Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Bash Bug -- CUCM evaluation for CVE-2014-6271 and CVE-2014-7169

Since a lot of queries are coming up regarding the Bash bug, posting the bug link for the same here

https://tools.cisco.com/bugsearch/bug/CSCur00930/?reffering_site=dumpcr

Symptoms:
The Cisco Unified Communications Manager (UCM) 10.0 includes a version of bash that is affected by the vulnerabilities
identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-6271
CVE-2014-7169

This bug has been opened to address the potential impact on this product.

Conditions:
Devices with default configuration.

Workaround:
Not available.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Comments
VIP Purple

Hi Manish,

I could find ciscocm.bashupgrade.cop.sgn available on below Cisco site

http://software.cisco.com/download/release.html?mdfid=284603371&softwareid=282204704&release=COP-Files&flowid=45680

Any advise how do we proceed to exexcute this cop file , we have got CUCM 9.1(2)SU1?

 

regds,

aman

Hi Aman,

The installation requirements and process for the same is outlined in the read me file here

http://www.cisco.com/web/software/282204704/18582/CiscoBashCodeInjectionVulnerabilityPatchv2.pdf

HTH

Manish

 

VIP Purple

Thanks Manish for the same[+5].

Let me take call with customer so that we can apply the same.

there is a similar discussion in which show tech version is being discussed .

https://supportforums.cisco.com/discussion/12311531/cucm-shellshock-versions#comment-9986951

Any idea if we could check something related to bash.

regds,

aman

 

1026
Views
5
Helpful
3
Comments