Thanks so much for the update.

Sent from my iPhone

On 2014-04-10, at 10:08 PM, "Wes Sisk (wsisk)" <[email protected]> wrote:

> Lelio,
>
> UCM information should be clear in the next update.
>
> -Wes
>
> From: Lelio Fulgenzi [[email protected]]
> Sent: Thursday, April 10, 2014 7:24 PM
> To: Wes Sisk (wsisk)
> Cc: Brian Meade; cisco-voip voyp list
> Subject: Re: [cisco-voip] openSSL and heartbleed
>
> Thanks Wes.
>
> I can imagine the amount of work involved in figuring all this out.
>
> My comment was more towards the verbiage included in the advisory.
>
> That is, does "Unified Communications Server 9.2" refer to "Unified
> Communications Manager"?
>
> I only ask because I've made assumptions like this in the past only to be
> surprised.
>
> Sent from my iPhone
>
> On 2014-04-10, at 6:27 PM, "Wes Sisk (wsisk)" <[email protected]> wrote:
>
>> Jumping in -
>>
>> Updates are WIP Lelio. My expectation, as of timestamp of this email, is
>> that UCM 9.x may not be affected. 10.x may be affected.
>>
>> We are still validating.
>>
>> -Wes
>> From: cisco-voip [[email protected]] on behalf of Lelio
>> Fulgenzi [[email protected]]
>> Sent: Thursday, April 10, 2014 4:47 PM
>> To: Brian Meade
>> Cc: cisco-voip voyp list
>> Subject: Re: [cisco-voip] openSSL and heartbleed
>>
>> Brian,
>>
>> In reading the advisory, it's not clear if Communication Manager v9 and
>> earlier is addressed. There is something called Cisco Unified Communication
>> Server (UCM) 9.2 and earlier, but that's confusing because it's not the name
>> and there is no v9.2 available.
>>
>> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
>>
>> Any chance on getting this cleared up?
>>
>> Lelio
>>
>> ---
>> Lelio Fulgenzi, B.A.
>> Senior Analyst, Network Infrastructure
>> Computing and Communications Services (CCS)
>> University of Guelph
>>
>> 519‐824‐4120 Ext 56354
>> [email protected]
>> www.uoguelph.ca/ccs
>> Room 037, Animal Science and Nutrition Building
>> Guelph, Ontario, N1G 2W1
>>
>> From: "Brian Meade" <[email protected]>
>> To: "Lelio Fulgenzi" <[email protected]>
>> Cc: "cisco-voip voyp list" <[email protected]>
>> Sent: Tuesday, April 8, 2014 7:49:18 PM
>> Subject: Re: [cisco-voip] openSSL and heartbleed
>>
>> Should all be the same underlying OS. 10.x would be the only one I'd worry
>> about until someone can check if it is vulnerable since it may have a newer
>> openssl version.
>>
>> On Apr 8, 2014 7:34 PM, "Lelio Fulgenzi" <[email protected]> wrote:
>>> Thanks Brian.
>>>
>>> Can we assume that ELM and UCCx is also not affected? Same 9.x train.
>>>
>>> Sent from my iPhone
>>>
>>> On 2014-04-08, at 7:21 PM, Brian Meade <[email protected]> wrote:
>>>
>>> Here we can see CUCM does not respond to the Heartbeat Request with any
>>> data:
>>> <image.png>
>>>
>>> For the root inclined, we can find what openssl version is running:
>>> [root@CUCM912 ~]# openssl version
>>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>>>
>>> This new heartbeat bug isn't valid as OpenSSL didn't even implement
>>> responding to the Heartbeat Requests until version 1.0.1. This is why CUCM
>>> doesn't respond with any data.
>>>
>>> I don't have a 10.x box to check with right now.
>>>
>>> Brian
>>>
>>> On Tue, Apr 8, 2014 at 7:01 PM, Brian Meade <[email protected]> wrote:
>>>> Here's what I found testing against 9.1.2.10000.28 with a slightly
>>>> modified python script:
>>>> bmeade@ubuntu:~$ python vulnscript 10.3.11.250
>>>> Connecting...
>>>> Sending Client Hello...
>>>> Waiting for Server Hello...
>>>> ... received message: type = 22, ver = 0301, length = 1012
>>>> Sending heartbeat request...
>>>> Unexpected EOF receiving record header - server closed connection
>>>> No heartbeat response received, server likely not vulnerable
>>>>
>>>> This is assuming the released script is checking for the vulnerability
>>>> properly.
>>>>
>>>> Brian
>>>>
>>>> On Tue, Apr 8, 2014 at 5:51 PM, Brian Meade <[email protected]> wrote:
>>>>> I haven't seen one. Currently trying to run the example python script
>>>>> against one of my clusters but having some trouble.
>>>>>
>>>>> On Tue, Apr 8, 2014 at 5:24 PM, Lelio Fulgenzi <[email protected]> wrote:
>>>>>> weird. for some reason i fixated on the date beneath the entry in the
>>>>>> search listing which had 2011, which made more sense.
>>>>>>
>>>>>> do you know if there is a more recent advisory?
>>>>>>
>>>>>> ---
>>>>>> Lelio Fulgenzi, B.A.
>>>>>> Senior Analyst, Network Infrastructure
>>>>>> Computing and Communications Services (CCS)
>>>>>> University of Guelph
>>>>>>
>>>>>> 519‐824‐4120 Ext 56354
>>>>>> [email protected]
>>>>>> www.uoguelph.ca/ccs
>>>>>> Room 037, Animal Science and Nutrition Building
>>>>>> Guelph, Ontario, N1G 2W1
>>>>>>
>>>>>> From: "Brian Meade" <[email protected]>
>>>>>> To: "Lelio Fulgenzi" <[email protected]>
>>>>>> Cc: "cisco-voip voyp list" <[email protected]>
>>>>>> Sent: Tuesday, April 8, 2014 5:16:32 PM
>>>>>> Subject: Re: [cisco-voip] openSSL and heartbleed
>>>>>>
>>>>>> I don't think that's the correct advisory. That's a DoS vulnerability
>>>>>> from 2004.
>>>>>>
>>>>>> Brian
>>>>>>
>>>>>> On Tue, Apr 8, 2014 at 5:11 PM, Lelio Fulgenzi <[email protected]> wrote:
>>>>>>> nevermind... my first search did not produce results...
>>>>>>>
>>>>>>> http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20040317-openssl.html
>>>>>>>
>>>>>>> ---
>>>>>>> Lelio Fulgenzi, B.A.
>>>>>>> Senior Analyst, Network Infrastructure
>>>>>>> Computing and Communications Services (CCS)
>>>>>>> University of Guelph
>>>>>>>
>>>>>>> 519‐824‐4120 Ext 56354
>>>>>>> [email protected]
>>>>>>> www.uoguelph.ca/ccs
>>>>>>> Room 037, Animal Science and Nutrition Building
>>>>>>> Guelph, Ontario, N1G 2W1
>>>>>>>
>>>>>>> From: "Lelio Fulgenzi" <[email protected]>
>>>>>>> To: "cisco-voip voyp list" <[email protected]>
>>>>>>> Sent: Tuesday, April 8, 2014 5:09:01 PM
>>>>>>> Subject: openSSL and heartbleed
>>>>>>>
>>>>>>> Does anyone know if/when Cisco will be coming out with a security
>>>>>>> advisory about Open SSL and heartbleed?
>>>>>>>
>>>>>>> http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309
>>>>>>>
>>>>>>> ---
>>>>>>> Lelio Fulgenzi, B.A.
>>>>>>> Senior Analyst, Network Infrastructure
>>>>>>> Computing and Communications Services (CCS)
>>>>>>> University of Guelph
>>>>>>>
>>>>>>> 519‐824‐4120 Ext 56354
>>>>>>> [email protected]
>>>>>>> www.uoguelph.ca/ccs
>>>>>>> Room 037, Animal Science and Nutrition Building
>>>>>>> Guelph, Ontario, N1G 2W1
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> cisco-voip mailing list
>>>>>>> [email protected]
>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-voip
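
Added example, not part of the thread and not Cisco or OpenSSL code: the `openssl version` check discussed above, turned into a triage over several hosts. The status labels, host names and all banners except the 0.9.8e one are constructed, and the affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g) is taken from the upstream OpenSSL advisory rather than from the thread.

```python
import re

# Heartbeat support first shipped in OpenSSL 1.0.1 (as the thread notes).
# Assumption not stated in the thread: per the upstream OpenSSL advisory,
# 1.0.1 through 1.0.1f are affected and 1.0.1g carries the fix.
HEARTBEAT_BASE = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")


def parse_banner(banner):
    """Split `openssl version` output into ((major, minor, fix), letter, tag)."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % (banner,))
    major, minor, fix, letter, tag = m.groups()
    return (int(major), int(minor), int(fix)), letter, tag or ""


def triage(banner):
    """Return a hypothetical status label for one host's version banner."""
    base, letter, tag = parse_banner(banner)
    if base < HEARTBEAT_BASE:
        return "no-heartbeat-code"        # e.g. the 0.9.8e build in the thread
    if base > HEARTBEAT_BASE:
        return "later-branch-not-judged"  # outside what this sketch covers
    if letter > LAST_AFFECTED_LETTER:
        return "fixed-upstream"
    if tag:
        # Vendor builds (fips, rhel...) can backport a fix without changing
        # the letter, so the banner alone cannot clear or condemn them.
        return "affected-unless-backported"
    return "affected"


# Constructed inventory; only the first banner appears in the thread.
SAMPLE_INVENTORY = {
    "cucm-9x": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
    "host-a": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "host-b": "OpenSSL 1.0.1f 6 Jan 2014",
    "host-c": "OpenSSL 1.0.1g 7 Apr 2014",
}


def triage_inventory(inventory):
    return {host: triage(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print("%-8s %s" % (host, status))
```

A banner check like this narrows down which hosts need the package changelog or the vendor advisory; it does not replace either for vendor-patched builds.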
