A vulnerability in the Cisco Jabber client could allow an unauthenticated, remote attacker to perform a STARTTLS downgrade attack. The vulnerability exists because the client does not verify that an Extensible Messaging and Presence Protocol (XMPP) connection has been established with Transport Layer Security (TLS). An attacker could exploit this vulnerability by performing a man-in-the-middle attack to tamper with the XMPP connection and avoid TLS negotiation. A successful exploit could allow the attacker to cause the client to establish a cleartext XMPP connection. Cisco will release software updates that address this vulnerability. Workarounds that address this vulnerability are not available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151224-jab
Product | Defect | Fixed Release Availability |
---|---|---|
Client Side | ||
Cisco Jabber for Windows | CSCux88529 | 11.5(1) on-premises (Available) 11.5(1) cloud (4-Feb-2016) 11.1(3) on-premises (5-Feb-2016) 11.1(3) cloud (18-Feb-2016) 10.6(7) on-premises (12-Feb-2016) 10.6(7) cloud (25-Feb-2016) 10.5(5) (18-Feb-2016 - Tentative) 9.7(7) (23-Feb-2016 - Tentative) |
Cisco Jabber for Mac | CSCux74900 | 11.5(1) on-premises (3-Feb-2016) 11.5(1) cloud (4-Feb-2016) |
Cisco Jabber for Android | CSCux74895 | 11.5(1) (Available) |
Cisco Jabber for iPhone and iPad | CSCux74848 | 11.5(1) (5-Feb-2016 - Tentative) |
Server Side | ||
Cisco Unified Communications Manager IM & Presence Service | CSCux80122 | COP files (Available) |
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
---|---|---|---|---|
2.1 | Updated information about the availability of fixed releases. | Affected Products - Vulnerable Products | Final | 2016-February-03 |
2.0 | Updated the information about vulnerable versions and fixed releases to reflect that 11.5(0) does not integrate a fix for this vulnerability: the code change addressing the vulnerability was removed from defect CSCuw87419 just prior to releasing 11.5(0) as it would result in on-premise connectivity issues for deployments using CUCM IM&P builds with limited cryptographic capabilities. New defects on all affected platforms have been opened to track the proper addressing of this vulnerability. | Affected Products - Vulnerable Products, Affected Products - Products Confirmed Not Vulnerable, Fixed Software | Final | 2016-January-18 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.