Yesterday morning, December 13, 2021, we issued a security advisory regarding a critical severity CVE that impacted an Apache library (Log4j 2) and anything which used this. This includes Elasticsearch (ES). Elasticsearch is a component within VQ Conference Manager.

We got to work in-house testing to better understand the issue, its implications and the impact it has on VQCM VMs. One of the conclusions from this analysis and testing was that it would be non-trivial for the CVE to be successfully exploited because of VQCM’s logging architecture. Especially for an external facing attacker.

Whilst this gives a degree of assurance, we strongly recommend customers apply a mitigation script we have created. The script follows mitigation advice from Elasticsearch. Details of how to get the script and how to run it can be found below.

In addition, Elasticsearch will be producing a new version of Elasticsearch (7.16.1) which removes the affected module. VQCM 3.9 is due mid-January and will contain Elasticsearch 7.16.1.

Our guidance is:

• Download and apply the mitigation script as soon as possible.
• Plan on upgrading to VQCM 3.9 in January (due 1/17/2022)
• Minimize public internet exposure wherever possible. If you do need to expose a public service, ensure only HTTPS ports are open and use a reverse proxy or equivalent.

Downloading and installing the mitigation script

Please note this script will bring the system down, so it is recommended to be run out of working hours. 

• Navigate to the https://www.vqcomms.com/resources/ page, log in and download the “log4j2-cve.zip” file from the “CVE-2021-44228 Mitigation Script” category.
• Enable SSH from the CM-Admin page (port 1234) under the “Start / Manage / SSH Access” section, and create an SSH user if you don’t already have one (Note: SSH is enabled if the button shows “Disable SSH access”).
• Using WinSCP or SCP, copy the “log4j2-cve.zip” file on the VQCM Virtual Machine (VM), under the home directory of your SSH user.
• Open an SSH session using Putty (or similar tool) with the VQCM VM, authenticating with the same SSH user.
• Run the following commands:
  • unzip log4j2-cve.zip
  • chmod +x log4j2-cve.sh
  • sudo ./log4j2-cve.sh

• This command will ask you for your password to escalate privileges, this is the same password as the SSH user you are logged in as.
• The tool will run for a moment (10-15 mins, could be more depending on how much data your system has). If it runs successfully to the end, it will output “SUCCESS the mitigation has been applied“:

PLAY RECAP **********************************************************************************************************************************************************************************************************************************************************************************************************************

localhost                  : ok=13   changed=7    unreachable=0    failed=0    skipped=8    rescued=0    ignored=0

All pods are running, exiting

usename

———-

postgres

(1 row)

ALTER ROLE

~~~

SUCCESS the migitation has been applied

~~~

If you see the SUCCESS message, the mitigation has been applied successfully. If you see the “ERROR the mitigation was NOT applied“, please contact VQ support at support@vqcomms.com, with as much information as possible.

Which versions of VQ can I use the mitigation script with? 

Versions 3.6, 3.7 and 3.8; please run the mitigation script.

For 3.x versions 3.5 and below, please contact support@vqcomms.com.

Regards

The VQ team

Here we are about to press the ‘go’ button again on a new VQ Conference Manager release.

VQ Conference Manager 3.8 is very personal for me. We finally got to the point where we addressed some of my personal pet peeves. I’m delighted to say I’m really pleased with how it looks.

Let’s start with what customers are asking for: a solution that enables them to deliver conferencing services on CMS (call quality/experience, interoperability, scale and media security) that gives a user experience similar to the cloud based offerings. TMS customers are looking for a TMS replacement that addresses their OBTP, Directory Services and Device Management needs.

Then let’s throw in my pet peeves:

1.      It was difficult to find a soft client that worked consistently and well. There was also the challenge that we wanted to use one that we knew all our customers could use. We really needed a great soft client that shipped with every CMS that didn’t rely on a cloud based service.

2.      It was too difficult to share join details with the people I wanted to have calls with. It was embarrassing how many times I had people ask me to send them the details for their space/meeting so the people they wanted to meet could join their call.

VQ Conference Manager 3.8.0 and CMS 3.3 come together really nicely. Add Expressway with MRA and Web App works incredibly well; it gives us a client that ships with every CMS and VQCM’s new “Home” coApp makes it really easy to get the join details for a Space or Meeting. From the VQ UI, you can click Join for click to call ‘ease of join’. Sharing the details is a breeze; preview them or simply copy them and paste them into a mail, slack or meeting appointment.

What I really like is that in about 4 clicks, I can get the details for a Role on a Space (or meeting), copy and paste it into an email, send it out to people and then have them join from wherever they are – room system, soft client or out on the road, from their iPhone. It’s especially satisfying joining a call either via the Web App or Webex client from my phone – I still have that sense of disbelief how good the video is and I can do it from wherever I have Wi-Fi or 4G.

The results are sensational. I’m completely sold and have been loving the experience.

Activity got a pretty major rework and looks really good for it. Active Speaker now works across all call types. Recurring Meetings got some love and now support irregular patterns and a selectable end date (how did we miss that the first time around)?

Other ‘make my life easier’ functionality includes the addition of Local Users for those of us without AD/LDAP.

