I rarely post twice in the same day, and most of it is scheduled days in advance; however, I thought this one was important. Cisco just released the following fix that looks to address/patch this vulnerability.
Here is the CCO link to download and install the patch on your new and upgraded UCCX 11.5 servers.
Here is the link to the readme (not much information on the whole thing, just the installation instructions).
What is the deal?
In the past few weeks, a vulnerability was discovered in software that uses Apache Struts2… I think it may not be right if I go and explain the whole thing, because I might miss a few important things, but basically the vulnerability enables an attacker to perform remote code execution on the server running it. I decided to add the link –> follow this link (Talos); I don't own that explanation 🙂
I was under the impression that UCCX was not affected, as the initial post does not list it as affected.
In case you want to know more about this vulnerability, look at the Apache website.
For more important vulnerability reports from Apache Struts 2, follow this link.
Cisco Affected Software
Now, talking more about all the Cisco products that are confirmed affected by the vulnerability: please take a look at this link (CVE-ID CVE-2017-5638).
What to look forward to?
I think it is very important for us as consultants, engineers, and network/voice administrators to look at the most recent UCCX 11.5 installations and install this patch on any of the affected software you may have running or installed in the previous months.
Patch those servers!!
About the Author:
Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 13 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, as well as financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies, such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security, and hosted IPT service provider infrastructures.