Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
To resolve the vulnerability, users must ensure that they have updated versions of the following:
- Cisco WebEx extensions for Google Chrome or Mozilla Firefox
- Cisco WebEx Desktop Applications
For the latest information about fixes for the following products, consult the appropriate Cisco bug ID:
The following subsections provide instructions for updating the Cisco WebEx browser extensions. Customers can allow their browsers to auto-update by launching the browser and keeping the browser window open for 3-6 hours, during which time the extensions will be auto-updated.
Should the browser window close before the auto-update check completes, the timer will reset, requiring a browser window to be launched at a later time and remain open for 3-6 hours to receive the update.
The Cisco WebEx extension for Google Chrome version 1.0.12 was released on July 13, 2017, and contains a fix for this vulnerability. Chrome users can ensure they are using the fixed version of the Cisco WebEx extension for Google Chrome by doing the following:
- In Chrome, click the menu button (three dots at the upper right of the application) and choose More Tools > Extensions.
- Check the Developer mode check box at the top of the extensions manager. Chrome will display a row of buttons.
- Click the Update extensions now button.
- Restart the Chrome browser.
The Cisco WebEx extension for Mozilla Firefox version 1.0.12 was released on July 12, 2017, and contains a fix for this vulnerability. Firefox users can ensure they are using the fixed version of the Cisco WebEx extension for Mozilla Firefox by doing the following:
- In Firefox, click the menu button (three horizontal bars at the upper right of the application) and choose Add-ons
- Click the Extensions tab
- Locate Cisco WebEx Extension in the list of extensions and click the More link to obtain the version information
- Click the cogwheel next to the search bar and choose Check for Updates
Microsoft Internet Explorer
Because there are shared components between the Google Chrome and Mozilla Firefox extensions and Internet Explorer, Internet Explorer users will be prompted to update Cisco WebEx plug-ins. The plug-ins are available as part of the Cisco WebEx client packages associated with each WebEx product, and will be available to download after a WebEx site has been upgraded to a fixed version. Upgraded clients are available from the Downloads section of each site after an upgrade has been performed. Users that connect to an upgraded site without the updated client software may be prompted to perform an online upgrade.
Customers may check that the browser plug-in upgrade was successful by using the following procedures for Microsoft Internet Explorer:
The registered name of the plug-in in Internet Explorer may differ based on the installation method used for the plug-in. The version of the plug-in depends on the version of Cisco WebEx that provided the update. The update may have been applied either via the web when joining a WebEx meeting or by a local update of the client via an MSI file. When a fixed version of the plug-in from any version of Cisco WebEx is installed, it will not be downgraded or changed to a version installed by a different fixed version of Cisco WebEx. Internet Explorer users can ensure they are using the fixed version of the plug-in for Internet Explorer by doing the following:
- In Internet Explorer, click the Tools button (the cog icon at the upper right of the application) and choose Manage add-ons.
- From the Show drop-down menu, choose All add-ons.
- Select either the Download Manager or GpcContainer Class add-on under Cisco WebEx LLC. The version number is displayed at the bottom of the Manage add-ons window.
- Validate that the Download Manager version or GpcContainer Class version displayed is one of the version strings in the following table:
| Cisco WebEx Major Version | Fixed GPC Container or Download Manager Version |
|---|---|

Validating Cisco WebEx Desktop Application Product Upgrades
Cisco has released fixes for all major versions of the Cisco WebEx Desktop Application for use with the following products:
- Cisco WebEx Meeting Center
- Cisco WebEx Event Center
- Cisco WebEx Training Center
- Cisco WebEx Support Center
- Cisco WebEx Meetings
| Cisco WebEx Major Version | Fixed Desktop Application Version |
|---|---|
| | 31.14.3, 31.11.11 |
| | 30.20.3, 30.9.3, 30.6.7 |
There are no fixes available for WBS29.
Current WebEx customers can confirm that their site has received updated software by reviewing the Application Version information in the Support section of their WebEx page. Perform the following steps to view this information:
- Sign in to your WebEx account
- Click the Meeting Center tab
- Under Support, click Downloads
- The Application Version is displayed on the right side of the screen under the About Meeting Center heading
If you have not automatically received the update, please contact Cisco Support or a Cisco partner.
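For auditing many endpoints or sites, the version checks above can be scripted. The following Python is an added example, not part of the Cisco advisory or any Cisco tool: it compares a reported version with the fixed releases listed in this advisory. The function names are hypothetical, and the rules that a fixed release covers later builds of its own major.minor train and that newer trains carry the fix are assumptions.

```python
import re

# Fixed releases as listed in the advisory, as integer tuples.
FIXED_EXTENSION = (1, 0, 12)          # Chrome and Firefox extensions
FIXED_DESKTOP = {
    31: [(31, 14, 3), (31, 11, 11)],
    30: [(30, 20, 3), (30, 9, 3), (30, 6, 7)],
}
NO_FIX_MAJORS = {29}                  # "There are no fixes available for WBS29."


def parse_version(text):
    """Extract the dotted numeric part, tolerating prefixes such as 'T' or 'WBS'."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group().split("."))


def extension_is_fixed(version):
    # Numeric comparison: as plain strings, "1.0.9" would sort after "1.0.12".
    return parse_version(version) >= FIXED_EXTENSION


def assess_desktop(version):
    """Classify a desktop application version against the advisory's table."""
    v = parse_version(version)
    if v[0] in NO_FIX_MAJORS:
        return "no-fix-available"
    fixed = FIXED_DESKTOP.get(v[0])
    if fixed is None:
        return "not-listed"
    # Assumption: a fixed release covers later builds of its own major.minor train.
    for release in fixed:
        if release[:2] == v[:2]:
            return "fixed" if v >= release else "update-required"
    # Assumption: trains newer than the highest listed fix also carry it.
    if v > max(fixed):
        return "fixed"
    return "unverified"


if __name__ == "__main__":
    for sample in ["T30.20.3", "31.11.10", "30.10.0", "29.13.1"]:  # constructed samples
        print(sample, assess_desktop(sample))
    print("extension 1.0.9 fixed:", extension_is_fixed("1.0.9"))
```

A result of "unverified" means the version falls in a train the advisory does not list, so it should be confirmed with Cisco Support rather than assumed fixed.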
The clients for all licensed features of a Cisco WebEx product must be upgraded to ensure compatibility with the deployed site application version. Upgrading a single client will resolve the vulnerability documented by CVE-2017-6753. The following clients are available:
- Cisco WebEx Meeting Center Client
- Cisco WebEx Event Center Client
- Cisco WebEx Training Center Client
- Cisco WebEx Support Center Client
- Cisco WebEx Access Anywhere Client
- Cisco WebEx Remote Access Client
Cisco WebEx Meetings
Cisco has released a fix for Cisco WebEx Meetings. Cisco WebEx Meetings Software has been upgraded to T30.20.3.
Cisco WebEx Meetings Server
Customers who have deployed Cisco WebEx Meetings Server, the onsite Cisco WebEx offering, can download updated software at https://software.cisco.com/download/navigator.html?mdfid=282628019&flowid=76922 or choose the following options from the Cisco Software Center: Products > Conferencing > Web Conferencing > WebEx Meetings Server
It is recommended that customers utilizing Cisco WebEx Meetings Server version 2.6 migrate to Cisco WebEx Meetings Server 2.7 or later. The following releases of Cisco WebEx Meetings Server have been updated to address this vulnerability:
- WebEx Meetings Server 2.6MR3 Patch 5
- WebEx Meetings Server 2.7MR2 Patch 9
- WebEx Meetings Server 2.8 Patch 3