Cisco Support Community
New Member

Bash Vulnerability Fix for CUCM 7.1.5, unity connection 7.1.5

The Customer UC environment consists of CUCM 7.1.5, Unity connection 7.1.5, UCCX 7.

According to Cisco, the fixes are provided in version 10.5. Does that mean there is no fix for the 7.x version and the customer has to migrate to version 10 to get the fix? Please advise.

CUCM evaluation for CVE-2014-6271, 2014-7169, 2014-6277 and 2014-6278

Ref: CSCur00930

Known Affected Releases (16): 10.0(1.10000.24), 10.5(1.10000.7), 5.0, 5.1, 6.0, 6.1, 7.0, 7.1, 7.1(5), 8.0, 8.5(1), 8.6, 8.6(2.10000.30), 9.0(1), 9.1(1), 9.1(2)

Known Fixed Releases (5): 10.5(1.11900.12), 10.5(1.98000.307), 10.5(1.98000.311), 10.5(1.98000.372), 10.5(1.98000.378)

Cisco Unity Connection evaluation for CVE-2014-6271 and CVE-2014-7169

Ref: CSCur05328

Known Affected Releases (1): 9.5(0.9)TT0

Known Fixed Releases (1): 10.5(1.11900.13)

1 ACCEPTED SOLUTION

New Member

There is a COP file out on CCO that may be applied to 8.5.1, 8.6.2, 9.01, 9.1.2, 10.0 and 10.5.1.

Cisco has implemented the bash fix in some Engineering Special (ES) versions as well, but only for major versions 8, 9 and 10.

CUCM 7.1.5 is End of Support (EOS) and hence no BASH fix for this version. You should consider moving your customer to a newer version. Just remember anything past 9.1.2 (10 and above) will require new virtualized hardware (UCS) as MCS-servers are no longer supported.

7 REPLIES
New Member

Thanks David for the confirmation. Do you have any updates for the Unity connection and UCCX as well? Do you know if the Unity connection 7.1.5 and UCCX 7.x are also affected by the Bash Vulnerability?

Thanks

New Member

You're welcome.

Unity Connection (CUC) shares the same OS base as CUCM. Same thing applies to CUC as to CUCM. The COP file for CUCM may be installed on the CUC servers too. This means in your case no support (again).

Regarding UCCX you want to have a look here:
https://tools.cisco.com/bugsearch/bug/CSCur02861

Short story - Same problem. Version 7 is EOS and there are only fixes for 8 and above.

New Member

Thank You for the information.

Hi David

Looking at the EOL details for 7.1.5, it details s/w is still covered until next year....

I know that the website details that "The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software" was June 2013, but as this is an O/S Vulnerability I would hope that this is still covered...

kind regards

Gareth

New Member

Hi Gareth,

You found this link yourself I see:

http://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-communications-manager-callmanager/end_of_life_notice_c51-695269.html

If Cisco had intended to fix 7.X they could easily have included it in the released "ciscocm.bashupgrade.cop.sgn" which covers 8.X, 9.X and 10.X.

I would not put my money on a Bash fix for 7.X, as it went out into "The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software." in June 2013.

There have been no Heartbleed (OpenSSL) fixes for 7.X either.

New Member

So let me get this straight. Cisco sold FAULTY software, and they have no intentions of fixing it?

This will be fun to watch!

I wonder if they realize just how many customers are staying on 7.1(5) because they dropped AC. Because the licensing doubled in price, and most customers don't need or want the new features. They sold a defective product, it is only a matter of time before they get held accountable for that. I guess Ford, GM and Dodge have gotten away with it, at least until someone gets hacked, and CISCO is RESPONSIBLE...

Fun times for FREEware, SOLD for a price.

lol
