Cisco Bug: CSCup22670 - Multiple Vulnerabilities in OpenSSL - June 2014

Last Modified

Dec 15, 2019

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

10.0(1) 10.5(1.10000.7) 8.5(1) 8.6(2) 9.1(2)

Description (partial)

Symptom:
The following Cisco product:

Cisco Unified Communications Manager

includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-0076 - Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
CVE-2014-0195 - DTLS invalid fragment vulnerability
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-0224 - SSL/TLS MITM vulnerability

This bug has been opened to address the potential impact on this product.

Conditions:
Default Configuration running software versions:

CUCM 8.5(1) or prior
CUCM 8.6.2 or prior
CUCM 9.1.2 or prior
CUCM 10.0.1 or prior
CUCM 10.5.1 or prior

Related Community Discussions

Multiple Vulnerabilities in OpenSSL How to handle a change on CUCM to fixed software
Regarding Bug ID CSCup22670: I would like to ask which certificates are affected. During the upgrade to a fixed version, will those certificates be replaced by new ones? Is the CAPF private key affected? If yes, after generating a new private key for CAPF, will all LSC certificates for the endpoints be generated automatically? Regarding Bug ID CSCup22603: A similar question in regards to endpoints. Will the LSC certificate be automatically regenerated, or is there a need to regenerate a new certificate for each ...
Latest activity: Aug 05, 2014