THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 27-Feb-14 | Initial Release |
10.0 | 16-Nov-17 | Migration to new field notice system |
10.1 | 14-Jan-19 | Fixed Broken Image Links and Updated the Defect Information Section |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | Quality Management Software | Ver 10 | 10.5(1) | |
NON-IOS | Quality Management Software | Ver 8 | 8.5(2)_SR2, 8.5(2)_SR1, 8.5(2) | |
NON-IOS | Quality Management Software | Ver 9 | 9.0(1)_SR4, 9.0(1)_SR3 | |
Defect ID | Headline |
---|---|
CSCvf34445 | There were no defects filed with this field notice at the time of publication. |
As of Java Standard Edition (SE) 6 update 45 and Java SE 7 update 45, JavaScript code that calls code within a privileged applet is treated as mixed code, and warning dialogs are raised if the signed .JAR files are not tagged with the Trusted-Library attribute.
In Java SE 7 update 51, Java again changed the 'Permissions Attribute.'
Cisco code was implemented to account for this additional Java security. The Workaround/Solution section contains a list of versions where the issue will be corrected. This is part of a continued response to Java security issues that have recently been raised.
7u45 Caller-Allowable-Codebase and Trusted-Library
Manifest Attribute | 7u45 | 7u40 and Below |
---|---|---|
Only Caller-Allowable-Codebase | No dialog | Displays prompt |
Only Trusted-Library | Displays prompt | No dialog |
Both | Displays prompt * | No dialog |

* This will be fixed in a future release so that both attributes can co-exist.
Known Issues (From Oracle)
Area: Deployment/Plugin
Synopsis: Caller-Allowable-Codebase may be ignored when used with Trusted-Library.
If a trusted, signed JAR file is using the Caller-Allowable-Codebase manifest attribute along with Trusted-Library, then the Caller-Allowable-Codebase manifest entry will be ignored. As a result, a JavaScript -> Java call will show the native LiveConnect warning. The workaround is to remove the Trusted-Library manifest entry.
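To check which row of the table above a deployed applet JAR falls into, the following added example (not Cisco or Oracle code) reads the JAR's main manifest section, including wrapped continuation lines, and reports the expected dialog behaviour. The function names, the `cac_ignored` flag, and the `qm.example.test` host are assumptions made for illustration.

```python
import io
import zipfile

# Dialog behaviour copied from the table above: (has Caller-Allowable-Codebase, has Trusted-Library).
DIALOGS = {
    (True, False): {"7u45": "No dialog", "7u40 and below": "Displays prompt"},
    (False, True): {"7u45": "Displays prompt", "7u40 and below": "No dialog"},
    (True, True): {"7u45": "Displays prompt", "7u40 and below": "No dialog"},
}

def parse_main_attributes(manifest_text):
    """Return the main-section attributes of a JAR manifest as a dict."""
    attrs, name = {}, None
    for line in manifest_text.splitlines():
        if not line:                        # blank line ends the main section
            break
        if line.startswith(" ") and name:   # continuation of a wrapped value
            attrs[name] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            name = key.strip().lower()      # attribute names are case-insensitive
            attrs[name] = value.lstrip(" ")
    return attrs

def audit_jar(jar):
    """Report the LiveConnect-related attributes of one JAR (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = parse_main_attributes(text)
    cac = attrs.get("caller-allowable-codebase")
    trusted = attrs.get("trusted-library", "").strip().lower() == "true"
    return {
        "caller_allowable_codebase": cac,
        "trusted_library": trusted,
        "dialogs": DIALOGS.get((cac is not None, trusted)),  # None: neither attribute set
        "cac_ignored": cac is not None and trusted,          # the Oracle known issue
    }

def build_sample_jar(extra_lines):
    """Constructed sample: an in-memory JAR that holds only a manifest."""
    manifest = "Manifest-Version: 1.0\r\n" + "".join(l + "\r\n" for l in extra_lines) + "\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(audit_jar(build_sample_jar(["Caller-Allowable-Codebase: qm.example.test", "Trusted-Library: true"])))
```

`audit_jar` also accepts a file path, so it can be run over the JAR files an application actually serves.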
When one of the above applications is run in a browser, the user receives a new security warning similar to this:
Figure 1: Java 6 Security Warning
Click the More Information link in order to bring up this panel:
Figure 2: More Information Overview
Figure 3: Java 7 Security Warning
If the user is running Java 7 and chooses the Block option, the application will not run properly and the entire browser may lock up.
Defect Number: QM-5111: Issue with the new Java Release. This is the parent defect; this table details other affected versions.
Product | Version (where it will be fixed) | Vendor Bug # |
---|---|---|
WFO-QM | Cisco 8.5 SR2 ES5 | QM-5111 |
WFO-QM | Cisco 9.0 SR4 ES6 | QM-5111 |
WFO-QM | Cisco 10.0(1) ES3 | QM-5111 |
How to Verify
For WFO-QM, the easiest way to verify this issue is to click the Validate my PC configuration link on the Workforce Optimization login page, and look for the above security warning.
You can also open the Java application under Control Panel, and inspect the version.
Additional Resources Regarding Java Changes
Mixing Privileged Code and Sandbox Code
7u45 Caller-Allowable-Codebase and Trusted-Library
Update 51 release notes, which describe the 'Permission Attribute' changes
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: