I notice that the affected version, 220.127.116.1158-1 (SR3), is not available for download. The highest available as of 9/26/14 is SR2a, which is 18.104.22.16801-3.
I too am curious if lower versions of 9.1(2) are affected.
Oddly, I see that the description says 10.0 is affected, but the "Known Affected Releases" only says 9.1.2. So, is 10.0 affected or not?
What I noticed is they are not listing older versions on many of the "affected" systems, like WLC. I know that 7.6.130 has many issues prior to it that are basically the same with bug fixes.
What about Unity Connection, does it not also run on a Linux platform? Singlewire (Informacast) is also affected by this. Are all WAAS versions affected? There are a lot of systems out there, so knowing whether they are posting versions on the assumption that all prior releases are included is a must.
Keep an eye on this link and on the bugs for further information:
You may also open a TAC for further information.
The details listed in the defect description will be more accurate than the actual Version field, since there is a limit in being able to enumerate all versions. As described in the Symptoms listed in CSCur00930, UCM versions 8, 9, and 10 are impacted.
We are working to make that more clear in the published information.
Please note from the Security Advisory (http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash) that Unity Connection is listed on the impacted products, with CSCur05328 tracking that fix. This will be updated with more details as they are confirmed.
My customer set up UCM running on 22.214.171.12400-5, and I understand the patch (COP file) can be applied directly to handle this vulnerability.
From the case notes, I can see that the known fixed version in the 9.X series is 9.1(2.13060.1).
Can I proceed with upgrading the version from 126.96.36.19900-5 to 9.1(2.13060.1)?
Would that be enough to handle this bug, and I don't need to separately update the patch, right? Please suggest.
Yes, 188.8.131.5260-1 and later 9.1(2) versions have the bash Shellshock update included. Upgrading to that version will address this issue.
Unity Connection uses the same platform, including the same OS, in fact it is installed from the same DVD. My guess is the list of vulnerable products will grow as Cisco figures out what products use BASH.
To my understanding, all GNU Bash versions 4.3 and prior are vulnerable, and the above-mentioned operating system contains bash version 3.2 (32.el5). You can check with the command “show tech version”. The patch ciscocm.bashupgrade.cop.sgn should be applied on the affected version, and it fixes CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, and CVE-2014-7169.
I run a version 9.1.1. The COP file released the 1st of October requires version 9.1.2 to be applied. Does this mean we have to upgrade to 9.1.2 first and then apply the fix for BASH?
This COP can be applied to 9.1(1). However, please understand that there are other PSIRT fixes that 9.1(1) does *not* have (such as http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130821-cucm), which is why Cisco always recommends current versions such as 9.1(2).
One point to remind customers of who are planning upgrades *after* installing the bash patch (as called out in the Readme http://www.cisco.com/web/software/282204704/18582/CiscoBashCodeInjectionVulnerabilityPatchv2.pdf ):
"When upgrading to a new release of Cisco Unified Communications Manager, make sure that the updates in this release are included in the version you are upgrading to. If an ES or SU is installed after this update that does not also contain the fixes referenced in “Updates in This Release” then this update will need to be reapplied after the ES or SU is installed."
So, until Cisco has released a 9.1(2) version that also contains this bash fix (a 9.1(2)ES version first), anyone upgrading to 9.1(2) (recommended latest SU) will need to *re-apply this patch after the upgrade*. The defect details for CSCur00930 will continue to be updated with the Communications Manager versions that natively contain this patch as those are made available.
We are running CUCM version 9.1(2)SU1.
Do we need to apply ciscocm.bashupgrade.cop.sgn or should we upgrade to the latest CUCM 9.1(2)SU2a?
The COP file (ciscocm.bashupgrade.cop.sgn) is currently the only method of patching bash. 9.1(2)SU2a (released 21Aug2014) doesn't have the fix.
Once future UCM 9.1(2) versions have the bash fix included, the details in CSCur00930 will be updated to confirm those versions.
We are running CUCM version 7.1.3. Is this version affected? Is there any fix for this version? Do we need to upgrade BASH or should we upgrade CUCM? Should we wait for a fix for CUCM 7.1.3? What are the consequences of this threat? What degree of threat does ShellShock pose for CUCM 7.1.3?