Field Notice: FN70542 - Unified Contact Center Enterprise - Tomcat Upgrade to Resolve CVE-2020-1938 Breaks Cceadmin and Websetup Page - Software Upgrade Recommended
Available Languages
Notice
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Products Affected
| Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|
| Unified Contact Center Enterprise Virtual Machine Templates | 10 | 10.5 | |
| Unified Contact Center Enterprise Virtual Machine Templates | 11 | 11.0, 11.6 |
Defect Information
| Defect ID | Headline |
| CSCvt31436 | CCE - Upgrading tomcat to version 7.0.100 or greater breaks cceadmin and websetup |
Problem Description
An upgrade to Apache Tomcat on Unified Contact Center Enterprise (Unified CCE) components breaks the cceadmin and websetup page. This error message is given:
HTTP Error 500.0 - Internal Server Error Calling LoadLibraryEx on ISAPI filter "C:\icm\tomcat\bin\i386\isapi_redirect.dll" failed
This is a mandatory upgrade to address the vulnerability described in CVE-2020-1938. It might not be an option to revert back to an older Tomcat version.
Background
Tomcat version 7.0.100 or greater.
This error is given:
HTTP Error 500.0 - Internal Server Error Calling LoadLibraryEx on ISAPI filter "C:\icm\tomcat\bin\i386\isapi_redirect.dll" failed
Problem Symptom
The cceadmin and websetup page does not load after an upgrade to Tomcat 7.0.99 and later on Unified CCE 11.6.
Workaround/Solution
Workaround 1. Provide Permissions
The permissions message states:
C:\icm\tomcat folder does not have enough permissions.
In order to provide enough permissions in the Tomcat directory and subdirectories, complete these steps:
- In Tomcat, inherit the security permissions:
- Right-click the Tomcat folder.
- Choose Security > Advanced.
- Click Enable Inheritance.
- Click Apply.
- Stop Tomcat and modify these files:
-
<install_drive>:\icm\tomcat\conf\server.xml
-
<install_drive>:\icm\ssl\cfg\server-iis.xml
-
<install_drive>:\icm\bin\server.xml.IIS.custom
In each file, replace this line:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" maxPostSize="5242880" />with this line:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" maxPostSize="5242880" secretRequired="false" allowedRequestAttributesPattern=".*" /> -
Workaround 2. Security Patch
Roll back the Tomcat security patch.
Workaround 3. Apply Patch
Available patches:
Revision History
| Version | Description | Section | Date |
| 1.2 | Removed link and reference to 11.6(2)ES54 because this ES is no longer available and 11.6 is end of support. | Workaround/Solution | 2024-DEC-19 |
| 1.1 | Updated the Workaround/Solution section. | Workaround/Solution | 2021-AUG-17 |
| 1.0 | Initial Release | — | 2020-MAY-07 |
For More Information
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
Receive Email Notification About New Field Notices
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)
This Document Applies to These Products
Unleash the Power of TAC's Virtual Assistance