Security and Hot Fix Policy
Cisco closely monitors security bulletins from Microsoft and evaluates them based on the impact to Cisco CallManager and other IP telephony applications.
When Microsoft posts a security patch, Cisco determines whether the patch affects applications and operating system components in Cisco CallManager and applications that share the same operating system installation process. Cisco then tests the relevant patches to verify correct operation with Cisco applications. This is a list of applications and operating system components that might be affected by a patch:
- Microsoft Windows 2000 Server (including any Windows component or subcomponent installed by Cisco)
- Microsoft Internet Information Server (IIS)
- Microsoft Internet Explorer
- Microsoft Structured Query Language (SQL) Server 2000
Caution
The operating system upgrades provided by Cisco are not the same as upgrades provided by Microsoft. The operating system upgrades and patches provided by Cisco are tailored for IP telephony applications. If a Microsoft service pack (SP) or hot fix is installed for the Cisco IP Telephony Operating System, the applications running on the Cisco IP Telephony Operating System might be adversely affected.
The security patch and hot fix policy for Cisco CallManager specifies that any applicable patch deemed Severity 1 or Critical must be tested and posted to Cisco.com within 24 hours as a hot fix. All other applicable patches are consolidated and posted once a month as incremental service releases. The following e-mail notification tools, which provide automatic notification of new fixes, operating system updates, and patches for Cisco CallManager and associated products, are also available:
- Cisco CallManager Notification Tool: This e-mail service provides automatic notification of new fixes, operating system updates, and service releases that are available for Cisco CallManager and related products, including Cisco CallManager Attendant Console, Cisco IP Manager Assistant (IPMA), and Bulk Administration Tool (BAT). To subscribe, go to http://www.cisco.com/cgi-bin/Software/Newsbuilder/Builder/VOICE.cgi and follow the instructions on the web page.
- Cisco Product Security Incident Response Team (PSIRT) Advisory Notification Tool: This e-mail service provides automatic notification of all Cisco security advisories released by Cisco PSIRT. Advisories that describe security issues that directly impact Cisco products provide a set of actions required to repair these products. To subscribe, go to http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html and follow the instructions on the web page.
Note
The Cisco IP Telephony Operating System configuration and patch process does not currently allow an automated patch-management process.
Operating System Hardening