On the theme of ‘make my life easier’ – system installers will love the certificate management changes now in CM-Admin. Trusted certs, cert chain editor along with issuer labels and the ability to paste certs. Ansible playbooks start to appear with CMS backup playbooks and one for CMS certificate renewal.

VQ Conference Manager 3.8.0 paves the way for two follow-on releases:

·         VQCM 3.8.1 adds Pane Placement and more filtering of Meeting Lists (e.g., relative dates)

·         VQCM 3.8+ adds One Button To Push. 

VQCM 3.8.1 is currently planned for the January 2022 time frame; VQCM 3.8+ will be made available as an update to VQCM 3.8.0. No dates yet for 3.8+; we’re hoping sooner rather than later.

For all the details, please read the release notes available from the vqcomms.com (Menu->VQ conference Manager->release notes).

We’re really pleased with how it looks and we hope you like it too.

Keep up to date with the latest VQ news, join our ‘Ask VQ’ Webex Space

VQCM 3.7 is now available to download and we think you’ll like it.

Here’s what’s new…

• Active Speaker indications for Scheduled Meetings
• People in Lobby indicators
• Meeting List filters
• Duplication/Cloning of LDAP Configs, UX Profiles, Space Templates, Email Templates
• Automatic Gain Control on Space Template Roles
• System use Terms and Conditions pre-login message
• Refinements to Elasticsearch data collection for CMS syslogs and Expressway syslogs, call data records and metric data; early adopter program extended
• Public API early adopter program
• Ansible CMS provisioning automation early adopter program

The API, Ansible CMS Provisioning and expanded Elasticsearch data collection from CMS/Expressway features are examples of how VQ starts to evolve into becoming a platform for UC solutions; more is coming and we’re very pleased to be making the first steps.

For the details, please see the vqcomms.com customer portal under knowledge base/release notes.

For customers wary of updating to the latest 3.7 release, now’s a good time to consider updating to VQCM 3.6.1. It’s been in the field now for about 3 months and is performing extremely well.

If you would like to be part of one of our early adopter programs, please email support@vqcomms.com

Please contact support@vqcomms.com to arrange installs or upgrades.

VQ’s simple licensing model aligns with Cisco’s models for CMS, accessible via  the Cisco Global price list and available to purchase via your usual Cisco Partner.

The purpose of this article is to explain our licensing model and a couple of small changes we have made effective 6^th March 2021.

At VQ we have kept our licensing model simple; we made the decision to align our licensing to match Cisco’s for Cisco Meeting Server (CMS). As VQ Conference Manager (VQCM) is a platform for the management of CMS, we match the Cisco “buying models”. There are now three options:

1. Enterprise Agreement (EA)
2. Active User (AU)
3. Named User (or al a carte PMP & SMP licensing)

As you may know VQCM is available to purchase via your usual Cisco Partner. If you are a Cisco Partner you know how to get quotes for all things Cisco already – VQ is available in exactly the same way as any Cisco product.

The changes I mentioned are threefold.

1. Addition of the AU model – more on this in a bit.
2. Realignment of the EA price tiers and entry point.
   Up until this change, the VQCM entry point for an EA was 5,000 users (Knowledge Workers, a term to be discussed shortly). As the Cisco Flex Plan and CMS subscription both have an entry point of 250 Knowledge Workers, we have moved our EA entry point to match the price tiers in the Flex Plan pricing (if using the CMS Subscription rather than Flex there are no price tiers – but you still get them with VQCM).

Enterprise Agreement	Previous Model	New Model
Tier 1	5000-9999	250-1999
Tier 2	10000-19999	2000-9999
Tier 3	20000-39999	10000+
Tier 4	40000+

3. Realignment of the PMP & SMP al a carte pricing, or named user pricing, to align with the Flex plan.

As per the EA, there is no tiering in the CMS subscription; it is a flat rate. Our price tiers now align with the Flex Plan.

PMP	Previous Model	New Model
Tier 1	1-499	1-249
Tier 2	500-999	250+
Tier 3	1000-4999
SMP
Tier 1	1-24	1-24
Tier 2	25-49	25+
Tier 3	50+

This is starting to sound complicated, but it is quite simple. However you purchase your CMS licensing, you use the same model for VQCM. The table below shows how they match up.

CMS Model	VQ Model
CMS Subscription PMP & SMP	PMP & SMP
CMS Enterprise Agreement	Enterprise Agreement
Flex Plan Named User	PMP & SMP
Flex Plan Active User	Active User
Flex Plan Enterprise Agreement	Enterprise Agreement

VQ Conference Manager Options

I have been asked recently by a couple of customers whether they could just buy elements of the VQ Conference Manager platform; the answer was a polite no. The Outlook Add-In is an option, but cannot work without the VQCM platform, and without the VQCM platform there would be no data for Analytics model to present.

So, once we know the purchasing model, there are a total of 3 additional options on top of the licensing model

1. Do you want to use one of the three end user applications?
   Either the Outlook Add In, Jabber Add In, or iOS app
2. Do you want to use more than one of these apps? If so, they come as a pack with all three included.
3. Do you require the advanced functionality within the VQ Analytics?

The purchasing of these works in largely the same way as the VQCM platform. If you are subscribing to an EA or an Active User model, then you buy the apps in the same quantity. If you are buying al a carte we license here on a per user basis as it is a user tool – so if you are buying 20 SMP licenses you need to know how many users will need the App or App’s you plan to deploy.

The advanced analytics is licensed on a per VQCM node basis; for now, most customers are single node but as we move to High Availability it will be necessary to license each node in the environment. Please contact us to discuss your plans so we can advise you on this.

Named User, Active User or Enterprise Agreement?

Determining the appropriate buying model for VQCM, as I have discussed relates to the the buying model for CMS. This is a process that your Cisco partner would usually model out and compare options to present the costs and benefits of one route vs another. They should include VQCM in this modelling and we are happy to work with you or your partner in building out these options.

Typically for smaller environments the al la carte model works out best. Where there are over 250 knowledge workers in the company and you want to provide services to the whole (or significant part of) an organization then the Active User or Enterprise Agreements work are a great option.

For an Enterprise Agreement, once we know the Knowledge Worker count, your Cisco partner can easily produce a quote for an Enterprise Agreement.

The Active User model for VQCM is only applicable in an environment where the customer has an Active User Flex Plan with on-premise meetings or as we know it, CMS included.

In this environment we again match the number of Active Users on the Flex plan, and we align with the True Forwards methodology for determining future licensing.

The VQCM Active User buying model, is subject to a True Forward process; an annual review to ensure the KW and AU numbers are correct for the following year. It is vital that the VQCM subscription is updated for licensing to remain in compliance when the Cisco True Forward is carried out.

The content of this article is intended for end user organisations, providing some context to the licensing model choices for VQCM. The determination of the most appropriate CMS licensing model for your organization is something that should be discussed with your Cisco partner or with your Cisco account manager.

VQ Communications are happy to help Cisco partners and Cisco employees with building out the correct licensing options for VQ.

Feel free to fire your questions to info@vqcomms.com or join the AskVQ Webex space at https://eurl.io/#1IrlwmHkN

Steve Holmes, 15^th March 2021

---

Cisco License definitions

I hope this has been helpful so far; the complicated bit is coming up. As we align to the Cisco models, we also tie up with their terminology and definitions. This is supporting information about Cisco licensing models rather than being specifically relevant to VQ licensing.

The two things to cover in this section are the definition and calculation of Knowledge Works and Active Users.

PMP (or Named Users) and SMP licensing is simple – how many people do you want to be able to schedule calls, or to share a pool of licenses.

Enterprise and Active User agreements, however, use the terminology Knowledge Workers, and in the case of the Active User model what defines an Active User must be understood.

Cisco’s definition of a Knowledge Worker is important, and they define it here:

They go on to say:

An employee means number of full or part-time employees, a contractor means a non-employee who works under your control and has access to your systems.

A device means a computing or communications device capable of running software, or browser plugins. This would include a desk phone, mobile device, computer, tablet or video device.

Therefore, the Knowledge Worker count is simply the number of employees or contractors that utilize a computer, tablet or phone in the course of their duties.

The purpose of defining this here is to explain that the definition of a Knowledge Worker to VQ is the same as it is to Cisco. These calculations are required to license CMS in the first place; the VQ licensing as I have said before just matches back to Cisco’s.

Cisco also define some best practices for counting the number of Knowledge Workers in an organisation:

There are exceptions to these rules, in shared role positions such as reception or service desks, and shift working environments such as manufacturing and nursing environments.

There is a Cisco document that this information has been taken from which should be read in full for the determination of an organizations Knowledge Worker count.

See “Cisco – Knowledge Worker Definition and EUIF” available on the Cisco website or via your search engine of choice.

The Active User license model provides your entire organization with access to Flex Plan Meetings, in this case on-premise meetings on CMS.

The AU Model price tier is based on the same thresholds as the EA, but you only pay for the number of anticipated Active Users. This may increase during the contract term as your organization grows or the number of meetings increases. There is a minimum threshold of 15% of the KW count, or 40, which-ever is higher.

So, the minimum sizing for a Flex Plan is 250 KW’s and 40 AU’s.

The definition of an Active User is someone who schedules or creates a conference on CMS once within any given month.

The Cisco Active User Flex Plan are subject to a True Forward process

This is a mechanism to catch up the paid for licensing to match the current usage requirements.

The True Forward is a Cisco defined process and measures the average number of Active Users, and the number of deployed Knowledge Workers. This is an annual activity. For example, on a three year contract a true forward calculation would be performed prior to year 2 and 3 to ensure the license usage being paid for is not lower than the number of Active Users and/or Knowledge Workers.

An average of the Active Users is taken across months 9, 10 and 11 and is used to determine whether an increase is required prior to the anniversary of the agreement.

The Cisco licensing requirements are a topic that should be discussed with your Cisco partner or Cisco Account Manager to determine the most appropriate model and to secure pricing, the information provided here is for advice and guidance only.

Steve Holmes, 15^th March 2021