Cisco Cisco Expressway Release Notes
Open and Resolved Issues
Unified Communications Cisco Expressway Series Software Release Notes (X8.5)
Page 10 of 23
Resolved in X8.1.1
Identifier
Description
CSCuo16472
Symptom: Expressway includes a version of OpenSSL that is affected by the vulnerability
identified by the Common Vulnerability and Exposures (CVE) ID CVE-2014-0160. This bug has
been opened to address the potential impact on this product.
identified by the Common Vulnerability and Exposures (CVE) ID CVE-2014-0160. This bug has
been opened to address the potential impact on this product.
Conditions: Device with default configuration, running one of the following versions: X7.2 X7.2.1
X7.2.2 X7.2.3 RC2 X8.1. Version X7.1 and all prior versions are NOT vulnerable to this issue.
X7.2.2 X7.2.3 RC2 X8.1. Version X7.1 and all prior versions are NOT vulnerable to this issue.
Workaround: Not currently available.
Further Problem Description: Additional details about this vulnerability can be found at
http://cve.mitre.org/cve/cve.html
http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score.
The Base and Temporal CVSS scores as of the time of evaluation are 5/4.4:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector
=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C The Cisco PSIRT has assigned this score based
on information obtained from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not reflect the actual impact
on the Cisco Product. CVE-2014-0160 has been assigned to document this issue. Additional
information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
The Base and Temporal CVSS scores as of the time of evaluation are 5/4.4:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector
=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C The Cisco PSIRT has assigned this score based
on information obtained from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not reflect the actual impact
on the Cisco Product. CVE-2014-0160 has been assigned to document this issue. Additional
information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
CSCul12855
Symptom: Expressway systems enable a number of SSL ciphers by default. The default
configuration in X8.1 is: ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-
SHA:HIGH:!ADH:!aNULL. This means that suites that may be affected by issues such as the RC4
weakness (CVE-2013-2566), BEAST (CVE-2011-3389), or Lucky 13 (CVE-2013-0169). By
default no GUI method is provided to allow the customization of these values to a customer's
security policy.
configuration in X8.1 is: ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-
SHA:HIGH:!ADH:!aNULL. This means that suites that may be affected by issues such as the RC4
weakness (CVE-2013-2566), BEAST (CVE-2011-3389), or Lucky 13 (CVE-2013-0169). By
default no GUI method is provided to allow the customization of these values to a customer's
security policy.
Conditions: Expressway systems running a version of Expressway software prior to X8.1.1.
Workaround: Customers may modify the ssl.conf file of the device and modify the cipher list to
that required to meet their security policy. Customers are advised to consult with Cisco TAC or
their authorized support provider for assistance with this modification.
that required to meet their security policy. Customers are advised to consult with Cisco TAC or
their authorized support provider for assistance with this modification.
Further Problem Description: This defect is opened as an enhancement to the current
operation of the Expressway. Future versions of the product will be modified to remove all known
affected ciphers. This may also include a migration to TSL 1.2, and the ability to modify the
ciphers in use from the GUI.
operation of the Expressway. Future versions of the product will be modified to remove all known
affected ciphers. This may also include a migration to TSL 1.2, and the ability to modify the
ciphers in use from the GUI.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score.
The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:W/RC:C CVE-2013-2566, CVE-2011-
3389 and CVE-2013-0169 have been assigned to this issue. Additional information on Cisco's
security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:W/RC:C CVE-2013-2566, CVE-2011-
3389 and CVE-2013-0169 have been assigned to this issue. Additional information on Cisco's
security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCul83652
Symptoms: All endpoint registrations are lost. A kernel panic is logged in the kernel log. The
system continues to run, but network traffic is affected for the Expressway application. The only
way to recover is to reboot the system.
system continues to run, but network traffic is affected for the Expressway application. The only
way to recover is to reboot the system.
Conditions: Occurs only on Expressway X8.1. On systems where it does occur, it happens very
infrequently. Has only been seen on systems behind a GRE tunnel.
infrequently. Has only been seen on systems behind a GRE tunnel.
Workaround: Use a cluster for registration resiliency.
Table 5: Issues resolved in X8.1.1