Jumping in -

Updates are WIP, Lelio. My expectation, as of the timestamp of this email, is that 
UCM 9.x may not be affected. 10.x may be affected.

We are still validating.

-Wes
________________________________
From: cisco-voip [[email protected]] on behalf of Lelio Fulgenzi [[email protected]]
Sent: Thursday, April 10, 2014 4:47 PM
To: Brian Meade
Cc: cisco-voip voyp list
Subject: Re: [cisco-voip] openSSL and heartbleed

Brian,

In reading the advisory, it's not clear if Communication Manager v9 and earlier 
is addressed. There is something called Cisco Unified Communication Server 
(UCM) 9.2 and earlier, but that's confusing because it's not the name and there 
is no v9.2 available.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

Any chance on getting this cleared up?

Lelio


---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519‐824‐4120 Ext 56354
[email protected]
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1

________________________________
From: "Brian Meade" <[email protected]>
To: "Lelio Fulgenzi" <[email protected]>
Cc: "cisco-voip voyp list" <[email protected]>
Sent: Tuesday, April 8, 2014 7:49:18 PM
Subject: Re: [cisco-voip] openSSL and heartbleed


Should all be the same underlying OS.  10.x would be the only one I'd worry 
about until someone can check if it is vulnerable since it may have a newer 
openssl version.

On Apr 8, 2014 7:34 PM, "Lelio Fulgenzi" <[email protected]> wrote:
Thanks Brian.

Can we assume that ELM and UCCx are also not affected? Same 9.x train.



Sent from my iPhone

On 2014-04-08, at 7:21 PM, Brian Meade <[email protected]> wrote:

Here we can see CUCM does not respond to the Heartbeat Request with any data:
[image.png: packet capture not included in the archived message]

For the root inclined, we can find what openssl version is running:
[root@CUCM912 ~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

This new heartbeat bug isn't valid as OpenSSL didn't even implement responding 
to the Heartbeat Requests until version 1.0.1.  This is why CUCM doesn't 
respond with any data.

I don't have a 10.x box to check with right now.

Brian


On Tue, Apr 8, 2014 at 7:01 PM, Brian Meade <[email protected]> wrote:
Here's what I found testing against 9.1.2.10000.28 with a slightly modified 
python script:
bmeade@ubuntu:~$ python vulnscript 10.3.11.250
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0301, length = 1012
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable

This is assuming the released script is checking for the vulnerability properly.

Brian


On Tue, Apr 8, 2014 at 5:51 PM, Brian Meade <[email protected]> wrote:
I haven't seen one.  Currently trying to run the example python script against 
one of my clusters but having some trouble.


On Tue, Apr 8, 2014 at 5:24 PM, Lelio Fulgenzi <[email protected]> wrote:
Weird. For some reason I fixated on the date beneath the entry in the search 
listing, which had 2011, which made more sense.

Do you know if there is a more recent advisory?



________________________________
From: "Brian Meade" <[email protected]>
To: "Lelio Fulgenzi" <[email protected]>
Cc: "cisco-voip voyp list" <[email protected]>
Sent: Tuesday, April 8, 2014 5:16:32 PM
Subject: Re: [cisco-voip] openSSL and heartbleed


I don't think that's the correct advisory.  That's a DoS vulnerability from 
2004.

Brian


On Tue, Apr 8, 2014 at 5:11 PM, Lelio Fulgenzi <[email protected]> wrote:
Never mind... my first search did not produce results...

http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20040317-openssl.html



________________________________
From: "Lelio Fulgenzi" <[email protected]>
To: "cisco-voip voyp list" <[email protected]>
Sent: Tuesday, April 8, 2014 5:09:01 PM
Subject: openSSL and heartbleed



Does anyone know if/when Cisco will be coming out with a security advisory 
about OpenSSL and heartbleed?

http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309






_______________________________________________
cisco-voip mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-voip
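As an added example (not code from this thread, from Cisco, or from the checker script Brian ran), here are two passive checks that follow the reasoning in Brian's 7:21 PM message: classifying an `openssl version` string against the releases that implement TLS heartbeats at all, and parsing a TLS record header and ServerHello to see whether the heartbeat extension (type 15, RFC 6520) was negotiated. Nothing here sends a heartbeat; it only reads strings and handshake bytes. The `build_server_hello` helper and its all-zero random are constructed sample data for the example; the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is the one given in the OpenSSL advisory, and the caveat that vendors backport the fix without changing the version letter is why the string check alone is never conclusive.

```python
import re
import struct

# Added example, not from the mailing-list thread: two passive checks a
# defender can run from inventory data or a saved handshake capture.

# Heartbeat support arrived in OpenSSL 1.0.1; Heartbleed (CVE-2014-0160)
# affects 1.0.1 through 1.0.1f and 1.0.2-beta1 (per the OpenSSL advisory).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")

HANDSHAKE = 22       # TLS record content type
SERVER_HELLO = 2     # handshake message type
HEARTBEAT_EXT = 15   # extension type from RFC 6520


def classify_openssl_version(version_line):
    """Classify the output of `openssl version` against the Heartbleed range.

    Distributions such as RHEL backport fixes without bumping the letter, so
    "vulnerable" here means "verify at the package level", not proof.
    """
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown: unrecognised version string"
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if base < (1, 0, 1):
        return "not affected: no heartbeat support before 1.0.1"
    if base == (1, 0, 1):
        if letter <= "f":
            return "vulnerable: 1.0.1 through 1.0.1f (unless the vendor backported the fix)"
        return "patched: 1.0.1g or later"
    if base == (1, 0, 2) and beta == "-beta1":
        return "vulnerable: 1.0.2-beta1"
    return "patched: 1.0.2-beta2 or later"


def parse_record_header(data):
    """Return (content_type, version, length) from a 5-byte TLS record header."""
    if len(data) < 5:
        raise ValueError("record header needs 5 bytes")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return content_type, (major << 8) | minor, length


def describe_record_header(data):
    """Format the header the way the checker output quoted in the thread does."""
    content_type, version, length = parse_record_header(data)
    return "type = %d, ver = %04x, length = %d" % (content_type, version, length)


def server_hello_extensions(record):
    """Return [(ext_type, ext_data), ...] from a ServerHello handshake record."""
    content_type, _version, length = parse_record_header(record)
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    pos = 2 + 32                      # server_version + random
    if pos >= len(hs):
        raise ValueError("truncated ServerHello")
    pos += 1 + hs[pos]                # session_id length + session_id
    pos += 2 + 1                      # cipher_suite + compression_method
    exts = []
    if pos + 2 > len(hs):
        return exts                   # server sent no extensions block at all
    ext_len = int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:             # each extension: type(2) length(2) data
        ext_type, data_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        exts.append((ext_type, hs[pos:pos + data_len]))
        pos += data_len
    return exts


def advertises_heartbeat(record):
    """True if the server negotiated the heartbeat extension.

    A server that never sends this extension (e.g. one built on 0.9.8) has no
    heartbeat code path, which is the point made in the thread.
    """
    return any(t == HEARTBEAT_EXT for t, _ in server_hello_extensions(record))


def build_server_hello(extensions):
    """Construct a minimal TLS 1.0 ServerHello record (sample data, not a capture)."""
    hello = b"\x03\x01" + b"\x00" * 32      # version + all-zero random (constructed)
    hello += b"\x00"                        # empty session id
    hello += b"\x00\x2f"                    # TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x00"                        # null compression
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(classify_openssl_version("OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"))
    print(describe_record_header(b"\x16\x03\x01\x03\xf4"))
    with_hb = build_server_hello([(HEARTBEAT_EXT, b"\x01")])
    print("heartbeat negotiated:", advertises_heartbeat(with_hb))
```

Run against a real box, the first check takes the `openssl version` line from the CLI and the second takes the first record of a captured handshake (the 5-byte header plus the bytes it announces); a "patched" or "not affected" verdict from the version string should still be confirmed with the vendor's advisory, since the string does not reveal backported fixes.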

