Cisco Bug: CSCup94767 - Upgrade JDK to 1.7.0_65

Last Modified

Feb 01, 2017

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

10.5(1.10001.9)

Description (partial)

Symptom:
Cisco Unified Communications Domain Manager includes a version of Oracle Java that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-4244: Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent:
Security). Supported versions that are affected are Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5,
JRockit R27.8.2 and JRockit R28.3.2. Very difficult to exploit vulnerability allows successful unauthenticated
network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized
update, insert or delete access to some Java SE, JRockit accessible data as well as read access to a subset of
Java SE, JRockit accessible data. Note: Applies to client and server deployment of Java. This vulnerability
can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be
exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start
applications or sandboxed Java applets, such as through a web service. This has been classified by the vendor
as having a CVSSv2 Base Score of 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N).

CVE-2014-4263: Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent:
Security). Supported versions that are affected are Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5,
JRockit R27.8.2 and JRockit R28.3.2. Very difficult to exploit vulnerability allows successful unauthenticated
network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized
update, insert or delete access to some Java SE, JRockit accessible data as well as read access to a subset of
Java SE, JRockit accessible data. Note: Applies to Diffie-Hellman key agreement in client and server
deployment of Java. This has been classified by the vendor as having a CVSSv2 Base Score of 4.0
(AV:N/AC:H/Au:N/C:P/I:P/A:N).

CVE-2014-4264: Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported
versions that are affected are Java SE 7u60 and Java SE 8u5. Easily exploitable vulnerability allows
successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: Applies to client
and server deployment of JSSE. This has been classified by the vendor as having a CVSS Base Score of 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P).
 

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
