Cisco: Critical Java Flaw Strikes 'Call Center In A Box', Patch Urgently
Organizations using Cisco's call-center platform, Unified Contact Center Express (Unified CCX), should update the software urgently, Cisco has warned.
The company has released updates for the Unified CCX platform to address a critical deserialization vulnerability in its Java-based remote management interface, which could allow a remote attacker without credentials to install malware on the device.
Cisco describes Unified CCX as a "'contact center in a box' that provides a secure and easy to deploy customer interaction management solution for up to 400 agents".
Brenden Meeder, a security expert from Edward Snowden's former employer, Booz Allen Hamilton, found he could compromise Unified CCX systems from afar by sending a malicious serialized Java object to the remote management interface.
"A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device," Cisco warns.
Cisco says the bug doesn't affect the bigger Cisco Unified Contact Center, which supports contact centers with up to 24,000 agents.
To address the bug, Cisco is urging customers on Unified CCX major releases earlier than 12.0 and those on a 12.0 release to migrate to release 12.0(1)ES03. Unified CCX 12.5 is not vulnerable.
The vulnerability is being tracked as CVE-2020-3280 and has a CVSS severity score of 9.8 out of a possible 10.
However, Cisco's Product Security Incident Response Team (PSIRT) said it wasn't aware of any attacks in the wild on this flaw.
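For defenders reviewing captured traffic to a Java management interface, the Python sketch below finds the Java serialization stream header, raw or base64-encoded, and reports the first class name it announces. It is an added example, not code from Cisco or the original article. The class name `com.example.AgentReport` and the sample payloads are constructed, and nothing here reflects the Unified CCX wire format, which the article does not describe.

```python
import base64
import re
import struct

STREAM_HEADER = b"\xac\xed\x00\x05"    # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72   # type codes from the Java serialization spec
B64_HEADER = re.compile(rb"rO0AB[A-Za-z0-9+/]*")  # base64 text of a stream starts like this


def top_level_class(stream):
    """Class name of the first object in a stream, or None if it cannot be read."""
    body = stream[len(STREAM_HEADER):]
    if len(body) < 4 or body[0] != TC_OBJECT or body[1] != TC_CLASSDESC:
        return None                    # block data, a back-reference, or a truncated capture
    (name_len,) = struct.unpack(">H", body[2:4])
    name = body[4:4 + name_len]
    if len(name) < name_len:
        return None                    # class name cut off by the capture
    return name.decode("utf-8", errors="replace")


def find_serialized_java(payload):
    """Return (offset, encoding, class_name) for each serialization header in payload."""
    hits = []
    pos = payload.find(STREAM_HEADER)
    while pos != -1:
        hits.append((pos, "raw", top_level_class(payload[pos:])))
        pos = payload.find(STREAM_HEADER, pos + 1)
    for match in B64_HEADER.finditer(payload):
        text = match.group(0)
        decoded = base64.b64decode(text[:len(text) - len(text) % 4])  # whole quanta only
        if decoded.startswith(STREAM_HEADER):
            hits.append((match.start(), "base64", top_level_class(decoded)))
    return hits


# Constructed sample: header, TC_OBJECT, TC_CLASSDESC, a hypothetical class name and a
# dummy serialVersionUID. It is a stream prefix for the scanner, not a complete object.
CLASS_NAME = b"com.example.AgentReport"
FRAGMENT = (STREAM_HEADER + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(CLASS_NAME)) + CLASS_NAME + b"\x00" * 8)
SAMPLE_RAW = b"\x00\x10preamble" + FRAGMENT
SAMPLE_B64 = b"state=" + base64.b64encode(FRAGMENT) + b"&page=1"

if __name__ == "__main__":
    for sample in (SAMPLE_RAW, SAMPLE_B64, b"plain text, no Java objects"):
        print(find_serialized_java(sample))
```

A hit is a triage signal rather than a verdict, because legitimate Java clients also send serialized objects; compare the reported class names with what the interface is expected to receive.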
Cisco also released updates to fix a high-severity denial-of-service vulnerability affecting the DHCP server of Cisco Prime Network Registrar.
Cisco also recently fixed two medium-severity flaws: an SQL injection affecting the web-based management interface of Cisco Prime Collaboration Provisioning Software, and a denial-of-service flaw affecting the file scan process of Cisco AMP for Endpoints Mac Connector Software.