<Past |
Future> |
1.0.0 |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
1.0.1 |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
1.0.2 |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
1.0.3 |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
1.0.4 |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
1.0.5 |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
1.0.6 |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
Prohibited |
1.0.7 |
Divest [2, 3, 4, 5, 6] |
Divest [2, 4, 5, 7, 8] |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
1.1.0 |
Divest [2, 3, 4, 5, 6] |
Divest [2, 4, 5, 7, 8] |
Divest [2, 4, 5, 8, 9] |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
1.3.0 |
Approved w/Constraints [2, 3, 4, 5, 6] |
Divest [2, 4, 5, 7, 8] |
Divest [2, 4, 5, 8, 9] |
Divest [2, 4, 5, 8, 9] |
Divest [2, 4, 5, 8, 9] |
Divest [2, 4, 5, 8, 9] |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
1.5.0 |
Unapproved |
Unapproved |
Approved w/Constraints [2, 4, 5, 8, 9] |
Approved w/Constraints [2, 4, 5, 8, 9] |
Approved w/Constraints [2, 4, 5, 8, 9] |
Approved w/Constraints [2, 4, 5, 8, 9] |
Approved w/Constraints [2, 4, 5, 8, 9] |
Divest [2, 4, 5, 8, 10] |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
1.9.0 |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Approved w/Constraints [2, 4, 5, 8, 10] |
Approved w/Constraints [2, 5, 8, 10, 11] |
Approved w/Constraints [2, 5, 8, 10, 11] |
Approved w/Constraints [2, 5, 8, 10, 11] |
Approved w/Constraints [2, 5, 8, 10, 11] |
2.0.4 |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
| | [1] | Per the Initial Product Review, the following constraint must be followed:
A vulnerability in Cisco WebEx browser extensions could allow an unauthenticated remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center) when they are running on Microsoft Windows. Auto updates: Check is not enabled in the VA Group Policy, as ITOPS, Endpoint Engineering manages updates to Google Chrome. Cisco WebEx Extension for Google Chrome version 1.0.7 was released on January 26, 2017, and contains a fix for this vulnerability. Any versions prior to this release must not be used within the VA`s secured network infrastructure. In accordance with National Institute of Standards and Technology (NIST) SP 800-53 and SP 800-70, Information Security is an important business process that must be considered in all phases of the acquisition process to ensure data and information technology (IT) systems are adequately protected against risk of loss, misuse, and unauthorized access. In accordance with FISMA, government information or government IT systems require compliance with the agency IT Security Policy. All information technology acquisitions must meet the requirements outlined in the Federal Acquisition Regulation (FAR) Part 39.101 (d) policy ensuring the use of common security configuration checklists in the management of risk. | | [2] | Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISO can provide assistance in reviewing the NIST vulnerabilities. | | [3] | Due to potential information security risks, cloud based technologies may not be used without the approval of the Enterprise Cloud Solution Office (ECSO). This body is in part responsible for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised. (Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102). | | [4] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | [5] | Users should check with their supervisor, Information Security Office (ISO) or local OIT representative for permission to download and use this software. Downloaded software must always be scanned for viruses prior to installation to prevent adware or malware. Freeware may only be downloaded directly from the primary site that the creator of the software has advertised for public download and user or development community engagement. Users should note, any attempt by the installation process to install any additional, unrelated software is not approved and the user should take the proper steps to decline those installations. | | [6] | Per the Initial Product Review, the following constraint must be followed:
A vulnerability in Cisco WebEx browser extensions could allow an unauthenticated remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center) when they are running on Microsoft Windows. Auto updates: Check is not enabled in the VA Group Policy, as ITOPS, Endpoint Engineering manages updates to Google Chrome. Cisco WebEx Extension for Google Chrome version 1.0.7 was released on January 26, 2017, and contains a fix for this vulnerability. Any versions prior to this release must not be used within the VA`s secured network infrastructure. In accordance with National Institute of Standards and Technology (NIST) SP 800-53 and SP 800-70, Information Security is an important business process that must be considered in all phases of the acquisition process to ensure data and information technology (IT) systems are adequately protected against risk of loss, misuse, and unauthorized access. In accordance with FISMA (Federal Information Security Management Act), government information or government IT systems require compliance with the agency IT Security Policy. All information technology acquisitions must meet the requirements outlined in the Federal Acquisition Regulation (FAR) Part 39.101 (d) policy ensuring the use of common security configuration checklists in the management of risk.
This product may only be used to join web based conferences scheduled by non-organization users (e.g. vendor partners).If the software is left installed on a system after use, it must be patched on a regular basis and upgraded to comply with TRM approved versions. | | [7] | Per the Initial Product Review, Cisco WebEx Extension for Google Chrome version 1.0.7 was released on January 26, 2017, and contains a fix for this vulnerability. Any versions prior to this release must not be used within the VA`s secured network infrastructure.
Use of this technology is limited to JOINING external web-based training sessions scheduled by non-organization users (e.g. vendor partners). VA users must leverage the organization`s preferred teleconferencing solution, Skype for Business (Formerly Microsoft Lync), for internal hosted conferences. VA has selected Skype for Business as its preferred teleconferencing solution. No waiver or review is required for JOINING Cisco WebEx Extension meetings.
Any use of this technology to host a VA event must be authorized by a Strategic Technology Alignment Team (STAT) waiver. There are no exceptions to the required waiver process for any reason. The STAT Board must seek guidance and/or approval from the Enterprise Security Change Control Board (ESCCB) as needed when a waiver is granted to host conferences. | | [8] | Browser plug-ins and extensions may only be installed by VA IT Operations (ITOPS) and must be used with official VA browser installation packages that are managed by ITOPS. For installation, contact the National Service Desk [Mail Group: National Service Desk - Austin]. Browser extensions must be kept up to date with security patches and enhancements. | | [9] | Use of this technology on the VA network is limited to JOINING external web-based training sessions scheduled by non-organization users (e.g. vendor partners) until a full deployment of this technology is acquired.
Once the Software-as-a-Service (SaaS) implementation is in place, the SaaS must be used through a provided link directing the user to the FedRAMP platform, and it may be used to host meetings.
No other platform outside of the approved VA FedRAMP solution is authorized for hosting conferences.
Per the Initial Product Review, Cisco WebEx Extension for Google Chrome version 1.0.7 was released on January 26, 2017, and contains a fix for this vulnerability. Any versions prior to this release must not be used within the VA`s secured network infrastructure. | | [10] | Use of this technology must schedule new meetings through a VA provided link directing the user to the FedRAMP platform supported by VA, and it may be used to host meetings through the VA supported service.
No other WebEx platform outside of the approved VA FedRAMP solution is authorized for hosting VA WebEx conferences.
Per the Initial Product Review, Cisco WebEx Extension for Google Chrome version 1.0.7 was released on January 26, 2017, and contains a fix for this vulnerability. Any versions prior to this release must not be used within the VA`s secured network infrastructure. | | [11] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. |
|
Note: |
At the time of writing, version 2.0.4 is the most current version, released 07/22/2022. |