
Release notes for CWMS MR5

Brad Martin
Level 3

Has anyone seen the release notes for MR5? Want to make sure it has the bash fix before I apply it.  CVE-2014-6271 still lists version 2.5 as first fixed version.

7 Replies

Richard Simmons
Level 3

Hi,

The best place for information around the ShellShock bug is here:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

Cisco WebEx Meeting Server is listed under Products Confirmed Not Vulnerable.

Regards,

Richard 

Applied 2.0 MR5 for the bash vulnerability and it is now showing as vulnerable to the POODLE attack. Looks like CWMS is still under investigation according to Cisco (cisco-sa-20141015-poodle) but a test from ssllabs shows MR5 as vulnerable.

POODLE is a different type of vulnerability and hasn't been completely investigated on the CWMS side yet. 2.0 MR5 addresses just the ShellShock vulnerability.

 

-Dejan

ankit.joshi
Level 1

As per "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash", CWMS has been confirmed not affected by the bash vulnerability.

****************************

The following Cisco products have been analyzed and are not affected by this vulnerability: 

Cable Modems

  • Digital Life RMS 1.8.1.1
  • Cisco Broadband Access Center Telco Wireless 3.8.1


Collaboration and Social Media

  • Cisco WebEx Meetings Server (CWMS)
  • Cisco WebEx Social

*********************************************************

 

Hi Ankit,

 

CWMS 1.5 MR5 and 2.0 MR5 were released to address the BASH vulnerability. For some reason the Release Notes are not out yet, but if you look at the Readme file of MR5 for both 1.5 and 2.0 you will see details about the vulnerability fixes.

I hope this will help, and that the Release Notes will be released sooner rather than later.

 

-Dejan

Thanks Dejan.

 

It is a bit confusing when I read the vulnerability page. I know that originally, when the vulnerability came out, CWMS was listed as an affected product, but now it is listed under products confirmed not vulnerable, and it does not specify the version either.

 

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

Hi Ankit,

 

CWMS runs a version of BASH that is vulnerable. However, Cisco has analyzed this vulnerability and concluded that while the product may run a vulnerable version of BASH, there are no exploitation vectors present. Hence, CWMS is not impacted, but we still released 1.5 MR5 and 2.0 MR5 to address this vulnerability. 

I hope this clarifies it a little bit.

 

-Dejan