Cisco Support Community
Community Member

CUCM SHellshock versions

Bug ID CSCur00930  lists version 9.1(2.13058.1) as affected.


Does this mean ONLY 9.1(2.13058.1) is affected, or does it mean 9.1(2.13058.1) and lower are affected? 

Everyone's tags (1)
Community Member

I notice that the affected

I notice that the affected version is (SR3) is not available for download. The highest available as of 9/26/14 is SR2a which is

I too am curious if lower versions of 9.1(2) are affected. 

Oddly, I see that the description says 10.0 is affected, but the "Known Affected Releases" only says 9.1.2.  So, is 10.0 affected or not?

Community Member

What I noticed is they are

What I noticed is they are not listing older versions on many of the "affected" systems, like WLC.  I know that 7.6.130 has many issues prior to it that are basically the same with bug fixes.


What about Unity Connection, does it not also run on a Linux platform? Singlewire(Informacast) is also affected by this.  Are all WAAS versions affected?  There are a lot of systems out there, so knowing if they are posting versions, with assuming all prior releases are included is a must know.

Cisco Employee

Keep an eye on this link and

Keep an eye on this link and on the bugs for further information:

You may also open a TAC for further information.



if this helps, please rate
Community Member

Already am, thats where I got

Already am, thats where I got the previous information from. It's deceiving though since it lists only one specific version.

Cisco Employee

The details listed in the

The details listed in the defect description will be more accurate than the actual Version field, since there is a limit in being able to enumerate all versions. As described in the Symptoms listed in CSCur00930, UCM versions 8, 9, and 10 are impacted.


We are working to make that more clear in the published information.


Please note from the Security Advisory ( that Unity Connection is listed on the impacted products, with CSCur05328 tracking that fix. This will be updated with more details as they are confirmed.

Community Member

My customer setup UCM running

My customer setup UCM running on & i understand, the patch - cop file can be applied directly to handle this vulnerability.

From the case notes, i can see that known fixed version in 9.X serious is - 9.1(2.13060.1).

Can i proceed with upgrade the version from to 9.1(2.13060.1) ?

Would that be enough to handle this bug & i don't need separately update the patch right ? Please suggest



Cisco Employee

Hi JP, Yes, and

Hi JP,


Yes, and later 9.1(2) versions have the bash Shellshock update included. Upgrading to that version will address this issue.

Community Member

Unity Connection uses the

Unity Connection uses the same platform, including the same OS, in fact it is installed from the same DVD.  My guess is the list of vulnerable products will grow as Cisco figures out what products use BASH.

Community Member

To my understanding  all the

To my understanding  all the GNU Bash versions 4.3 and prior are vulnerable and the above said operating system bash version contains  3.2 (32.el5). You can check with the command  “show tech version”. The patch  ciscocm.bashupgrade.cop.signs should be applied  on affected version and it fixes the CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, and CVE-2014-7169 .

Community Member

I run a version 9.1.1. The

I run a version 9.1.1. The COP file released the 1st of October requires version 9.1.2 to be applied. Does this mean we have to upgrade to 9.1.2 first and then apply the fix for BASH?

Cisco Employee

This COP can be applied to 9

This COP can be applied to 9.1(1). However, please understand that there are other PSIRT fixes that 9.1(1) does *not* have (such as, which is why Cisco always recommends current versions such as 9.1(2).

Community Member

Thank you kerussel, I will

Thank you kerussel, I will apply the shellshock hotfix asap, and then plan an upgrade to 9.1.2 in the next weeks.

Cisco Employee

One point to remind customers

One point to remind customers of who are planning upgrades *after* installing the bash patch (as called out in the Readme ):

"When upgrading to a new release of Cisco Unified Communications Manager, make sure that the updates in this release are included in the version you are upgrading to. If an ES or SU is installed after this update that does not also contain the fixes referenced in “Updates in This Release” then this update will need to be reapplied after the ES or SU is installed."


So, until Cisco has released a 9.1(2) version that also contains this bash fix (a 9.1(2)ES version first), anyone upgrading to 9.1(2) (recommended latest SU) will need to *re-apply this patch after the upgrade*. The defect details for CSCur00930 will continue to be updated with the Communications Manager versions that natively contain this patch as those are made available.


Hi Kenneth, we are running

Hi Kenneth,


we are running CUCM version 9.1(2)SU1


Do we need to apply ciscocm.bashupgrade.cop.sgn or should be upgrade to latest CUCM 9.1(2)SU2a?

Please advise.




Cisco Employee

The COP file (ciscocm

The COP file (ciscocm.bashupgrade.cop.sgn) is currently the only method of patching bash. 9.1(2)SU2a (released 21Aug2014) doesn't have the fix.


Once future UCM 9.1(2) versions have the bash fix included, the details in CSCur00930 will be updated to confirm those versions.


thanks for the same[+5] regds

thanks for the same[+5]




Community Member



we are running version CUCM 7.1.3. This version is affected?  Is there any fix to this version? Do we need to upgrade BASH or should be upgrade CUCM? Should we wait for any fix to CUCM 7.1.3? What consequences can be on this threat? What degree of threat ShellShock for CUCM 7.1.3?

CreatePlease to create content