Outdated Java and IE security settings for CUCM. When did this become okay?!



  • Okay, a little bit of a rant. Just had to edit a holiday schedule for a customer and help them record a greeting for being closed for said holiday...

    Have IE11 which usually has to be used because it doesn't load the scripts properly in Chrome. Well, that stopped working due to security issues with the call manager. Okay... Download Firefox, turn off some security settings that it yells about, and boom. I'm in...

    Okay, let's check out the recording. "You need Java to run this." Damn. Alright. Download and install Java...

    Okay, now let's try again. "Security issue: this applet doesn't meet the requirements for high or very high security and has been blocked." Really?! Okay. Reconfigure Java to allow exemptions. Reconfigure again because it didn't like taking IPs very well...

    This entire process took half an hour, and all because of antiquated UIs with poor security, and if I recall right there's Cisco Call Manager, and also there's a lot of bank UIs that require certain versions of Java, and only run in IE. When did any of this become okay to just let sit idle like this and everyone be like "Yeah, that's just how it is."?! Are these applications just going to continue to callously disregard security because "Oh, well, it shouldn't matter in an internal environment or with all of these other security checks in place."? To the point where we have developed full workarounds as standards to accessing these things?
    </rant>

    Just looking to hear your thoughts on this. I know at least a handful of you have run into things like this.



  • That seems pretty bad.



  • @scottalanmiller said in Outdated Java and IE security settings for CUCM. When did this become okay?!:

    That seems pretty bad.

    For Firefox, had to follow this: http://stokebrand.com/blog/2015/7/6/cannot-login-to-cisco-callmanager-after-firefox-update
    For Java, I had to drop the security from very high to just high, disable some "Block these apps" settings and add an exemption for the https://IP:port of the CUCM server.

    For those who don't want to follow the link for Firefox, I had to set these in about:config
    security.ssl3.dhe_rsa_aes_128_sha=false
    security.ssl3.dhe_rsa_aes_256_sha=false



  • I have 6 computers scattered around my environment because of this. An old EHR that's not compatible with modern things.

    I still have old HP switches that require Java to use the web console (luckily soon they should be gone).

    One thing that almost no one takes into account is the replacement timeframe for any technology. Enterprises might do a better job than most, but I've seen it be a problem even there.

    Many places feel that they should just be able to run their tech until it physically dies. Nowadays that's pushing past 10 years. For things like switches, it's been a lot longer than 10 years. My switches are 9 years old and were a new model the year I bought them.

    Looking at total cost of ownership - up to and including replacement when a technology needs to be replaced, not just hardware dying, is important.

    Let's all hope that HTML 5 isn't replaced any time soon.



  • @FiyaFly said in Outdated Java and IE security settings for CUCM. When did this become okay?!:

    @scottalanmiller said in Outdated Java and IE security settings for CUCM. When did this become okay?!:

    That seems pretty bad.

    For Firefox, had to follow this: http://stokebrand.com/blog/2015/7/6/cannot-login-to-cisco-callmanager-after-firefox-update
    For Java, I had to drop the security from very high to just high, disable some "Block these apps" settings and add an exemption for the https://IP:port of the CUCM server.

    For those who don't want to follow the link for Firefox, I had to set these in about:config
    security.ssl3.dhe_rsa_aes_128_sha=false
    security.ssl3.dhe_rsa_aes_256_sha=false

    Perhaps you need to set up a VM specifically for managing that old equipment.