Network World
Thursday, July 24, 2008

Cisco Subnet Blog


Four vulnerabilities found in Cisco Unified Communications Manager

Cisco Security Advisory: On May 14, Cisco issued a security advisory for Cisco Unified Communications Manager (formerly Cisco CallManager). Patches are now available to fix four denial of service (DoS) vulnerabilities, all of which were discovered internally by Cisco, the company says. The following Cisco Unified Communications Manager (CUCM) services are affected: Certificate Trust List (CTL) Provider, Certificate Authority Proxy Function (CAPF), Session Initiation Protocol (SIP) and Simple Network Management Protocol (SNMP) Trap.

The CTL vulnerability affects CUCM version 5.x. It is a memory consumption hole: when a vulnerable CUCM system receives a series of malformed TCP packets, the result may be a DoS condition. The CTL Provider service is enabled by default.

The Certificate Authority Proxy Function (CAPF) vulnerability affects versions 4.1, 4.2 and 4.3. The hole may result in a DoS condition when the service handles malformed input.

The SIP vulnerabilities comprise one that makes use of a hole in SIP JOIN and two that attack SIP INVITE. One of the holes for SIP INVITE does not have a workaround. The bug is fixed in the next service release, i.e. 4.1(3)SR7, 4.2(3)SR4, 4.3(2), 5.1(3) and 6.1(1).
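For patch triage, the fixed releases listed above can be turned into a per-train version check. The following is an added example, not code from the article or from Cisco; it assumes versions are written in the article's `major.minor(maint)SRn` notation, that a later release in the same train carries the fix, and it uses a constructed inventory with hypothetical host names.

```python
import re

# Fixed releases exactly as listed in the article.
FIXED_RELEASES = ["4.1(3)SR7", "4.2(3)SR4", "4.3(2)", "5.1(3)", "6.1(1)"]

# major.minor(maint) with an optional service release such as SR7 or sr5b.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\((\d+)\)(?:SR(\d+)([a-z]?))?$", re.IGNORECASE
)


def parse_version(text):
    """Parse a version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CUCM version string: {text!r}")
    major, minor, maint, sr, letter = m.groups()
    return (int(major), int(minor), int(maint), int(sr or 0), (letter or "").lower())


# Key each fixed release by its (major, minor) train.
FIXED_BY_TRAIN = {parse_version(v)[:2]: v for v in FIXED_RELEASES}


def check(installed):
    """Return (status, fixed_release) for one installed version."""
    ver = parse_version(installed)
    fixed = FIXED_BY_TRAIN.get(ver[:2])
    if fixed is None:
        # Train not named in the article: consult the advisory, do not guess.
        return ("unknown-train", None)
    if ver >= parse_version(fixed):
        return ("fixed", fixed)
    return ("needs-update", fixed)


def audit(inventory):
    """Map host -> (status, fixed_release) for a {host: version} inventory."""
    return {host: check(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "cucm-pub-01": "4.1(3)SR6",
    "cucm-sub-02": "4.2(3)sr4",
    "cucm-lab-03": "6.0(1)",
}

if __name__ == "__main__":
    for host, (status, fixed) in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} (fixed release: {fixed})")
```

Hosts reported as `unknown-train` run a release train the article does not list and need to be checked against the Cisco advisory itself.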


Why is it?


Why does Network World always advertise Cisco's vulnerabilities solely? I just find it hard to believe that Nortel, Avaya, Juniper, Extreme, HP, Mitel, etc. have no vulnerabilities in their products.

Is it just because Cisco advertises their vulnerabilities to Network World, therefore it is easier to make a story out of it?

Network World, can you explain this? It is good to know about all vendor issues, because in my network (probably like a lot of people here) I have more than just Cisco, but it seems like they are the only company that has their issues reported on this site.

We do cover all of them, here's a list of links


The Cisco Subnet site and blog cover Cisco vulnerabilities -- which is where you found this post. The main page for that is www.ciscosubnet.com. The Microsoft Subnet site covers all of the Microsoft patches. The main page for that is www.microsoftsubnet.com. The Security Research Center (see nav bar on the left) covers all security-related news. Our daily security newsletter summarizes our security news, and our Security Threat Alert (used to be called the Bug Alert) covers ALL of the patches from all vendors. Take a look at that for more patch information: http://www.networkworld.com/newsletters/bug/index.html. If you want this stuff to come to your inbox, subscribe to newsletters here: http://www.networkworld.com/newsletters/

But I haven't


I accessed this article from the main page, www.networkworld.com. Quite frankly, I have been coming here for some time, and the only vendors' bugs that make the main page are Cisco and Microsoft. I know both companies are proactive about their bugs. I would think since Nortel and Avaya collectively have more market share than Cisco, that some of their bugs would make the main page. Additionally, Juniper has a big install base, so I would think that a JunOS bug or two would make the main page.

Maybe it is my perception.

BTW...


I just went to that area, which goes back 3 months. I did not see Avaya, Nortel, Juniper, Foundry, Extreme, Force10, Mitel, ShoreTel, Vyatta, Asterisk, or ANY other network or phone vendor.

Y'all need to cover everyone; it is unbalanced not to cover all vendors' bugs, and just highlight the vendors that conveniently let you know about the bugs.

Do some reporting... not just cutting and pasting the emails from proactive vendors like Microsoft, Oracle, or Cisco.


About the Cisco Subnet Blog


The Cisco Subnet blog is the official blog of the Network World Cisco Subnet community, managed by Editor Linda Leung. Cisco Subnet is the independent voice of Cisco customers and is your gateway to daily Cisco news, blogs, opinion, books, prize giveaways and more. Visit the Cisco Subnet home page daily and while you are there, subscribe to the Cisco Alert e-mail newsletter, which includes news and views generated by the Cisco Subnet community as well as Cisco-related stories on Network World and elsewhere on the Web.
