Cisco Bug: CSCup22627 - Multiple Vulnerabilities in OpenSSL - June 2014

Last Modified

Dec 10, 2018

Products (8)

  • Cisco Unified Communications Manager IM & Presence Service
  • Cisco Unified Communications Manager IM and Presence Service Version 10.5
  • Cisco Unified Communications Manager IM and Presence Service Version 9.1
  • Cisco Unified Communications Manager IM and Presence Service Version 9.0
  • Cisco Unified Presence Version 8.5
  • Cisco Unified Communications Manager IM and Presence Service Version 10.0
  • Cisco Unified Presence Version 8.6
  • Cisco Unified Presence Version 8.0

Known Affected Releases

10.0(1) 10.5(1) 8.0(1) 8.0(2) 8.0(3) 8.0(4) 8.5(1) 8.5(2) 8.5(3) 8.6(1) 8.6(2) 8.6(3) 8.6(4) 8.6(5) 9.0(1) 9.1(1)

Description (partial)

Symptom:
The following Cisco products:

CUCM IM and Presence Service 10.5(1)
CUCM IM and Presence Service 10.0(1) including all SU releases, up to SU1

include a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-0224 - SSL/TLS MITM vulnerability
CVE-2014-0198 - SSL_MODE_RELEASE_BUFFERS NULL pointer dereference 
CVE-2010-5298 - SSL_MODE_RELEASE_BUFFERS session injection or denial of service
CVE-2014-3470 - Anonymous ECDH denial of service
CVE-2014-0076 - ECDSA NONCE Side-Channel Recovery Attack

These other Cisco products:

CUCM IM and Presence Service 9.1(1) including all SU releases, up to SU3
CUCM IM and Presence Service 9.0(1)
Cisco Unified Presence 8.6 including all SU releases
Cisco Unified Presence 8.5 including all SU releases
Cisco Unified Presence 8.0 including all SU releases

include a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-0224 - SSL/TLS MITM vulnerability
CVE-2014-3470 - Anonymous ECDH denial of service
CVE-2014-0076 - ECDSA NONCE Side-Channel Recovery Attack

This bug has been opened to address the potential impact on this product.

Conditions:
Devices with default configuration.

The following services are affected:
Cisco SIP Proxy
Cisco Presence Engine
Cisco XCP Web Connection Manager
Cisco XCP Connection Manager
Cisco XCP XMPP Federation Connection Manager
Cisco XCP Directory Service
Cisco XCP Router
Cisco XCP Text Conference Manager
Cisco XCP Message Archiver

Note:
The Cisco XCP Text Conference Manager and Cisco XCP Message Archiver services are only affected in the following product version, as all previous versions do not support TLS for these services: CUCM IM and Presence Service 10.5(1)