Cisco Bug: CSCuo31083 - Upgrade JDK to 1.7.0_55

Last Modified

Jan 30, 2020

Products (3)

  • Cisco Unified Communications Manager (CallManager)
  • Cisco Intercompany Media Engine
  • Cisco Unified Communications Manager Version 10.0

Known Affected Releases

10.0(1)

Description (partial)

Symptom:
Cisco Unified Communications Manager (CallManager) contains a version of Oracle Java that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2013-6629: The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as
used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain
duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers,
which allows remote attackers to obtain sensitive information from uninitialized memory locations via a
crafted JPEG image. This has been classified by the vendor as having a CVSSv2 score of 5.0
(AV:N/AC:L/AU:N/C:P/I:N/A:N)

CVE-2013-6954: The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a
denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a
NULL palette, related to pngrtran.c and pngset.c. This has been classified by the vendor as having a CVSSv2
score of 5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)

CVE-2014-0429: Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and
R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to 2D. This has been classified by the vendor as having a CVSSv2
score of 10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)

CVE-2014-0432: Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows
remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to
Libraries, a different vulnerability than CVE-2014-0455 and CVE-2014-2402. This has been classified by the
vendor as having a CVSSv2 score of 9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)

CVE-2014-0446: Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded
7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors
related to Libraries. This has been classified by the vendor as having a CVSSv2 score of 7.5
(AV:N/AC:L/AU:N/C:P/I:P/A:P)

CVE-2014-0448: Unspecified vulnerability in Oracle Java SE 7u51 and 8 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors related to Deployment. This has been
classified by the vendor as having a CVSSv2 score of 7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)

CVE-2014-0449: Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51,
allows remote attackers to affect confidentiality via unknown vectors related to Deployment. This has been
classified by the vendor as having a CVSSv2 score of 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)

CVE-2014-0451: Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded
7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to
AWT, a different vulnerability than CVE-2014-2412. This has been classified by the vendor as having a CVSSv2
score of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)

CVE-2014-0452: Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51,
allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS,
a different vulnerability than CVE-2014-0458 and CVE-2014-2423. This has been classified by the vendor as
having a CVSSv2 score of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)

CVE-2014-0453: Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and
R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via unknown
vectors related to Security. This has been classified by the vendor as having a CVSSv2 score of 4.0
(AV:N/AC:H/AU:N/C:P/I:P/A:N)

CVE-2014-0454: Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows
remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to
Security. This has been classified by the vendor as having a CVSSv2 score of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)

CVE-2014-0455: Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows
remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to
Libraries, a different vulnerability than CVE-2014-0432 and CVE-2014-2402. This has been classified by the
vendor as having a CVSSv2 score of 9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)

CVE-2014-0456: Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51,
allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to
Hotspot. This has been classified by the vendor as having a CVSSv2 score of 10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)

CVE-2014-0457: Unspecified vulnerability in Oracle Java SE 5.0u61, SE 6u71, 7u51, and 8; JRockit R27.8.1 and
R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to Libraries. This has been classified by the vendor as having a
CVSSv2 score of 10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)

CVE-2014-0458: Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51,
allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS,
a different vulnerability than CVE-2014-0452 and CVE-2014-2423. This has been classified by the vendor as
having a CVSSv2 score of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)

CVE-2014-0459: Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows
remote attackers to affect availability via unknown vectors related to 2D. This has been classified by the
vendor as having a CVSSv2 score of 4.3 (AV:N/AC:M/AU:N/C:N/I:N/A:P)

CVE-2014-0460: Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and
R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via vectors
related to JNDI. This has been classified by the vendor as having a CVSSv2 score of 5.8
(AV:N/AC:M/AU:N/C:P/I:P/A:N)

CVE-2014-0461: Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51,
allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to
Libraries. This has been classified by the vendor as having a CVSSv2 score of 9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)

CVE-2014-0463: Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality
via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0464. This has been
classified by the vendor as having a CVSSv2 score of 4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N)

