo26378]
- Cisco TelePresence IP Gateway Series [CSCuo21597]
- Cisco TelePresence ISDN GW 3241 [CSCuo21486]
- Cisco TelePresence ISDN GW MSE 8321 [CSCuo21486]
- Cisco TelePresence ISDN Link [CSCuo26686]
- Cisco TelePresence MX Series [CSCuo26378]
- Cisco TelePresence Profile Series [CSCuo26378]
- Cisco TelePresence Serial Gateway Series [CSCuo21535]
- Cisco TelePresence Server 8710, 7010 [CSCuo21468]
- Cisco TelePresence Server on Multiparty Media 310, 320 [CSCuo21468]
- Cisco TelePresence Server on Virtual Machine [CSCuo21468]
- Cisco TelePresence Supervisor MSE 8050 [CSCuo21584]
- Cisco TelePresence SX Series [CSCuo26378]
- Cisco TelePresence Video Communication Server (VCS) [CSCuo16472]
- Cisco Unified 7800 series IP Phones [CSCuo16987]
- Cisco Unified 8961 IP Phone [CSCuo16938]
- Cisco Unified 9951 IP Phone [CSCuo16938]
- Cisco Unified 9971 IP Phone [CSCuo16938]
- Cisco Unified Communications Manager (UCM) 10.0 [CSCuo17440]
- Cisco Unified Presence Server (CUPS) [CSCuo21298], [CSCuo21289]
- Cisco WebEx Meetings Server versions 2.x [CSCuo17528]
Yup, pretty much 90% of affected products were Voice, Video and Conferencing related (click here to see the full list).
Our own vulnerability scanner discovered that Cisco Jabber Guest (EAP 7) is also vulnerable, so if you, like me, are a member of the privileged Collaboration User Group and participate in the Cisco Jabber Guest Beta trial, make sure that you minimize your risk exposure by controlling access to the Jabber Guest server until the update/patch becomes available.
Stay tuned and keep safe!