Multiple Vulnerabilities in Cisco Unified Customer Voice Portal Software

cisco-sa-20130508-cvp · Critical

Cisco Unified Customer Voice Portal Software (Unified CVP) contains multiple vulnerabilities. Various components of Cisco Unified CVP are affected; see the "Details" section for more information on the vulnerabilities. These vulnerabilities can be exploited independently; however, more than one vulnerability could be exploited on the same device. Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130508-cvp

Workarounds

A workaround is available for the Cisco Unified Customer Voice Portal Software XML Entity Expansion Vulnerability documented in Cisco Bug ID CSCub38366 (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCub38366; registered customers only, see http://tools.cisco.com/RPF/register/register.do).

To implement the workaround for the Cisco Unified Customer Voice Portal Software XML Entity Expansion Vulnerability, the communication between the Cisco Unified CVP devices must be secured using SSL. For more information on how to secure the communications between Cisco Unified CVP devices, refer to the "Unified CVP security" section of the Configuration and Administration Guide for Cisco Unified Customer Voice Portal at the following location:

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/customer_voice_portal/cvp9_0/configuration/guide/cvp-configuration-and-administration-guide.pdf

A workaround is available for the Cisco Unified Customer Voice Portal Software Tomcat Web Application Vulnerability documented in Cisco Bug ID CSCub38384 (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCub38384; registered customers only, see http://tools.cisco.com/RPF/register/register.do).

To implement the workaround for the Cisco Unified Customer Voice Portal Software Tomcat Web Application Vulnerability, the Manager and Host-Manager web applications must be removed manually from the Tomcat instances on CVP servers. For each server, stop its services first, then delete the Manager and Host-Manager folders from its Tomcat webapps folder:

CVP VXML Server
Go to the C:\Cisco\CVP\VXMLServer\Tomcat\server\webapps folder. Delete the Manager and Host-Manager folders.

CVP Call Server
Go to the C:\Cisco\CVP\CallServer\Tomcat\server\webapps folder. Delete the Manager and Host-Manager folders.

CVP Operation Console Server
Go to the C:\Cisco\CVP\OPSConsoleServer\Tomcat\server\webapps folder. Delete the Manager and Host-Manager folders.

CVP Reporting Server
Go to the C:\Cisco\CVP\CallServer\Tomcat\server\webapps folder. Delete the Manager and Host-Manager folders.

A workaround is available for the CVP: Insecure Tomcat Configuration Instance documented in Cisco Bug ID CSCub38379 (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCub38379; registered customers only, see http://tools.cisco.com/RPF/register/register.do).

To implement the workaround for the CVP: Insecure Tomcat Configuration Instance, follow these steps:

Stop the VXML Server service.

Go to the C:\Cisco\CVP\VXMLServer\Tomcat\conf folder and edit the server.xml file.

Change the autoDeploy attribute from true (its previous value) to false.
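The two Tomcat workarounds above (CSCub38384 and CSCub38379) as a single audit-and-apply script. This is example code written for this page, not Cisco's tooling. It assumes the folder layout quoted in the advisory (<root>\<Server>\Tomcat\server\webapps for the web applications and <root>\VXMLServer\Tomcat\conf\server.xml for the VXML Server configuration, with <root> normally C:\Cisco\CVP) and a standard Tomcat server.xml in which autoDeploy is an attribute of the <Host> element. The sample tree it builds for its stand-alone run is constructed, not a real CVP installation; against a real server the services are stopped first, as the advisory says.

```python
"""Audit and apply the Tomcat workarounds from cisco-sa-20130508-cvp.

Example code for this page (not Cisco's). Assumes the paths quoted in the
advisory: <root>\\<Server>\\Tomcat\\server\\webapps for the web applications
and <root>\\VXMLServer\\Tomcat\\conf\\server.xml for the VXML Server
configuration, with <root> normally C:\\Cisco\\CVP.
"""
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

CVP_SERVERS = ["VXMLServer", "CallServer", "OPSConsoleServer"]
RISKY_WEBAPPS = ("manager", "host-manager")  # CSCub38384

def leftover_webapps(cvp_root):
    """(server, folder) pairs for Manager/Host-Manager folders still deployed."""
    found = []
    for server in CVP_SERVERS:
        webapps = Path(cvp_root) / server / "Tomcat" / "server" / "webapps"
        if webapps.is_dir():
            for entry in webapps.iterdir():
                # Windows folder names are case-insensitive; compare likewise.
                if entry.is_dir() and entry.name.lower() in RISKY_WEBAPPS:
                    found.append((server, entry.name))
    return sorted(found)

def remove_leftover_webapps(cvp_root):
    """Apply the CSCub38384 workaround; returns what was removed."""
    removed = leftover_webapps(cvp_root)
    for server, folder in removed:
        shutil.rmtree(Path(cvp_root) / server / "Tomcat" / "server" / "webapps" / folder)
    return removed

def auto_deploy_enabled(server_xml):
    """True if any <Host> in server.xml still auto-deploys (CSCub38379).

    Tomcat treats a missing autoDeploy attribute as true, so that case is
    flagged too. The file is the server's own trusted configuration.
    """
    for host in ET.parse(server_xml).iter("Host"):
        if host.get("autoDeploy", "true").strip().lower() == "true":
            return True
    return False

# Matches autoDeploy="true" inside a <Host ...> start tag only.
_AUTODEPLOY = re.compile(r'(<Host\b[^>]*?\bautoDeploy=")true(")', re.IGNORECASE)

def disable_auto_deploy(server_xml):
    """Rewrite autoDeploy="true" to "false" in place, keeping a .bak copy.

    A regex edit keeps comments and layout, which ElementTree would drop on
    re-serialisation. Returns the number of attributes changed.
    """
    path = Path(server_xml)
    text = path.read_text(encoding="utf-8")
    new_text, changed = _AUTODEPLOY.subn(r"\1false\2", text)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return changed

# Constructed sample for the stand-alone run; not a real CVP installation.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="7000" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <!-- autoDeploy="true" is the state the advisory describes -->
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

def build_sample_install(root):
    """Create a CVP-like tree with the leftover webapps and the weak setting."""
    for server in CVP_SERVERS:
        for app in ("ROOT", "Manager", "Host-Manager"):
            (Path(root) / server / "Tomcat" / "server" / "webapps" / app).mkdir(parents=True)
    server_xml = Path(root) / "VXMLServer" / "Tomcat" / "conf" / "server.xml"
    server_xml.parent.mkdir(parents=True)
    server_xml.write_text(SAMPLE_SERVER_XML, encoding="utf-8")
    return server_xml

def run_demo():
    """Audit, apply both workarounds, re-audit; returns before/after findings."""
    root = tempfile.mkdtemp(prefix="cvp-demo-")
    try:
        server_xml = build_sample_install(root)
        before = (leftover_webapps(root), auto_deploy_enabled(server_xml))
        removed = remove_leftover_webapps(root)
        changed = disable_auto_deploy(server_xml)
        after = (leftover_webapps(root), auto_deploy_enabled(server_xml))
        return {"before": before, "removed": removed, "changed": changed, "after": after}
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a real installation, call leftover_webapps and auto_deploy_enabled with the CVP root and the VXML Server's server.xml to audit, and remove_leftover_webapps and disable_auto_deploy to apply the workarounds; the audit functions are also a useful post-upgrade check that the folders have not been redeployed.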

CVEs: CVE-2013-1220, CVE-2013-1221, CVE-2013-1222, CVE-2013-1223, CVE-2013-1224, CVE-2013-1225

Cisco Bug IDs: CSCua65148, CSCub38366, CSCub38369, CSCub38372, CSCub38379, CSCub38384

CVSS score: Base 7.8

CVSS vectors:
Base 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
Base 7.8 AV:N/AC:L/Au:N/C:N/I:C/A:N/E:F/RL:OF/RC:C
Base 7.8 AV:N/AC:L/Au:N/C:C/I:N/A:N/E:F/RL:OF/RC:C
Base 7.1 AV:N/AC:M/Au:N/C:N/I:C/A:N/E:F/RL:OF/RC:C

Product names from source: Cisco Unified Customer Voice Portal (CVP)

Related Products

Product: Cisco Nexus Dashboard
CVEs: CVE-2013-1220, CVE-2013-1221, CVE-2013-1222, CVE-2013-1223, CVE-2013-1224, CVE-2013-1225
Evidence: Cisco OpenVuln

Product: Cisco Catalyst PON Series Switches
CVEs: CVE-2013-1220, CVE-2013-1221, CVE-2013-1222, CVE-2013-1223, CVE-2013-1224, CVE-2013-1225
Evidence: Cisco OpenVuln

Product: Cisco Unified Customer Voice Portal (CVP)
CVEs: CVE-2013-1220, CVE-2013-1221, CVE-2013-1222, CVE-2013-1223, CVE-2013-1224, CVE-2013-1225
Evidence: Cisco OpenVuln