[cisco-voip] Appliance OS patch info & is CM susceptible to CVE-2009-0040 ???

Ryan Ratliff rratliff at cisco.com
Thu Apr 23 10:45:35 EDT 2009


I believe the SU patches are for security updates and their release  
notes should indicate what is being patched (or point to a field  
notice if it's a bad issue).

As for which updates get included even in Windows we only patched for  
vulnerabilities that didn't require active participation by a user on  
the system.  This included most of the IE patches that required the  
user to visit a malicious web page, etc.  The reasoning is that your  
CUCM server is not intended to be browsing the web.  There will be a  
similar benchmark used for patching vulnerabilities in the linux OS  
packages.  For this particular one if you can think of a way you can  
get an application on a CUCM appliance to process a specially crafted  
png file (without root access) then this would definitely need to be  
patched.

If you need to get confirmation about any particular vulnerability  
and whether it has been or is intended to be fixed then you should  
open a TAC SR so it can be tracked (and archived).

-Ryan

On Apr 23, 2009, at 10:20 AM, paul dial wrote:

I'm hoping someone can shed some light on obtaining OS update
information for the appliance model.  Not too long ago we moved from
4.1.3 to 6.1.2 (and we've since upgraded to 6.1(3b)SU1).  With Windows
as the OS, Cisco would provide Cisco scrubbed versions of the monthly
Windows patches and it was pretty clear what was being patched and the
vulnerability being addressed.

With the appliance model, my understanding is that the OS and
Application updates both take place when applying service updates.
Again, I believe Cisco is providing Cisco scrubbed updates to the OS.
I'm not able to find any documentation similar to what was provided with
the Windows patches.  I have no idea what was patched or the
vulnerability being addressed.  I've looked through some of the release
notes for Engineering Specials and Service Updates, but was not able to
find any OS related information.

Can someone please confirm that OS updates are included in service
updates and/or engineering specials?

Does anyone know where to find information on OS patches for the
appliance model?

Another related concern:  I frequently get alerts from our security
team, some of which contain vulnerabilities or exploits for redhat
packages that are part of the base release used for CM.  As an example,
at the end of Feb '09 I received information about a vulnerability for
'libpng':

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0040

Running 'show packages active' on CM 6.1(3b)SU1 shows this:

admin:show packages active libpng
Active Side Package(s): for libpng package(s)
libpng-1.2.2-25

Based on CVE-2009-0040, I believe this version is susceptible to the
vulnerability, but I'm not sure how to confirm this, or whether it has been fixed.

Granted, this is somewhat after the fact, but when these alerts are
first announced, how does one find out if:

1) Cisco has already addressed the issue and what patch contains the  
fix.
2) Cisco is aware of the vulnerability but it does not affect CM.
3) Cisco is working on a fix.

I've checked my PAT profile and I have security advisory, notice, and
response selected for Communication Manager. Most of these announcements
appear to be application related as opposed to OS.

Thanks,

-- Paul
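A small triage helper for the question Paul raises above, added here as an example (it is not code from the thread or from Cisco): it parses the `show packages active` output quoted in the message and orders the installed version-release against a fixed one using RPM's comparison rules. The fixed build `1.2.2-26` is a constructed placeholder, not the real fix for CVE-2009-0040; because Cisco backports fixes into its own package builds, an older release tag only means "possibly affected", and the confirmation still comes from the vendor advisory or a TAC SR.

```python
import re

# Constructed copy of the CLI output quoted in the thread.
CLI_OUTPUT = """admin:show packages active libpng
Active Side Package(s): for libpng package(s)
libpng-1.2.2-25
"""

def parse_active_packages(text):
    """Map package name -> (version, release) for lines like 'libpng-1.2.2-25'.
    The name is everything before the last two '-' separated fields."""
    pkgs = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(.+)-([^-\s]+)-([^-\s]+)", line.strip())
        if m:
            pkgs[m.group(1)] = (m.group(2), m.group(3))
    return pkgs

def rpmvercmp(a, b):
    """Order two version or release strings as rpm does (rpmvercmp rules,
    reimplemented here; tilde/caret handling omitted). Returns -1, 0 or 1."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment sorts newer than alpha
        elif x != y:
            return 1 if x > y else -1
    # Equal prefix: the string with more segments left over is the newer one.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(installed, fixed):
    """Compare (version, release) pairs; epoch taken as 0 on both sides."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])

def triage(cli_text, package, fixed_vr):
    """Classify an alert against the appliance: a build older than the fixed
    version-release is only 'possibly affected', because a vendor-maintained
    package may carry a backported fix under an older release tag."""
    pkgs = parse_active_packages(cli_text)
    if package not in pkgs:
        return "not installed"
    return "possibly affected" if compare_vr(pkgs[package], fixed_vr) < 0 else "not affected"

# FIXED_VR is a constructed placeholder, not the real fix for CVE-2009-0040;
# take the actual value from the vendor advisory or a TAC SR.
FIXED_VR = ("1.2.2", "26")
```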


_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
