10-09-2014 01:27 PM - edited 03-17-2019 04:33 PM
Has anyone seen the release notes for MR5? Want to make sure it has the bash fix before I apply it. CVE-2014-6271 still lists version 2.5 as first fixed version.
10-13-2014 03:13 AM
Hi,
The best place for information around the ShellShock bug is here:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Cisco WebEx Meeting Server is listed under Products Confirmed Not Vulnerable.
Regards,
Richard
10-20-2014 12:01 PM
Applied 2.0 MR5 for the bash vulnerability and it is now showing as vulnerable to the POODLE attack. Looks like CWMS is still under investigation according to Cisco (cisco-sa-20141015-poodle), but the test from ssllabs shows MR5 as vulnerable.
10-20-2014 12:07 PM
POODLE is a different type of vulnerability and hasn't been completely investigated on the CWMS side yet. 2.0 MR5 addresses just the ShellShock vulnerability.
-Dejan
10-13-2014 05:28 PM
As per "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash", CWMS has been confirmed not affected by the bash vulnerability.
****************************
The following Cisco products have been analyzed and are not affected by this vulnerability:
Cable Modems
Collaboration and Social Media
10-14-2014 01:36 PM
Hi Ankit,
CWMS 1.5 MR5 and 2.0 MR5 were released to address the BASH vulnerability. For some reason the Release Notes are not out yet, but if you look at the Readme file of the MR5 for both 1.5 and 2.0 you will see details about the vulnerability fixes.
I hope this will help, and that the Release Notes will be released sooner rather than later.
-Dejan
10-14-2014 02:53 PM
Thanks Dejan.
It is a bit confusing when I read the vulnerability page. I know that originally, when the vulnerability came out, CWMS was listed as an affected product, but now it is listed under products confirmed not vulnerable, and it does not specify the version either.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
10-14-2014 05:41 PM
Hi Ankit,
CWMS runs a version of BASH that is vulnerable. However, Cisco has analyzed this vulnerability and concluded that while the product may run a vulnerable version of BASH, there are no exploitation vectors present. Hence, CWMS is not impacted, but we still released 1.5 MR5 and 2.0 MR5 to address this vulnerability.
I hope this clarifies it a little bit.
-Dejan