CVE-2014-0464: Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality
via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0463. This has been
classified by the vendor as having a CVSSv2 score of 4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N)

CVE-2014-1876: The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6, 7, and 8; Oracle
Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 does not securely
create temporary files when a log file cannot be opened, which allows local users to overwrite arbitrary files
via a symlink attack on /tmp/unpack.log. This has been classified by the vendor as having a CVSSv2 score of
4.4 (AV:L/AC:M/AU:N/C:P/I:P/A:P)

CVE-2014-2397: Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows
remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to
Hotspot. This has been classified by the vendor as having a CVSSv2 score of 9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)

CVE-2014-2398: Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and
JRockit R27.8.1 and R28.3.1 allows remote authenticated users to affect integrity via unknown vectors related
to Javadoc. This has been classified by the vendor as having a CVSSv2 score of 3.5
(AV:N/AC:M/AU:S/C:N/I:P/A:N)

CVE-2014-2401: Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java
SE Embedded 7u51 allows remote attackers to affect confidentiality via unknown vectors related to 2D. This has
been classified by the vendor as having a CVSSv2 score of 5.0 (AV:N/AC:L/AU:N/C:N/I:P/A:N)

CVE-2014-2402: Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows
remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to
Libraries, a different vulnerability than CVE-2014-0432 and CVE-2014-0455. This has been classified by the
vendor as having a CVSSv2 score of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)

CVE-2014-2403: Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51,
allows remote attackers to affect confidentiality via vectors related to JAXP. This has been classified by the
vendor as having a CVSSv2 score of 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)

CVE-2014-2409: Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51,
allows remote attackers to affect confidentiality and integrity via unknown vectors related to
Deployment. This has been classified by the vendor as having a CVSSv2 score of 6.4
(AV:N/AC:L/AU:N/C:P/I:P/A:N)

CVE-2014-2410: Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors related to JavaFX. This has been classified
by the vendor as having a CVSSv2 score of 9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)

CVE-2014-2412: Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, SE 7u51, and 8, and Java SE Embedded
7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to
AWT, a different vulnerability than CVE-2014-0451. This has been classified by the vendor as having a CVSSv2
score of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)

CVE-2014-2413: Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows
remote attackers to affect integrity via unknown vectors related to Libraries. This has been classified by the
vendor as having a CVSSv2 score of 4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)

CVE-2014-2414: Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51,
allows remote attackers to affect confidentiality, integrity, and availability via vectors related to
JAXB. This has been classified by the vendor as having a CVSSv2 score of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)

CVE-2014-2420: Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51,
allows remote attackers to affect integrity via unknown vectors related to Deployment. This has been
classified by the vendor as having a CVSSv2 score of 2.6 (AV:N/AC:H/AU:N/C:N/I:P/A:N)

CVE-2014-2421: Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java
SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown
vectors related to 2D. This has been classified by the vendor as having a CVSSv2 score of 10.0
(AV:N/AC:L/AU:N/C:C/I:C/A:C)

CVE-2014-2422: Unspecified vulnerability in Oracle Java SE 7u51 and 8, and JavaFX 2.2.51, allows remote
attackers to affect confidentiality, integrity, and availability via unknown vectors. This has been classified
by the vendor as having a CVSSv2 score of 6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)

CVE-2014-2423: Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51,
allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS,
a different vulnerability than CVE-2014-0452 and CVE-2014-0458. This has been classified by the vendor as
having a CVSSv2 score of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)

CVE-2014-2427: Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded
7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors
related to Sound. This has been classified by the vendor as having a CVSSv2 score of 7.5
(AV:N/AC:L/AU:N/C:P/I:P/A:P)

CVE-2014-2428: Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51,
allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to
Deployment. This has been classified by the vendor as having a CVSSv2 score of 7.6
(AV:N/AC:H/AU:N/C:C/I:C/A:C)

This bug was opened to address the potential impact on this product.

Conditions:
Running a version of CallManager prior to this bug fix.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
