CISCO Critical Vulnerability
History:
- 18/12/2021 --- v1.0 -- Initial publication
Summary
On December 16th, CISCO updated its security advisory related to CVE-2021-44228 affecting many of its products [1]. While this CVE affects the Java logging library log4j, all products using this library are vulnerable to at least Unauthenticated Remote Code Execution [2].
Technical Details
The vulnerability exists in the Java logging library log4j. An unauthenticated remote attacker might exploit this vulnerability by sending specially crafted content to the application to execute malicious code on the server [2].
Affected products and Fixed Release
Vulnerable Product | Fixed Release (Availability) | |
---|---|---|
Cisco Webex Meetings Server | CWMS-3.0MR4SP3 patch (21 Dec 2021) CWMS-4.0MR4SP3 patch (21 Dec 2021 CWMS-3.0MR4SP2 patch (14 Dec 2021) CWMS-4.0MR4SP2 patch (14 Dec 2021) | |
Cisco CX Cloud Agent Software | 1.12.2 (available) | |
Cisco Nexus Insights | 6.0.2 (17 Dec 2021) | |
Cisco Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM) | 6.2.3 hotfix (23 Dec 2021) 6.4.0 hotfix (23 Dec 2021) 6.6.5 hotfix (23 Dec 2021) 7.0.1 hotfix (23 Dec 2021) 7.1.0 hotfix (23 Dec 2021) | |
Cisco Identity Services Engine (ISE) | 2.4 hotfix (15 Dec 2021) 2.6 hotfix (15 Dec 2021) 2.7 hotfix (15 Dec 2021) 3.0 hotfix (15 Dec 2021) 3.1 hotfix (17 Dec 2021) | |
Cisco Automated Subsea Tuning | 2.1.0 (22 Dec 2021) | |
Cisco Business Process Automation | 3.0.000.115 patch (17 Dec 2021) 3.1.000.044 patch (17 Dec 2021) 3.2.000.009 patch (17 Dec 2021) | |
Cisco CloudCenter Cost Optimizer | 5.5.2 (23 Dec 2021) | |
Cisco CloudCenter Suite Admin | 5.3.1 (23 Dec 2021) | |
Cisco CloudCenter Workload Manager | 5.5.2 (23 Dec 2021) | |
Cisco CloudCenter | 4.10.0.16 (23 Dec 2021) | |
Cisco Common Services Platform Collector (CSPC) | 2.10.0.1 (22 Dec 2021) 2.9.1.3 (22 Dec 2021) | |
Cisco Crosswork Data Gateway | 2.0.2 (21 Dec 2021) 3.0.1 (21 Dec 2021) | |
Cisco Crosswork Network Controller | 2.0.1 (22 Dec 2021) 3.0.1 (22 Dec 2021) | |
Cisco Crosswork Optimization Engine | 2.0.1 (21 Dec 2021) 3.0.1 (21 Dec 2021) | |
Cisco Crosswork Platform Infrastructure | 4.0.1 (21 Dec 2021) 4.1.1 (21 Dec 2021) | |
Cisco Crosswork Zero Touch Provisioning (ZTP) | 2.0.1 (21 Dec 2021) 3.0.1 (21 Dec 2021) | |
Cisco Cyber Vision Sensor Management Extension | 4.0.3 (22 Dec 2021) | |
Cisco DNA Spaces Connector | 2.5 (15 Dec 2021) 2.8.2 (12 Dec 2021) 2.11.0 (12 Dec 2021) 2.11.2 (12 Dec 2021) 2.13.3 (13 Dec 2021) | |
Cisco Data Center Network Manager (DCNM) | 12.0(2d) (23 Dec 2021) 11.5(3) patch (23 Dec 2021) 11.5(2) patch (23 Dec 2021) 11.5(1) patch (23 Dec 2021) 11.4(1) patch (23 Dec 2021) 11.3(1) patch (23 Dec 2021) | |
Cisco Evolved Programmable Network Manager | 5.1.3.1 patch (22 Dec 2021) 5.0.2.1 patch (13 Jan 2022) 4.1.1.1 patch (13 Jan 2022) | |
Cisco Intersight Virtual Appliance | 1.0.9-361 (20 Dec 2021) | |
Cisco Network Services Orchestrator (NSO) | nso-5.3.5.1 (17 Dec 2021) nso-5.4.5.2 (17 Dec 2021) nso-5.5.4.1 (17 Dec 2021) nso-5.6.3.1 (17 Dec 2021) | |
Cisco Nexus Dashboard, formerly Cisco Application Services Engine | 2.1.2 (23 Dec 2021) | |
Cisco Prime Service Catalog | 12.1 (20 Dec 2021) | |
Cisco Smart PHY | 3.2.1 patch (20 Dec 2021) | |
Cisco Virtual Topology System (VTS) | 2.6.7 (22 Dec 2021) | |
Cisco Virtualized Infrastructure Manager | 3.2.x patch (17 Dec 2021) 3.4.4 patch (17 Dec 2021) 3.4.6 patch (17 Dec 2021) 4.2.0 patch (17 Dec 2021) 4.2.1 patch (17 Dec 2021) | |
