Cisco Bug: CSCus58161 - Multiple JDK vulnerabilities may affect CUCM, upgrade to 1.7.0_76

Last Modified

Feb 01, 2017

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

10.0(1.10000.24) 10.5(1.10000.7) 10.5(2.10000.5)

Description (partial)

Symptom:
Cisco Unified Communications Manager (CallManager) includes a version of Oracle Java that is affected by the
vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses
nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data
via a padding-oracle attack, aka the "POODLE" issue. This has been classified by the vendor as having a CVSSv2
score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2014-6593: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71
and 8u6; and JRockit R27.8.4 and R28.3.4 allows remote attackers to affect confidentiality and integrity via
vectors related to JSSE. This has been classified by the vendor as having a CVSSv2 score of 4.0
(AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE-2015-0383: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71
and 8u6; and JRockit R27.8.4 and R28.3.4 allows local users to affect integrity and availability via unknown
vectors related to Hotspot. This has been classified by the vendor as having a CVSSv2 score of 5.4
(AV:L/AC:M/Au:N/C:N/I:P/A:C)

CVE-2015-0410: Unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component in Oracle Java SE
5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows remote
attackers to affect availability via unknown vectors related to Security. This has been classified by the
vendor as having a CVSSv2 score of 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

This bug was opened to address the potential impact on this product.
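Of the four CVEs above, only POODLE (CVE-2014-3566) can be checked from the outside: an exposed TLS listener is affected if it still completes an SSLv3 handshake. The probe below is an added example, not code from the Cisco bug record or from CUCM. Modern Python ssl builds cannot speak SSLv3, so it builds the SSLv3 ClientHello record by hand, sends it, and classifies the server's first record. The two sample server responses embedded at the bottom are constructed, not captured from any real host; the host, port and cipher-suite list are illustrative choices.

```python
"""Probe whether a TLS endpoint still completes an SSLv3 handshake (POODLE, CVE-2014-3566).

Added example; not part of the Cisco bug page. Modern Python ssl builds cannot speak
SSLv3, so the ClientHello is built by hand and the server's first record is parsed
by hand. The two sample server responses at the bottom are constructed, not captured.
"""
import os
import socket
import struct

SSL3_VERSION = 0x0300
RECORD_ALERT = 0x15
RECORD_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# A few cipher suites an SSLv3 server would recognise (values from RFC 6101 / RFC 5246).
SSL3_CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)


def build_sslv3_client_hello(client_random=None):
    """Return one SSLv3 record carrying a ClientHello that offers SSLv3 only, no extensions."""
    client_random = client_random or os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in SSL3_CIPHER_SUITES)
    body = (
        struct.pack("!H", SSL3_VERSION)            # client_version = 3.0
        + client_random
        + b"\x00"                                    # session_id: empty
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                # compression_methods: null only
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", SSL3_VERSION, len(handshake)) + handshake


def classify_server_response(data):
    """Classify the first record a server returns to an SSLv3-only ClientHello.

    "sslv3-accepted": a ServerHello whose version field is 3.0 (POODLE-exposed).
    "sslv3-rejected": an alert record, or the connection closed before any record.
    "other":          anything else (worth a manual look).
    """
    if len(data) < 5:
        return "sslv3-rejected"
    content_type, _record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == RECORD_ALERT:
        return "sslv3-rejected"
    if content_type == RECORD_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        server_version = struct.unpack("!H", payload[4:6])[0]   # after type(1) + length(3)
        if server_version == SSL3_VERSION:
            return "sslv3-accepted"
    return "other"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello, and classify what comes back (live network call)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_server_response(data)


# Constructed sample: a server that still negotiates SSLv3 answers with a ServerHello
# (38-byte body: version, 32-byte random, empty session id, suite 0x002F, null compression).
SAMPLE_SERVER_HELLO_SSL3 = (
    bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", SSL3_VERSION, 42)
    + bytes([HS_SERVER_HELLO]) + (38).to_bytes(3, "big")
    + struct.pack("!H", SSL3_VERSION) + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
)
# Constructed sample: a server with SSLv3 disabled answers with a fatal protocol_version alert (2, 70).
SAMPLE_ALERT_PROTOCOL_VERSION = bytes([RECORD_ALERT]) + struct.pack("!HH", SSL3_VERSION, 2) + b"\x02\x46"

if __name__ == "__main__":
    print("sample ServerHello ->", classify_server_response(SAMPLE_SERVER_HELLO_SSL3))
    print("sample alert       ->", classify_server_response(SAMPLE_ALERT_PROTOCOL_VERSION))
    # Live check against a host you are authorised to test, e.g.:
    # print(probe_sslv3("cucm.example.internal", 443))
```

A ServerHello with version 0x0300 means the endpoint will finish an SSLv3 handshake and is exposed to the padding-oracle attack; a server with SSLv3 disabled sends an alert (typically protocol_version or handshake_failure) or simply closes the connection. This only tests the server side of the listener you point it at; the JSSE issue (CVE-2014-6593) concerns the Java client stack and is addressed by the JDK upgrade named in the title, not by anything a remote probe can observe.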

Conditions:
Running a version of the software prior to the Known Fixed Releases.
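Turning that condition into an inventory check means comparing a CUCM release string such as 10.5(2.10000.5) against the fixed release on the same train, since a fix on the 10.5 train says nothing about a 10.0 system. The parser and comparison below are an added example, not part of the Cisco bug record. The three affected releases are the ones listed on this page; the page does not show the Known Fixed Releases, so the fixed-release list is an input the reader supplies from the full bug record, and the demonstration at the bottom reuses the page's own affected release strings as stand-in inputs purely to exercise the comparison.

```python
"""Compare Cisco Unified CM release strings against the fixed release on the same train.

Added example; not from the Cisco bug page. The three affected releases are the ones the
page lists. The page does not show the Known Fixed Releases, so the fixed_releases
argument is whatever the reader takes from the full bug record.
"""
import re
from typing import Optional, Sequence, Tuple

AFFECTED_RELEASES = ("10.0(1.10000.24)", "10.5(1.10000.7)", "10.5(2.10000.5)")  # from the page

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\.(\d+)\.(\d+)\)$")


def parse_cucm_release(release: str) -> Tuple[Tuple[int, int], Tuple[int, int, int]]:
    """'10.5(2.10000.5)' -> ((10, 5), (2, 10000, 5)): the train and the build within it."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised CUCM release string: {release!r}")
    n = tuple(int(x) for x in m.groups())
    return (n[0], n[1]), (n[2], n[3], n[4])


def is_affected(installed: str, fixed_releases: Sequence[str]) -> Optional[bool]:
    """True when installed is older than the earliest fixed release on its train,
    False when it is at or past it, None when no fixed release is known for that train."""
    train, build = parse_cucm_release(installed)
    fixed_on_train = [parse_cucm_release(f)[1] for f in fixed_releases
                      if parse_cucm_release(f)[0] == train]
    if not fixed_on_train:
        return None
    return build < min(fixed_on_train)


if __name__ == "__main__":
    # Stand-in only: the page's last affected release used as the "fixed" input
    # so the comparison can be exercised without the Known Fixed Releases list.
    stand_in_fixed = ["10.5(2.10000.5)"]
    for rel in AFFECTED_RELEASES:
        print(rel, "->", is_affected(rel, stand_in_fixed))
```

A None result is the case to watch in an inventory script: a train with no recorded fixed release should be flagged for manual review rather than silently treated as patched.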
