The Real Risk Of Operating Out-Of-Date Software
Software Security Advisory – CVE-2021-44228 Log4j2 Vulnerability
December 20, 2021
Darrel Bremer, Head of Customer Success, VOSS Solutions
Further to the recent publication of the security vulnerability CVE-2021-44228, it was confirmed that none of the products in the VOSS product suite are affected by this published security vulnerability.
CVE Reference: CVE-2021-44228
However, some Cisco HCS partners still operate CUCDM Classic and CUCDM Evolution, which puts them at constant risk of exposure to security vulnerabilities as the underlying operating systems and software packages go out of support over time. As both of these CUCDM versions are reaching the end of their respective lifecycles, there is no further planned product development.
The most prominent risk of operating software built on outdated operating systems, or that makes use of out-of-support third-party software packages, is the inability to respond to security vulnerabilities as they arise. Should a vulnerability be identified on out-of-date CUCDM Classic or CUCDM Evolution platforms, it may not be possible for HCS partners to respond to their customers’ requests to resolve it, putting them at risk of not meeting their customers’ SLAs or expectations.
Specifically, older versions of CUCDM use earlier versions of Log4j. These earlier versions are not impacted by the recent security vulnerability, so CUCDM is not exposed; but should this vulnerability be extended to those older versions of Log4j, it could cause significant issues for CUCDM.
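Whether a platform is exposed depends on which Log4j generation and version each bundled jar carries, and that is something a defender can inventory directly rather than infer from product documentation. The following is an added example, not VOSS or CUCDM code and not part of the original advisory: it walks a war/jar (here constructed in memory), reads the Maven pom.properties that log4j-core 2.x jars ship, and flags versions inside the range affected by CVE-2021-44228 (2.0-beta9 through 2.14.1). The archive contents and path names are constructed sample data; the affected version range is the published one.

```python
"""Added example (not VOSS/CUCDM code): inventory Log4j versions inside
jar/war archives and flag the range affected by CVE-2021-44228.
The archives scanned below are constructed in memory for demonstration."""
import io
import re
import zipfile

# Entries inside a jar that identify the Log4j generation and version.
# log4j-core 2.x jars carry their Maven pom.properties at this path.
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # 2.x lookup class
LOG4J1_MARKER = "org/apache/log4j/Logger.class"                        # 1.x class

# Versions affected by CVE-2021-44228: 2.0-beta9 through 2.14.1 inclusive.
# Follow-up CVEs (e.g. CVE-2021-45046) have their own ranges and are not checked here.
AFFECTED_FROM, AFFECTED_TO = "2.0-beta9", "2.14.1"
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
NESTED = (".jar", ".war", ".ear", ".zip")


def version_key(version):
    """Map '2.14.1' or '2.0-beta9' to a sortable tuple; a final release sorts
    after any pre-release of the same number (2.0-beta9 < 2.0 < 2.0.1)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _PRE_RANK[pre] if pre else 3, int(pre_num or 0))


def is_affected(version):
    """True if a Log4j 2.x version string falls inside the CVE-2021-44228 range."""
    return version_key(AFFECTED_FROM) <= version_key(version) <= version_key(AFFECTED_TO)


def scan_jar(jar_bytes, path="<archive>"):
    """Return one inventory record per archive, recursing into nested jars/wars."""
    records = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        rec = {"path": path, "generation": None, "version": None, "status": "no log4j"}
        if LOG4J2_POM in names:
            props = zf.read(LOG4J2_POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            rec["generation"] = 2
            if m:
                rec["version"] = m.group(1).strip()
                rec["status"] = "affected" if is_affected(rec["version"]) else "not affected"
            else:
                rec["status"] = "unknown version"
        elif LOG4J2_JNDI in names:
            # Shaded/relocated 2.x core without pom.properties: version unknown,
            # but the JNDI lookup class is present, so it needs manual review.
            rec.update(generation=2, status="unknown version")
        elif LOG4J1_MARKER in names:
            # Log4j 1.x does not contain the 2.x JNDI lookup and is outside this CVE's range.
            rec.update(generation=1, status="not affected")
        records.append(rec)
        # Recurse into bundled archives (WEB-INF/lib/*.jar inside a war, etc.).
        for inner in sorted(n for n in names if n.lower().endswith(NESTED)):
            records.extend(scan_jar(zf.read(inner), f"{path}!{inner}"))
    return records


def affected_paths(jar_bytes, path="<archive>"):
    """Just the archive paths whose Log4j version is inside the CVE range."""
    return [r["path"] for r in scan_jar(jar_bytes, path) if r["status"] == "affected"]


def build_jar(entries):
    """Build an in-memory jar from {entry path: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()


# Constructed sample deployment: a war bundling an affected log4j-core, a fixed
# one, a Log4j 1.x jar, and an unrelated library.
SAMPLE_WAR = build_jar({
    "WEB-INF/lib/log4j-core-2.14.1.jar": build_jar({LOG4J2_POM: "version=2.14.1\n", LOG4J2_JNDI: b""}),
    "WEB-INF/lib/log4j-core-2.16.0.jar": build_jar({LOG4J2_POM: "version=2.16.0\n", LOG4J2_JNDI: b""}),
    "WEB-INF/lib/log4j-1.2.17.jar": build_jar({LOG4J1_MARKER: b""}),
    "WEB-INF/lib/other-lib.jar": build_jar({"com/example/Foo.class": b""}),
})


if __name__ == "__main__":
    for r in scan_jar(SAMPLE_WAR, "app.war"):
        print(f"{r['path']}: generation={r['generation']} version={r['version']} -> {r['status']}")
```

Run against real files by reading each deployed war/jar into bytes and passing it to scan_jar; the "unknown version" status is deliberate, since shaded or relocated copies of log4j-core lose their pom.properties and should be reviewed by hand rather than silently counted as safe.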
Security challenges are ongoing; recent examples of critical security vulnerabilities include:
- LOG4J2 (CVE-2021-44228)
- TCP SACK (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)
- FRAGMENTSMACK VULNERABILITY (CVE-2018-5391)
- MELTDOWN AND SPECTRE (CVE-2017-5754, CVE-2018-3640)
In addition to the security compliance and vulnerability risk mitigation considerations of Cisco’s EOL for CUCDM, partners are also at risk of having no support and maintenance coverage for their HCS domain management platforms. Given that CUCDM reaches its end-of-life milestone on 28 February 2022, with no option to extend product support and maintenance, Cisco HCS partners may already be at risk of not being covered under their existing agreements.
VOSS recommends that all HCS partners convert their CUCDM Classic or CUCDM Evolution platforms to VOSS Automate before CUCDM end-of-life is reached to ensure that their UC domain management platform operates on supported operating systems and third-party software packages.
VOSS Automate provides significant scalability, stability, and performance improvements to support HCS partners’ operational processes, such as new customer onboarding projects, customer migration activities, as well as highly automated and dynamic day-2 operations. VOSS Automate’s rich multi-vendor support provides additional opportunities for business development and product expansion.
Should you require any support or assistance regarding your move to VOSS Automate, please contact your regional VOSS Account Management Team or contact the VOSS Customer Success Team.