Cisco Security Advisory: Cisco Unified Communications Manager Denial
of Service and Authentication Bypass Vulnerabilities
Cisco Unified Communications Manager (CUCM), formerly Cisco
CallManager, contains a denial of service (DoS) vulnerability in the
Computer Telephony Integration (CTI) Manager service that may cause
an interruption in voice services and an authentication bypass
vulnerability in the Real-Time Information Server (RIS) Data
Collector that may expose information that is useful for
reconnaissance.

Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for these vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml.

Affected Products

Vulnerable Products

The following products are vulnerable:
* Cisco Unified CallManager 4.1 versions
* Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4
* Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1
* Cisco Unified Communications Manager 5.x versions prior to 5.1(3c)
* Cisco Unified Communications Manager 6.x versions prior to 6.1(2)
Administrators of systems running Cisco Unified Communications
Manager (CUCM) version 4.x can determine the software version by
navigating to Help > About Cisco Unified CallManager and selecting
the Details button via the CUCM administration interface.
Administrators of systems that are running CUCM versions 5.x and 6.x
can determine the software version by viewing the main page of the
CUCM administration interface. The software version can also be
determined by running the command show version active via the command
line interface (CLI).
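
As an added example (not part of Cisco's advisory), the version thresholds in the list above can be checked across an inventory with a small Python comparison. It assumes each version string is already written in the advisory's notation, such as 4.2(3)SR4; converting CLI or web-interface output into that notation is not handled, and the function names and inventory are hypothetical.

```python
import re

# Fixed releases copied from the advisory's "Vulnerable Products" list.
# None means every release of that train is listed as vulnerable.
FIXED = {
    "4.1": None,
    "4.2": "4.2(3)SR4",
    "4.3": "4.3(2)SR1",
    "5": "5.1(3c)",
    "6": "6.1(2)",
}

# major.minor(maintenance[letter])[SR<n>[letter]], e.g. 5.1(3c) or 4.2(3)SR4
_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)(?:SR(\d+)([a-z]?))?$", re.I)


def parse(version):
    """Turn a string like '4.2(3)SR4' into a tuple that sorts in release order."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, maint, letter, sr, sr_letter = m.groups()
    # A missing letter or service release sorts before any present one.
    return (int(major), int(minor), int(maint), letter.lower(),
            int(sr or 0), (sr_letter or "").lower())


def is_vulnerable(version):
    """True/False per the advisory's list; None if the train is not listed."""
    parsed = parse(version)
    major, minor = parsed[0], parsed[1]
    # 4.x trains are listed per minor release; 5.x and 6.x per major release.
    key = f"{major}.{minor}" if major == 4 else str(major)
    if key not in FIXED:
        return None
    fixed = FIXED[key]
    return True if fixed is None else parsed < parse(fixed)


def needs_update(inventory):
    """Return the sorted host names whose version is listed as vulnerable."""
    return sorted(h for h, v in inventory.items() if is_vulnerable(v) is True)


# Constructed sample inventory (host names and versions are illustrative).
INVENTORY = {"cucm-a": "4.1(3)SR5", "cucm-b": "5.1(3c)",
             "cucm-c": "6.1(1a)", "cucm-d": "4.3(2)SR1"}

if __name__ == "__main__":
    print(needs_update(INVENTORY))
```

A result of None means the release train does not appear in the list above, so the advisory's list alone gives no answer for it.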