Security Advisory 2021-074

Release Date:

CISCO Critical Vulnerability

Download

History:

  • 18/12/2021 --- v1.0 -- Initial publication

Summary

On December 16th, CISCO updated its security advisory related to CVE-2021-44228 affecting many of its products [1]. While this CVE affects the Java logging library log4j, all products using this library are vulnerable to at least Unauthenticated Remote Code Execution [2].

Technical Details

The vulnerability exists in the Java logging library log4j. An unauthenticated remote attacker might exploit this vulnerability by sending specially crafted content to the application to execute malicious code on the server [2].

Affected products and Fixed Release

Vulnerable ProductFixed Release (Availability)
Cisco Webex Meetings ServerCWMS-3.0MR4SP3 patch (21 Dec 2021) CWMS-4.0MR4SP3 patch (21 Dec 2021 CWMS-3.0MR4SP2 patch (14 Dec 2021) CWMS-4.0MR4SP2 patch (14 Dec 2021)
Cisco CX Cloud Agent Software1.12.2 (available)
Cisco Nexus Insights6.0.2 (17 Dec 2021)
Cisco Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM)6.2.3 hotfix (23 Dec 2021) 6.4.0 hotfix (23 Dec 2021) 6.6.5 hotfix (23 Dec 2021) 7.0.1 hotfix (23 Dec 2021) 7.1.0 hotfix (23 Dec 2021)
Cisco Identity Services Engine (ISE)2.4 hotfix (15 Dec 2021) 2.6 hotfix (15 Dec 2021) 2.7 hotfix (15 Dec 2021) 3.0 hotfix (15 Dec 2021) 3.1 hotfix (17 Dec 2021)
Cisco Automated Subsea Tuning2.1.0 (22 Dec 2021)
Cisco Business Process Automation3.0.000.115 patch (17 Dec 2021) 3.1.000.044 patch (17 Dec 2021) 3.2.000.009 patch (17 Dec 2021)
Cisco CloudCenter Cost Optimizer5.5.2 (23 Dec 2021)
Cisco CloudCenter Suite Admin5.3.1 (23 Dec 2021)
Cisco CloudCenter Workload Manager5.5.2 (23 Dec 2021)
Cisco CloudCenter4.10.0.16 (23 Dec 2021)
Cisco Common Services Platform Collector (CSPC)2.10.0.1 (22 Dec 2021) 2.9.1.3 (22 Dec 2021)
Cisco Crosswork Data Gateway2.0.2 (21 Dec 2021) 3.0.1 (21 Dec 2021)
Cisco Crosswork Network Controller2.0.1 (22 Dec 2021) 3.0.1 (22 Dec 2021)
Cisco Crosswork Optimization Engine2.0.1 (21 Dec 2021) 3.0.1 (21 Dec 2021)
Cisco Crosswork Platform Infrastructure4.0.1 (21 Dec 2021) 4.1.1 (21 Dec 2021)
Cisco Crosswork Zero Touch Provisioning (ZTP)2.0.1 (21 Dec 2021) 3.0.1 (21 Dec 2021)
Cisco Cyber Vision Sensor Management Extension4.0.3 (22 Dec 2021)
Cisco DNA Spaces Connector2.5 (15 Dec 2021) 2.8.2 (12 Dec 2021) 2.11.0 (12 Dec 2021) 2.11.2 (12 Dec 2021) 2.13.3 (13 Dec 2021)
Cisco Data Center Network Manager (DCNM)12.0(2d) (23 Dec 2021) 11.5(3) patch (23 Dec 2021) 11.5(2) patch (23 Dec 2021) 11.5(1) patch (23 Dec 2021) 11.4(1) patch (23 Dec 2021) 11.3(1) patch (23 Dec 2021)
Cisco Evolved Programmable Network Manager5.1.3.1 patch (22 Dec 2021) 5.0.2.1 patch (13 Jan 2022) 4.1.1.1 patch (13 Jan 2022)
Cisco Intersight Virtual Appliance1.0.9-361 (20 Dec 2021)
Cisco Network Services Orchestrator (NSO)nso-5.3.5.1 (17 Dec 2021) nso-5.4.5.2 (17 Dec 2021) nso-5.5.4.1 (17 Dec 2021) nso-5.6.3.1 (17 Dec 2021)
Cisco Nexus Dashboard, formerly Cisco Application Services Engine2.1.2 (23 Dec 2021)
Cisco Prime Service Catalog12.1 (20 Dec 2021)
Cisco Smart PHY3.2.1 patch (20 Dec 2021)
Cisco Virtual Topology System (VTS)2.6.7 (22 Dec 2021)
Cisco Virtualized Infrastructure Manager3.2.x patch (17 Dec 2021) 3.4.4 patch (17 Dec 2021) 3.4.6 patch (17 Dec 2021) 4.2.0 patch (17 Dec 2021) 4.2.1 patch (17 Dec 2021)
