Release Notes
Identifier: CSCup22629
Description:
Symptom:
The following Cisco products:
Cisco TelePresence Server 8710 / 7010
Cisco TelePresence Server on Media 3x0
Cisco TelePresence Server on Virtual Machine
include a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:
CVE-2014-0195 - DTLS invalid fragment vulnerability
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-0224 - SSL/TLS MITM vulnerability
CVE-2014-3470 - Anonymous ECDH denial of service
This bug has been opened to address the potential impact on this product.
Conditions:
HTTPS or SIP/TLS in use. For CVE-2014-3470 to apply, certificate verification for outbound connections must not have been enabled.
Workaround:
Only CVE-2014-3470 can be avoided, by setting up trust stores and enabling certificate verification for outbound connections; this disables the anonymous cipher suites. No workaround is available for the other vulnerabilities.
Further Problem Description:
Affected TS versions: 2.3(1.55), 2.3(1.57), 2.3(1.58), 3.0(2.24), 3.0(2.46), 3.0(2.48), 3.0(2.49), 3.1(1.80), 3.1(1.82), 3.1(1.95), 3.1(1.96), 3.1(1.97), 3.1(1.98), 4.0(1.57)
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 10/9.5:
https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
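The workaround above comes down to one property of outbound TLS connections: the peer must be authenticated, so the anonymous ECDH/DH suites that CVE-2014-3470 depends on are never negotiable. The following Python script is an added example, not Cisco's code or the TelePresence Server's own configuration; it builds a client context in the vulnerable condition (no certificate verification, OpenSSL cipher string "ALL") beside a hardened one (trust store loaded, verification required, aNULL excluded) and audits each for anonymous suites. The trust_store path parameter is an assumption.

```python
import ssl
from typing import Dict, List, Optional


def anonymous_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled cipher suites that offer no peer authentication (Au=None)."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c.get("auth") == "auth-null" or "Au=None" in c.get("description", "")
    ]


def weak_client_context() -> ssl.SSLContext:
    """The vulnerable condition: outbound TLS with certificate verification disabled.

    OpenSSL's "ALL" cipher string admits the aNULL suites (ADH-*/AECDH-*) on builds
    that ship them, so the remote end is never authenticated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before switching to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL")
    return ctx


def hardened_client_context(trust_store: Optional[str] = None) -> ssl.SSLContext:
    """The workaround: a trust store plus mandatory verification, aNULL excluded.

    trust_store is an assumed path to a PEM CA bundle; when None the system default
    CA store is loaded so the example runs stand-alone.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and hostname check by default
    if trust_store:
        ctx.load_verify_locations(cafile=trust_store)
    else:
        ctx.load_default_certs()
    ctx.set_ciphers("HIGH:!aNULL:!eNULL")           # drop anonymous and null-encryption suites
    return ctx


def audit(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Report whether an outbound context still meets the CVE-2014-3470 condition."""
    anon = anonymous_ciphers(ctx)
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "anonymous_suites": anon,
        "exposed": ctx.verify_mode != ssl.CERT_REQUIRED or bool(anon),
    }


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, audit(ctx))
```

On the TelePresence Server itself the equivalent controls are the trust store and the outbound certificate verification setting the workaround names; the script only shows why enabling them removes the anonymous suites from play.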
Identifier: CSCuo85864
Description: In previous releases of the virtual TelePresence Server it was possible to upload a configuration file that disabled the administrator login requirement. This issue is now resolved.
Identifier: CSCuo93120
Description: In calls between a remotely managed Cisco TelePresence Server and a Cisco TelePresence endpoint running TC software that was registered to Cisco Unified Communications Manager via collaboration edge, Far End Camera Control (FECC) did not work after the endpoint performed a hold and resume. This issue is now resolved.
Cisco TelePresence Server Software Release Notes (4.0(2.8)) Page 24 of 36
Resolved issues