Cisco UC Shellshock Shocktober Update!

So by now you’re probably aware of the Shellshock BASH bug that is sweeping the interwebs and causing panic across the globe. OK, that might be an exaggeration, but it is getting quite a bit of media attention. If somehow you are not aware of Shellshock, here’s a good explanation from Ars Technica about it. For reference, this is identified as CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, and CVE-2014-7169.

For those of you that know about it, here’s how it pertains to a Cisco UC environment. Here’s the Cisco PSIRT notification on it.

Products Affected:

  • CUCM
  • CUPS
  • UCCX
  • CUC – Unity Connection
  • VCS C/E
  • TC 7.x series endpoints

Now, why Cisco isn’t updating the bug IDs they refer to for the above products is beyond me, but here’s the gem I figured out this morning: the following products all use the same COP.SGN file to patch them.

  • CUCM
  • CUPS
  • UCCX
  • CUC

Go ahead and download the COP file here (valid CCO required). Also check that your version of software is covered in the original PSIRT notice. For VCS, head over to here (fixed in X8.2.2), and for the endpoints, here (fixed in X7.2.1).

Thankfully, the updates to all the UCM / CUPS / UCCX / CUC systems can be done online without a reboot. Remember to do each node in your cluster. The VCS / video endpoint patches do require a reboot, but hopefully those are less critical than call processing.

There you have it, everything you need to patch your Cisco UC Environment for Shellshock. Happy patching!

Permanent link to this article: https://tripplehelix.net/cisco-uc-shellshock-shocktober-update/
