THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 |
16-Apr-20 |
Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS |
Enterprise Chat and Email |
12 |
12.0(1), 12.0(1)_ES1, 12.0(1)_ES2, 12.0(1)_ES3, 12.5(1), 12.5(1)_ET1 |
Defect ID | Headline |
---|---|
CSCvt32156 | ECE gadget is not loading in PCCE SPOG after enabling LDAP signing on Domain controller |
What is Changing
Microsoft is currently updating security requirements for Lightweight Directory Access Protocol (LDAP) connections to Active Directory. After this update completes, Secure LDAP (LDAPS) will become mandatory for all LDAP connections to Active Directory from the specified Cisco Collaboration applications. After the update, LDAP connections to Active Directory from these applications will not work unless LDAPS is configured.
This security update is not expected to become mandatory until the second half of the calendar year 2020. However, it is recommended that you update the specified Cisco Collaboration applications to use LDAPS as soon as possible. This will both secure your LDAP connection and will also ensure that services remain up and running when the security update becomes mandatory.
Why this Change is Needed
The current default settings have a vulnerability that might expose Active Directory domain controllers to an elevation of privileges, and man-in-the-middle attacks. The LDAPS updates harden the connection to Active Directory's existing LDAP channel binding and LDAP signing mechanisms, which makes the system more secure. For more detailed information, see Microsoft Security Advisory ADV190023.
For additional configurations around LDAP signing, see How to enable LDAP signing in Windows Server.
CVE-2017-8563 | Windows Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully forward an authentication request to a Windows LDAP server such as a system running Active Directory Domain Services (AD DS).
The LDAP authentication mechanism is used in Unified CCE solution components, hence might have impact due to this change. This wiki captures the impact to the Unified CCE components, recommendations, and validation information.
Reference links from Microsoft:
For ECE, see Cisco bug ID CSCvt32156.
For core Unified Contact Center Enterprise, there are no changes required.
For ECE, you must enable SSL. Please refer to the Enterprise Chat and Email (ECE) Installation and Configuration guide under the chapter, "SSL Configuration" for instructions on enabling SSL.
Please also refer to the Workaround in defect CSCvt32156 on how to specify the keystore file path for installing SSL certificates for ECE.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.
Unleash the Power of TAC's Virtual Assistance