Field Notice: FN - 72432 - Unified Contact Center Enterprise (UCCE)/Packaged Contact Center Enterprise (PCCE)/Unified Contact Center Express (UCCX) Solution: Impact of Chrome Private Network Access Deprecation - Software Upgrade Recommended

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.3	01-Feb-23	Updated the Title, Problem Description, Background, Problem Symptom, and Workaround/Solution Sections
1.1	31-Oct-22	Updated the Workaround/Solution Section
1.0	07-Oct-22	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	Finesse Software	12	12.5(1), 12.6(1)	Finesse for Unified Contact Center Enterprise (UCCE)
NON-IOS	Cisco Virtualized Voice Browser Software Releases	VVB 12	12.5(1), 12.6(1)
NON-IOS	Cisco Customer Voice Portal Software Releases	CVP Ver 12	12.5(1), 12.6(1)
NON-IOS	Unified Contact Center Express Software	Unified CCX 12	12.5(1)	Finesse for Unified Contact Center Express (UCCX)
NON-IOS	Unified Contact Center Express Software	Unified CCX 12	12.5(1)	Customer Collaboration Platform (CCP) for UCCE and UCCX
NON-IOS	Cisco Unified Intelligent Contact Management Software Releases	12	12.5(1), 12.5(2), 12.6(1)	For UCCE/ICM/PCCE

Defect Information

Defect ID	Headline
CSCwc13647	Impact of Chrome deprecating direct access to private network endpoints on Finesse
CSCwc93530	Impact of Chrome deprecating Private Network Access on CVP
CSCwc93693	Impact of Chrome deprecating Private Network Access on VVB
CSCwc80228	CCP - Chrome Private Network Access
CSCwc49008	CCX- Impact of Chrome deprecating direct access to private network endpoints on Finesse
CSCwc98312	Impact of Chrome deprecating Private Network Access on CCE

Problem Description

Chrome will deprecate direct access to private network endpoints, as part of the Private Network Access (PNA) specification, which begins from Chrome version 111. This is also applicable for Chromium-based browsers such as Microsoft Edge.

Background

With Chrome version 111, Chrome will start to send a Cross Origin Resource Sharing (CORS) pre-flight request ahead of any private network request for a sub resource, as specified by the PNA specification which asks for explicit permission from the target server.

This pre-flight request will carry a new header, Access-Control-Request-Private-Network: true, and the response must carry a header that corresponds to it, Access-Control-Allow-Private-Network: true.

The aim is to protect users from Cross Site Request Forgery (CSRF) attacks that target routers and other devices on private networks.

Problem Symptom

When a web application tries to access a resource from a server that is in a "more" private network space (as defined in the Chrome Reference URL), the HTTP method to retrieve the resource will error out, and the corresponding page/UI component/widget and/or resource data will not load. The UI (depending on the web application) will likely display an error message which indicates the access failure.

For more details, refer to Chrome's Reference - Private Network Access: introducing preflights.

Note: At the time of publishing this article, these changes from the Chrome browser are planned from version 111, however ongoing changes can occur. Administrators are recommended to refer to the Chrome Rollout Plan for latest updates to this feature.

Workaround/Solution

It is recommended to upgrade to fixed versions as mentioned in this section. In cases where an upgrade is not chosen, but administrative control over Chrome users is available, PNA checks can be disabled through a workaround that uses Chrome Enterprise policies.

Refer to these Chrome developer blogs related to this topic for more information on how this can be achieved.

In order to disable PNA checks, see:

• InsecurePrivateNetworkRequestsAllowed
• InsecurePrivateNetworkRequestsAllowedForUrls (enterprise policies)

For more details, see:

• Chrome sends Private Network Access preflights for subresources.
• Chrome: Version 111 - Rollout Plan
• Edge: Version 111 - Site compatibility-impacting changes coming to Microsoft Edge
• Chromium: Version 115 - Private Network Access preflight requests for subresources

Component	Affected Version 12.5(1)	Affected Version 12.6(1)	Defect ID	12.5 ES Patch URL	12.6 ES Patch URL
UCCE/PCCE/ICM	Yes	Yes	CSCwc98312	CCE 12.5(2) ES8	CCE 12.6(1) ES45
CVP	Yes	Yes	CSCwc93530	CVP 12.5(1) ES30	CVP 12.6(1) ES17
VVB	Yes	Yes	CSCwc93693	VVB 12.5(1) ES15	VVB 12.6(1) ES
Finesse	Yes	Yes	CSCwc13647	Finesse 12.5(1) SU	Finesse 12.6(1) ES6
CCP	Yes	Not Applicable	CSCwc80228	CCP 12.5(1) SU02 ES04	Not Applicable
CCX	Yes	Not Applicable	CSCwc49008	CCX 12.5(1) SU02 ES04	Not Applicable

 

Note: For UCCE/PCCE/ICM 12.5(1), it is recommended upgrade to 12.5(2) MR and apply the 12.5(2) ES8 patch. If not, follow the information in this section.

For any further questions, contact the Cisco Technical Assistance Center (TAC).

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

• Open a service request on Cisco.com
• By email or telephone

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.