THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments
---|---|---
1.0 | 12-Mar-21 | Initial Release
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments
---|---|---|---|---
NON-IOS | Application Patches | 22.0 | 22.0.2019.09, 22.0.2019.10, 22.0.2019.11, 22.0.2019.12, 22.0.2020.01, 22.0.2020.02, 22.0.2020.03, 22.0.2020.04, 22.0.2020.05, 22.0.2020.06, 22.0.2020.07, 22.0.2020.08, 22.0.2020.09, 22.0.2020.10, 22.0.2020.11, 22.0.2020.12, 22.0.2021.01 | Cisco Broadworks R22
NON-IOS | Application Patches | 23.0 | 23.0.2019.09, 23.0.2019.10, 23.0.2019.11, 23.0.2019.12, 23.0.2020.01, 23.0.2020.02, 23.0.2020.03, 23.0.2020.04, 23.0.2020.05, 23.0.2020.06, 23.0.2020.07, 23.0.2020.08, 23.0.2020.09, 23.0.2020.10, 23.0.2020.11, 23.0.2020.12, 23.0.2021.01 | Cisco Broadworks R23
NON-IOS | Application Patches | 24.0 | 24.0.2020.07, 24.0.2020.08, 24.0.2020.09, 24.0.2020.10, 24.0.2020.11, 24.0.2020.12, 24.0.2021.01 | Cisco Broadworks R24
Defect ID | Headline |
---|---|
CSCvx13555 | [BW Eng] OCI-P Login Request has security issue |
When logging in to a Cisco BroadWorks Application Server with an Open Client Interface - Provisioning (OCI-P) request over the OpenClientServer or OCIOverSoap, it is possible for users with an invalid password to successfully authenticate and log in.
On 2019-09-19, patch ap366656 was released for Cisco BroadWorks; it introduced a password authentication vulnerability that affects OCI-P requests received over OpenClientServer or OCIOverSoap. The vulnerability was also carried into Release 24 when that release became available in July 2020.
This vulnerability was discovered internally by Cisco Engineering. At this time Cisco is not aware of any instances of this vulnerability being exploited in production systems.
This vulnerability cannot be detected from the Application Server logs, because the login is recorded as a successful authentication.
These patches are now available and must be applied in order to correct the issue:

- Release 22
- Release 23
- Release 24
The version of BroadWorks that is currently deployed, as well as the patches that are activated, can be checked by executing the `get versions all` command from the CLI. Section 8.2 of the Cisco Broadworks Maintenance Guide describes how to check the patch level and how to apply and activate BroadWorks patches.
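The following is an added example, not Cisco's code and not part of this field notice, that turns the affected-release table above into a triage check an operator can run over a fleet inventory. It takes the release number string as reported by the CLI (for example `22.0.2020.05`); the full output format of `get versions all` is not shown in the notice, so the example does not parse that output. It generalizes the table slightly by treating each release's listed patch levels as one contiguous monthly window (which matches the table exactly: R22 and R23 list every month from 2019.09 to 2021.01, R24 every month from 2020.07 to 2021.01); anything outside those windows, including later patch levels, is reported as not listed.

```python
"""Triage BroadWorks patch levels against the CSCvx13555 affected-release table.

Added example, not Cisco's code. Input values are release number strings of the
form MAJOR.MINOR.YYYY.MM as they appear in the field notice's table.
"""
import re

# Inclusive (first, last) affected (year, month) per major release, taken from
# the field notice's "Affected Release Number" column.
AFFECTED_WINDOWS = {
    22: ((2019, 9), (2021, 1)),
    23: ((2019, 9), (2021, 1)),
    24: ((2020, 7), (2021, 1)),
}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d{4})\.(\d{2})$")


def parse_release_number(text):
    """Split 'MAJOR.MINOR.YYYY.MM' into a (major, minor, year, month) tuple.

    Raises ValueError for anything that does not match the documented shape,
    so a garbled inventory entry is never silently treated as 'not affected'.
    """
    match = _RELEASE_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised release number: {text!r}")
    major, minor, year, month = (int(part) for part in match.groups())
    if not 1 <= month <= 12:
        raise ValueError(f"invalid month in release number: {text!r}")
    return major, minor, year, month


def is_affected(release_number):
    """True if the patch level falls inside a window listed in the notice."""
    major, minor, year, month = parse_release_number(release_number)
    window = AFFECTED_WINDOWS.get(major)
    if window is None or minor != 0:
        return False
    first, last = window
    return first <= (year, month) <= last


def triage(inventory):
    """Map each (hostname, release_number) pair to a verdict.

    Verdicts: 'affected', 'not listed', or 'unparseable'. Unparseable entries
    are kept in the result so they show up for manual follow-up.
    """
    verdicts = {}
    for host, release_number in inventory:
        try:
            verdicts[host] = "affected" if is_affected(release_number) else "not listed"
        except ValueError:
            verdicts[host] = "unparseable"
    return verdicts


# Constructed sample inventory (hostnames are placeholders, not real systems).
SAMPLE_INVENTORY = [
    ("as-lab-01", "22.0.2020.05"),  # inside the R22 window
    ("as-lab-02", "24.0.2020.06"),  # one month before the R24 window opens
    ("as-lab-03", "24.0.2020.07"),  # first affected R24 patch level
    ("as-lab-04", "23.0.2021.02"),  # after the last listed R23 patch level
    ("as-lab-05", "21.0.2020.01"),  # release not covered by the notice
    ("as-lab-06", "23.0.2020"),     # truncated entry, flagged for follow-up
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

A verdict of "not listed" means only that the patch level is not in the notice's table; confirm the actual patch state with `get versions all` and the fix patches for the relevant release before treating a server as clear.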
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: