Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.


Release notes for CWMS MR5

Has anyone seen the release notes for MR5? Want to make sure it has the bash fix before I apply it.  CVE-2014-6271 still lists version 2.5 as first fixed version.


Hi,The best place for


The best place for information around the ShellShock bug is here;

Cisco WebEx Meeting Server is listed under Products Confirmed Not Vulnerable.




Applyed 2.0 MR5 for bash

Applyed 2.0 MR5 for bash vulnerability and now showing vulnerable for POODLE attack. Looks like CWMS is still under investigation according to Cisco (cisco-sa-20141015-poodle) but test from ssllabs shows MR5 as vulnerable.

Cisco Employee

POODLE is different type of

POODLE is different type of vulnerability and hasn't been completely investigated on CWMS side yet. 2.0 MR5 addresses just ShellShock vulnerability.



New Member

As per "

As per "", CWMS has been confirmed not affected by bash vulnerability.


The following Cisco products have been analyzed and are not affected by this vulnerability: 

Cable Modems

  • Digital Life RMS
  • Cisco Broadband Access Center Telco Wireless 3.8.1

Collaboration and Social Media

  • Cisco WebEx Meetings Server (CWMS)
  • Cisco WebEx Social
  • *********************************************************


Cisco Employee

Hi Ankit, CWMS 1.5 MR5 and 2

Hi Ankit,


CWMS 1.5 MR5 and 2.0 MR5 were released to address BASH vulnerability. For some reason Release Notes are not out yet, but if you look at the Readme file of the MR5 for both 1.5 and 2.0 you will see details about the vulnerability fixes.


I hope this will help, and that Release Notes will be released sooner than later.



New Member

Thanks Dejan. It is bit

Thanks Dejan.


It is bit confusing when I read vulnerability page. I know that originally when vulnerability came out, CWMS was listed as an affected product, but now it is listed under product confirmed not vulnerable, it does not specify the version as well.

Cisco Employee

Hi Ankit, CWMS runs a version

Hi Ankit,


CWMS runs a version of BASH that is vulnerable. However, Cisco has analyzed this vulnerability and concluded that while the product may run a vulnerable version of BASH, there are no exploitation vectors present. Hence, CWMS is not impacted, but we still released 1.5 MR5 and 2.0 MR5 to address this vulnerability. 

I hope this clarifies it a little bit.