This document provides installation instructions for Unified CCE 12.5(1) ES20. It also contains a list of Unified CCE issues resolved by this engineering special. Review all installation information before installing the product. Failure to install this engineering special as described can result in inconsistent Unified CCE behavior.
This document contains these sections:
In the Product
Alert Tool, you can set up profiles to receive email notification of new
Field Notices, Product Alerts, or End of Sale information for your selected
products.
The Product
Alert Tool is available at https://www.cisco.com/cisco/support/notifications.html.
Ghostcat vulnerability (CVE-2020-1938) which allows remote code execution in
certain condition where tomcat listens on port 8009 for all external IP
addresses. ICM applications are not found to be vulnerable since it uses
reverse proxy where IIS intercepts all external requests and redirects to
tomcat which listens only on local IP address for port 8009. However, for those
who are impacted with this vulnerability where Tomcat listens on port 8009 for
all external addresses, Apache has made changes to default behavior by updating
Server.xml to include a new field called 'secretRequired'
with default value as "true". This breaks even the
web-applications that are not impacted by Ghostcat since they don't provision
option to provide secret in external requests. Apache Tomcat updates are
cumulative in nature and any future minor update for Tomcat is not possible
without change to Server.xml file of Tomcat. This proactive ES will facilitate
future updates to Tomcat by Customers using Cisco provided Tomcat Upgrade Utility
by delivering the Cisco customizer server.xml along with options to support ES
rollback if required so that web-apps continue to work even after any ES
uninstallation.
Background:
·
12.5(1) Shipped with Tomcat 9.0.21.
·
Tomcat 9.0.21 is vulnerable to Ghostcat
(CVE-2020-1938) and is fixed with Tomcat 9.0.31 onwards.
·
Customers were recommended to use Cisco provided
'Tomcat Upgrade Utility' for minor version upgrade.
For customers in older release where
defect CSCvt31436 fix is not available, A field notice is
provided with problem description and work-around: https://www.cisco.com/c/en/us/support/docs/field-notices/705/fn70542.html.
Though the field notice talks about Tomcat 7, it applies to Tomcat 9 as
well.
After using utility to upgrade Tomcat, manual steps were provided to
update required Server.xml and get things working. However still an issue
remained opened CSCvt60447(websetup
throwing error after patch uninstall). Customer would potentially hit this when
they uninstall a ES on older release where manual work-around is applied post
tomcat upgrade.
THIS ES WILL DELIVER CUSTOM SERVER.XML SO THAT CUSTOMERS DON’T
NEED TO MANUALLY MODIFY THEM AS SPECIFIED IN FIELD NOTICE. ALSO IT WILL FIX ANY
ES UNINSTALATION ISSUES RELATED TO SERVER.XML FILE.
TOMCAT UPGRADE UTILITY POSTED AT CCO FOR
12.0(1) CAN BE USED FOR MINOR VERSION UPGRADE.
IF A CUSTOMER HAS APPLIED MANUL WORKAROUND AS INDICATED IN FIELD NOTICE,
CUSTOMER SHOULD STILL APPLY THIS ES. IT WILL RESOLVE THE UNINSTALL ISSUE.
12.5(1)
This section lists the Unified CCE
components on which you can and cannot install this engineering special.
You can install Unified CCE 12.5(1) ES20 on these Unified CCE
components:
·
AW, Router, Logger, PG – all CCE machines
which has tomcat installed.
Do not install this engineering special
on the following components:
·
Admin client machine.
Installation
of this patch requires the all CCE services to be shut down during the entire
period of installation. It is always recommended to install this ES during a
scheduled downtime.
Note: Remove patches in the reverse order of their installation. For example, if you installed patches 3, then 5, then 10 for a product, you must uninstall patches 10, 5, and 3, in that order, to remove the patches from that product.
This section provides a list of significant Unified CCE defects resolved by this engineering special. It contains these subsections:
Note: You can view more information on and track individual Unified CCE defects using the Cisco Bug Search tool, located at: https://bst.cloudapps.cisco.com/bugsearch/search?null.
This section lists caveats specifically resolved by Unified CCE 12.5(1) ES20.
Caveats in this section are ordered by UNIFIED CCE component, severity, and then identifier.
|
Identifier |
Severity |
Component |
Headline |
|
CSCvt31436 |
2 |
web.setup |
CCE
- Upgrading tomcat to version 7.0.100 or greater breaks cceadmin
and websetup |
|
CSCvt60447 |
3 |
web.setup |
websetup
throwing error after patch uninstall |
Caveats are ordered by severity then defect number.
Defect Number: CSCvt31436
Component: web.setup
Severity: 2
Headline: CCE - Upgrading tomcat to version 7.0.100 or greater breaks cceadmin and websetup
Symptom: cceadmin and websetup page doesnot
load post Tomcat Upgrade 7.0.99 and above on CCE 11.6.
Conditions: It gives the following error. HTTP Error 500.0 - Internal
Server Error Calling LoadLibraryEx on ISAPI filter
"C:\icm\tomcat\bin\i386\isapi_redirect.dll" failed
Workaround:
https://www.cisco.com/c/en/us/support/docs/field-notices/705/fn70542.html
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has
evaluated this issue and determined it does not meet the criteria for PSIRT
ownership or involvement. This issue will be addressed via normal resolution
channels. If you believe that there is new information that would cause a
change in the severity of this issue, please contact psirt@cisco.com for
another evaluation. Additional information on Cisco''s
security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Getting
the Patch: The following links take you to an emergency patch, called an
Engineering Special or ES. These emergency patches are meant for deployments
that are actively encountering a specific problem and cannot wait for a formal
release to include a fix. An ES receives limited testing compared to a formal
release. Installing an ES on a production system poses a risk of instability
due to that limited testing. If you are not directly experiencing this problem,
wait to install a major, minor, or maintenance release that includes the fix
for this issue. If you experience this problem and cannot wait for a later
formal release, select the ES that matches the base release of your deployment.
The base release is the front part of the ES name. Only install an ES that
matches the release that your deployment runs. Always read the release notes or
Readme file before running the patch installer.
Defect Number: CSCvt60447
Component: web.setup
Severity: 3
Headline: websetup throwing error after patch uninstall
$$PREFCS
Symptom: websetup throwing error after patch uninstall
Conditions:
Workaround:
Further Problem Description: seeing this as an issue from Patch ICM patch Getting
the Patch: The following links take you to an emergency patch, called an
Engineering Special or ES. These emergency patches are meant for deployments
that are actively encountering a specific problem and cannot wait for a formal
release to include a fix. An ES receives limited testing compared to a formal
release. Installing an ES on a production system poses a risk of instability
due to that limited testing. If you are not directly experiencing this problem,
wait to install a major, minor, or maintenance release that includes the fix
for this issue. If you experience this problem and cannot wait for a later
formal release, select the ES that matches the base release of your deployment.
The base release is the front part of the ES name. Only install an ES that
matches the release that your deployment runs. Always read the release notes or
Readme file before running the patch installer.
You can access current Cisco documentation on the Support pages at the following sites:
To provide comments about this document, send an email message to the following address:
contactcenterproducts_docfeedback@cisco.com
We appreciate your comments.
Cisco.com is a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC site.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. You can also resolve technical issues with online technical support and download software packages. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
The Cisco TAC site is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to https://www.cisco.com/c/en/us/support/index.html.
P3 and P4 level problems are defined as follows:
In each of the above cases, use the Cisco TAC site to quickly find answers to your questions.
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following site: https://mycase.cloudapps.cisco.com/create/start/
If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following sites:
P1 and P2 level problems are defined as follows: