Cisco TelePresence Video Communication Server Expressway Release Notes
Resolved caveats
Cisco TelePresence Video Communication Server X7.2 Software Release Notes
Identifier
Summary
B2BUA will result in a 407 Proxy Authentication Required response from the VCS. Eventually
the B2BUA gives up sending SUBSCRIBE messages and this results in failed subscription
states for B2BUA/Lync users. This does not affect customers still using OCS Relay (rather
than the B2BUA).
This issue is resolved; subscribe messages now include a P-Asserted-Identity header.
CSCtt14099
Duo Video fails from an H.323 endpoint: Duo Video from an H.323 endpoint can fail when
using BFCP and interworking with SIP.
CSCtt41169
VCS rejects outgoing call from specific device registered on it
Requests to FindMe from an H.323 device which has a large number of aliases associated
with it will fail. This is especially relevant to large MCUs and MPSs.
CSCts60535
Encryption status under call summary is shown as none: active calls always show the
encryption status as none. When the call is completed the call history shows the correct
status.
The correct encryption status is now displayed for active calls.
Resolved in X7.0.1
Identifier
Summary
CSCts87885
DNS lookup problems that make VCS appear to have a hardware fault: for a Cisco VCS
Expressway running X7.0 with DNS zones configured (e.g. for business to business calling),
it has been observed when there are DNS lookup issues that the VCS may get into a hung
state. When the DNS lookup problem occurs the VCS does not respond to Web, SSH, Telnet
or Serial access.
Resolved in X7.0
Security-related issues
Identifier
Summary
CSCtr80182
DNS cache poisoning attacks CVE-2008-1447: previous releases of Cisco VCS were
vulnerable to CVE-2008-1447. Version X7.0 has been upgraded to use dnsmasq 2.57 which
has resolved the issue.
CSCtr80196
OpenSSL Ciphersuite Downgrade Attack CVE-2010-4180 and OpenSSL ClientHello
vulnerability CVE-2011-0014: previous releases of Cisco VCS were vulnerable to
CVE-2010-4180 and CVE-2011-0014. Version X7.0 has been upgraded to use OpenSSL 1.0.0d,
which has resolved the issue.
CSCtr32396
VCS Command Injection Vulnerability
Symptoms: administrator-entered values within the administrative interfaces of the Cisco
VCS may not be properly sanitized. This could allow a malicious administrator to cause
arbitrary commands to be executed on the underlying system.
Conditions: a device is running an affected version of Cisco VCS.
Workaround: restrict access to the administrative interfaces to trusted users only.
Further Problem Description: while this issue may allow an authenticated, remote attacker
to cause arbitrary commands to be executed, any successful command execution is
performed under the restricted 'nobody' account, restricting the direct impact of this issue.
Malicious values that are entered via the command line interface may not be immediately
executed, and instead the malicious actions may be performed the next time an administrator
accesses a page containing the malicious value via the administrative web interface.
PSIRT Evaluation: the Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/5.4:
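
The deferred execution described under CSCtr32396 (a value stored through one interface and acted on later, when a page that uses it is viewed) means the check belongs at the point of use as well as at entry. The following Python is an added example, not Cisco's code; the `ntp_server` setting, the `probe` command and all function names are hypothetical.

```python
import re
import subprocess
import sys

# Constructed stand-in for the appliance's configuration store; the CLI and the
# web interface both write to it, and a status page later reads from it.
CONFIG = {}

# Allowlist for a hypothetical "ntp_server" setting: hostname characters only,
# and no leading '-' so the value cannot be read as a command option.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def is_valid_host(value):
    """True only for values made of hostname characters (no shell metacharacters)."""
    return isinstance(value, str) and HOSTNAME_RE.fullmatch(value) is not None


def set_ntp_server(value):
    """Write path (CLI or web): reject bad input before it is ever stored."""
    if not is_valid_host(value):
        raise ValueError("invalid host name")
    CONFIG["ntp_server"] = value


def unsafe_command_line(value):
    """BEFORE: the pattern to avoid. A stored value is pasted into a string that
    a shell would parse, so metacharacters in it become shell syntax."""
    return "probe --host " + value  # shown as a string only, never executed here


def probe_argv(value):
    """AFTER: re-validate at the point of use (the stored value may predate the
    write-path check) and build an argument vector, so no shell parses it."""
    if not is_valid_host(value):
        raise ValueError("stored value failed validation; refusing to run")
    # Harmless stand-in for the real diagnostic binary: prints its one argument.
    return [sys.executable, "-c", "import sys; print(sys.argv[1])", value]


def render_status_page():
    """Read path: runs the probe with the stored setting when the page is viewed."""
    argv = probe_argv(CONFIG["ntp_server"])
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()
```

Validating again in `probe_argv` covers values that reached the store before the write-path check existed or through an interface that lacks it.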