Cisco WAN Automation Engine (WAE) | 7.5.0.1 (22 Dec 2021) 7.4.0.1 (21 Jan 2022) 7.3.0.2 (21 Jan 2022) | |
Cisco DNA Center | 2.2.2.8 (23 Dec 2021) 2.1.2.8 (Jan 2022) 2.2.3.4 (Jan 2022) | |
Cisco IOx Fog Director | 1.14.5 patch (16 Dec 2021) 1.16.4 patch (available) | |
Cisco Network Assurance Engine | 6.0.2 (23 Dec 2021) | |
Cisco Optical Network Controller | 1.1.0 (22 Dec 2021) | |
Cisco SD-WAN vManage | 20.3.4.1 (18 Dec 2021) 20.6.2.1 (18 Dec 2021) 20.5.1.1 (18 Dec 2021) 20.4.2.1 (18 Dec 2021) | |
Cisco Integrated Management Controller (IMC) Supervisor | 2.3.2.1 (22 Dec 2021) | |
Cisco UCS Central Software | 2.0(1p) (22 Dec 2021) | |
Cisco UCS Director | 6.8.2.0 (22 Dec 2021) | |
Cisco Workload Optimization Manager | 3.2.1 (18 Dec 2021) | |
Cisco BroadWorks | 2021.11_1.162 (13 Dec 2021) ap381882 (15 Dec 2021) | |
Cisco Cloud Connect | 12.6(1): (23 Dec 2021) | |
Cisco Contact Center Domain Manager (CCDM) | 12.5(1) (16 Dec 2021) 12.6(1) (16 Dec 2021) | |
Cisco Contact Center Management Portal (CCMP) | 12.5(1) (16 Dec 2021) 12.6(1) (16 Dec 2021) | |
Cisco Emergency Responder | 11.5(4)SU9 patch (17 Dec 2021) 11.5(4)SU10 patch (17 Dec 2021) | |
Cisco Enterprise Chat and Email | 12.0(1) (17 Dec 2021) 12.5 (1) (17 Dec 2021) 12.6(1) (17 Dec 2021) | |
Cisco Finesse | 12.5(1)ES09 (17 Dec 2021) 12.6(1)ES03 (15 Dec 2021) | |
Cisco Packaged Contact Center Enterprise | 11.6 (23 Dec 2021) 12.0(1) (23 Dec 2021) 12.5(1) (23 Dec 2021) 12.6(1) (23 Dec 2021) | |
Cisco Paging Server | 14.4.2 (20 Dec 2021) | |
Cisco Unified Communications Manager / Cisco Unified Communications Manager Session Management Edition | 11.5(1)SU7 (16 Dec 2021) 11.5(1)SU8 patch (16 Dec 2021) 11.5(1)SU9 patch (16 Dec 2021) 11.5(1)SU10 patch (16 Dec 2021) | |
Cisco Unified Communications Manager IM & Presence Service | 11.5(1)SU7 patch (17 Dec 2021) 11.5(1)SU8 patch (17 Dec 2021) 11.5(1)SU9 patch (17 Dec 2021) 11.5(1)SU10 patch (17 Dec 2021) | |
Cisco Unified Contact Center Enterprise - Live Data server | 11.6(1)23 (24 Dec 2021) 12.0(1)ES18 (24 Dec 2021) 12.5(1)ES13 (24 Dec 2021) 12.6(1)ES03 (17 Dec 2021) | |
Cisco Unified Contact Center Enterprise | 11.6(2) (23 Dec 2021) 12.0(1) (23 Dec 2021) 12.5(1) (23 Dec 2021) 12.6(1) (23 Dec 2021) | |
Cisco Unified Contact Center Express | 12.5(1)SU1 ES03 (23 Dec 2021) | |
Cisco Unified Customer Voice Portal | 11.6 (24 Dec 2021) 12.0(1) (24 Dec 2021) 12.5(1) (17 Dec 2021) 12.6(1) (17 Dec 2021) | |
Cisco Unified Intelligence Center | 12.6(1)ES03 (17 Dec 2021) | |
Cisco Unified SIP Proxy Software | 10.2.1v2 (23 Dec 2021) | |
Cisco Unified Workforce Optimization | 11.5(1) SR7 (20 Dec 2021) | |
Cisco Unity Connection | 11.5(1)SU7 patch (17 Dec 2021) 11.5(1)SU8 patch (17 Dec 2021) 11.5(1)SU9 patch (17 Dec 2021) 11.5(1)SU10 patch (17 Dec 2021) | |
Cisco Virtualized Voice Browser | 12.5(1) (17 Dec 2021) 12.6(1) (17 Dec 2021) | |
Cisco Video Surveillance Operations Manager | 7.14.4 (16 Dec 2021) | |
Cisco Connected Mobile Experiences (CMX) | 10.6.3-70 patch (16 Dec 2021) 10.6.3-105 patch (16 Dec 2021) 10.6.2-89 patch (16 Dec 2021) | -105 patch (16 Dec 2021 10.6.2-89 patch (16 Dec 2021) |
Recommendations
CERT-EU recommends applying the patches, or upgrading the products as soon as possible. Refer to the table in [Affected products and Fixed Release] section and to details provided by CISCO in [1] to find the fixed release of each product.
References
[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
[2] https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-067.pdf