Cisco WAN Automation Engine (WAE)7.5.0.1 (22 Dec 2021) 7.4.0.1 (21 Jan 2022) 7.3.0.2 (21 Jan 2022)
Cisco DNA Center2.2.2.8 (23 Dec 2021) 2.1.2.8 (Jan 2022) 2.2.3.4 (Jan 2022)
Cisco IOx Fog Director1.14.5 patch (16 Dec 2021) 1.16.4 patch (available)
Cisco Network Assurance Engine6.0.2 (23 Dec 2021)
Cisco Optical Network Controller1.1.0 (22 Dec 2021)
Cisco SD-WAN vManage20.3.4.1 (18 Dec 2021) 20.6.2.1 (18 Dec 2021) 20.5.1.1 (18 Dec 2021) 20.4.2.1 (18 Dec 2021)
Cisco Integrated Management Controller (IMC) Supervisor2.3.2.1 (22 Dec 2021)
Cisco UCS Central Software2.0(1p) (22 Dec 2021)
Cisco UCS Director6.8.2.0 (22 Dec 2021)
Cisco Workload Optimization Manager3.2.1 (18 Dec 2021)
Cisco BroadWorks2021.11_1.162 (13 Dec 2021) ap381882 (15 Dec 2021)
Cisco Cloud Connect12.6(1): (23 Dec 2021)
Cisco Contact Center Domain Manager (CCDM)12.5(1) (16 Dec 2021) 12.6(1) (16 Dec 2021)
Cisco Contact Center Management Portal (CCMP)12.5(1) (16 Dec 2021) 12.6(1) (16 Dec 2021)
Cisco Emergency Responder11.5(4)SU9 patch (17 Dec 2021) 11.5(4)SU10 patch (17 Dec 2021)
Cisco Enterprise Chat and Email12.0(1) (17 Dec 2021) 12.5 (1) (17 Dec 2021) 12.6(1) (17 Dec 2021)
Cisco Finesse12.5(1)ES09 (17 Dec 2021) 12.6(1)ES03 (15 Dec 2021)
Cisco Packaged Contact Center Enterprise11.6 (23 Dec 2021) 12.0(1) (23 Dec 2021) 12.5(1) (23 Dec 2021) 12.6(1) (23 Dec 2021)
Cisco Paging Server14.4.2 (20 Dec 2021)
Cisco Unified Communications Manager / Cisco Unified Communications Manager Session Management Edition11.5(1)SU7 (16 Dec 2021) 11.5(1)SU8 patch (16 Dec 2021) 11.5(1)SU9 patch (16 Dec 2021) 11.5(1)SU10 patch (16 Dec 2021)
Cisco Unified Communications Manager IM & Presence Service11.5(1)SU7 patch (17 Dec 2021) 11.5(1)SU8 patch (17 Dec 2021) 11.5(1)SU9 patch (17 Dec 2021) 11.5(1)SU10 patch (17 Dec 2021)
Cisco Unified Contact Center Enterprise - Live Data server11.6(1)23 (24 Dec 2021) 12.0(1)ES18 (24 Dec 2021) 12.5(1)ES13 (24 Dec 2021) 12.6(1)ES03 (17 Dec 2021)
Cisco Unified Contact Center Enterprise11.6(2) (23 Dec 2021) 12.0(1) (23 Dec 2021) 12.5(1) (23 Dec 2021) 12.6(1) (23 Dec 2021)
Cisco Unified Contact Center Express12.5(1)SU1 ES03 (23 Dec 2021)
Cisco Unified Customer Voice Portal11.6 (24 Dec 2021) 12.0(1) (24 Dec 2021) 12.5(1) (17 Dec 2021) 12.6(1) (17 Dec 2021)
Cisco Unified Intelligence Center12.6(1)ES03 (17 Dec 2021)
Cisco Unified SIP Proxy Software10.2.1v2 (23 Dec 2021)
Cisco Unified Workforce Optimization11.5(1) SR7 (20 Dec 2021)
Cisco Unity Connection11.5(1)SU7 patch (17 Dec 2021) 11.5(1)SU8 patch (17 Dec 2021) 11.5(1)SU9 patch (17 Dec 2021) 11.5(1)SU10 patch (17 Dec 2021)
Cisco Virtualized Voice Browser12.5(1) (17 Dec 2021) 12.6(1) (17 Dec 2021)
Cisco Video Surveillance Operations Manager7.14.4 (16 Dec 2021)
Cisco Connected Mobile Experiences (CMX)10.6.3-70 patch (16 Dec 2021) 10.6.3-105 patch (16 Dec 2021) 10.6.2-89 patch (16 Dec 2021)-105 patch (16 Dec 2021 10.6.2-89 patch (16 Dec 2021)

Recommendations

CERT-EU recommends applying the patches, or upgrading the products as soon as possible. Refer to the table in [Affected products and Fixed Release] section and to details provided by CISCO in [1] to find the fixed release of each product.

References

[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

[2] https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-067.pdf

We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.