Cisco TelePresence Video Communication Server Expressway Release Notes
Resolved issues
Cisco TelePresence Video Communication Server Software Release Notes (X8.2.1)
Page 12 of 32
Resolved in X8.1.1
Identifier
Description
CSCuo16472
Symptom: VCS includes a version of OpenSSL that is affected by the vulnerability identified by
the Common Vulnerability and Exposures (CVE) ID CVE-2014-0160. This bug has been opened
to address the potential impact on this product.
Conditions: Device with default configuration, running one of the following versions: X7.2 X7.2.1
X7.2.2 X7.2.3 RC2 X8.1. Version X7.1 and all prior versions are NOT vulnerable to this issue.
Workaround: Not currently available.
Further Problem Description: Additional details about this vulnerability can be found at
http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score.
The Base and Temporal CVSS scores as of the time of evaluation are 5/4.4:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. CVE-2014-0160 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
CSCul12855
Symptom: VCS systems enable a number of SSL ciphers by default. The default configuration in X8.1 is: ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-SHA:HIGH:!ADH:!aNULL.
This means that cipher suites that may be affected by issues such as the RC4 weakness (CVE-2013-2566), BEAST (CVE-2011-3389), or Lucky 13 (CVE-2013-0169) are enabled. By default no GUI method is provided to allow these values to be customized to a customer's security policy.
Conditions: VCS systems running a version of VCS software prior to X8.1.1.
Workaround: Customers may modify the ssl.conf file of the device and modify the cipher list to
that required to meet their security policy. Customers are advised to consult with Cisco TAC or
their authorized support provider for assistance with this modification.
Further Problem Description: This defect is opened as an enhancement to the current operation of the VCS. Future versions of the product will be modified to remove all known affected ciphers. This may also include a migration to TLS 1.2, and the ability to modify the ciphers in use from the GUI.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score.
The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:W/RC:C
CVE-2013-2566, CVE-2011-3389 and CVE-2013-0169 have been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
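As an added illustration of the CSCul12855 entry (this is example code written for this page, not Cisco's code and not part of the release notes), the Python script below takes an OpenSSL cipher string such as the X8.1 default quoted above, sorts each token into explicitly named suites, group keywords (HIGH) and exclusions, tags each named suite with the issues the entry cites, and builds a hardened string in which RC4 is dropped and hard-excluded. The function names and the classification rules (RC4 in the suite name maps to CVE-2013-2566; CBC suites with a SHA/MD5 MAC suffix map to Lucky 13, plus BEAST where the suite is negotiable under TLS 1.0) are assumptions of the example. Group keywords are reported rather than expanded, because what HIGH contains depends on the OpenSSL build; `openssl ciphers -v 'HIGH'` shows what a given build expands it to.

```python
"""Audit an OpenSSL-style cipher string for suites tied to RC4, BEAST and Lucky 13.

Example code for this page; classification rules below are assumptions, not an OpenSSL API.
"""
import re
from dataclasses import dataclass, field

# The X8.1 default quoted in CSCul12855.
VCS_X81_DEFAULT = "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-SHA:HIGH:!ADH:!aNULL"

RC4_ISSUE = "RC4 weakness (CVE-2013-2566)"
BEAST = "BEAST (CVE-2011-3389, TLS 1.0 only)"
LUCKY13 = "Lucky 13 (CVE-2013-0169)"

# Markers of AEAD bulk ciphers: no CBC padding, so neither BEAST nor Lucky 13 applies.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


@dataclass
class CipherAudit:
    suites: dict = field(default_factory=dict)    # explicit suite name -> list of issues
    keywords: list = field(default_factory=list)  # group keywords (HIGH, ...) needing expansion
    excluded: list = field(default_factory=list)  # tokens removed with "!" or "-"


def classify_suite(name: str) -> list:
    """Return the known issues an explicitly named OpenSSL suite is associated with
    (assumed rules: RC4 by name; CBC by MAC suffix; BEAST only for TLS 1.0-era suffixes)."""
    upper = name.upper()
    if "RC4" in upper:
        return [RC4_ISSUE]
    if any(marker in upper for marker in AEAD_MARKERS):
        return []
    # Non-AEAD suites with a HMAC suffix use CBC mode (AES128-SHA, DES-CBC3-SHA, ...).
    match = re.search(r"-(SHA|SHA256|SHA384|MD5)$", upper)
    if not match:
        return []
    issues = [LUCKY13]
    if match.group(1) in ("SHA", "MD5"):   # SHA256/SHA384 suites exist only in TLS 1.2
        issues.insert(0, BEAST)
    return issues


def audit_cipher_string(cipher_string: str) -> CipherAudit:
    """Walk an OpenSSL cipher list and sort its tokens into suites, keywords and exclusions."""
    audit = CipherAudit()
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token[0] in "!-":                 # "!" is a permanent kill, "-" a removable one
            audit.excluded.append(token[1:])
            continue
        if token[0] == "+":                  # "+" only reorders; the suite stays enabled
            token = token[1:]
        if token.startswith("@"):            # @STRENGTH / @SECLEVEL directives, not suites
            continue
        if "-" in token:                     # suite names contain hyphens, keywords do not
            audit.suites[token] = classify_suite(token)
        else:
            audit.keywords.append(token)
    return audit


def harden(cipher_string: str) -> str:
    """Drop explicitly listed RC4 suites and append a hard "!RC4" so group keywords such as
    HIGH cannot re-enable them. CBC suites are kept (removing them can break older clients)
    but stay flagged by audit_cipher_string for follow-up."""
    kept = []
    for token in cipher_string.split(":"):
        if not token:
            continue
        bare = token.lstrip("!-+")
        if token[0] not in "!-" and "-" in bare and RC4_ISSUE in classify_suite(bare):
            continue
        kept.append(token)
    if "!RC4" not in kept:
        kept.append("!RC4")
    return ":".join(kept)


if __name__ == "__main__":
    report = audit_cipher_string(VCS_X81_DEFAULT)
    for suite, issues in report.suites.items():
        print(f"{suite:28s} {'; '.join(issues) or 'no known issue'}")
    print("keywords needing expansion:", report.keywords)
    print("excluded:", report.excluded)
    print("hardened:", harden(VCS_X81_DEFAULT))
```

Run against the X8.1 default, the audit flags RC4-SHA for CVE-2013-2566 and ECDHE-RSA-AES128-SHA256 for Lucky 13, leaves AES128-GCM-SHA256 clean, and reports HIGH as a keyword whose contents must be checked against the build; the hardened string is the original with RC4-SHA removed and !RC4 appended.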
CSCul83652
Symptoms: All endpoint registrations are lost. A kernel panic is logged in the kernel log. The
system continues to run, but network traffic is affected for the VCS application. The only way to
recover is to reboot the system.
Conditions: Occurs only on VCS X8.1. On systems where it does occur, it happens very
infrequently. Has only been seen on systems behind a GRE tunnel.
Workaround: Use a cluster for registration resiliency.
Table 3: Issues resolved in X8.1.1