- Re: Polycom VVX 311 jquery vulnerability at software level 6...

06-26-2024 08:04 AM
We're seeing an old jQuery version of 1.4.4 getting hit with CVE-2020-11022 and CVE-2020-11023 on network scans with our Polycom VVX311 phones, currently at software level 6.3.1.11465. Everything that I have found shows that these vulnerabilities were resolved in earlier versions of software such as 5.9.x.x. Genesys Cloud support shows that this is their latest approved version of your software, so I cannot currently update the phone manually to any other version. Should 6.3.1.11465 show this version of jQuery? Where do I go from here?
06-26-2024 08:39 AM
Hello @Bnoon Welcome to the Poly HP Support Community.
Due to limited support, I would request that you contact HP Support, and our support engineers should be able to sort this out. HP Support can be reached by clicking on the following link:
https://support.hp.com/us-en/poly
Please contact us here anytime you need any further assistance.
I hope this helps! Keep me posted for further assistance. If you find the information provided useful or it solves your problems, help other users find the solution more easily by giving Kudos/Thumbs Up and marking my post as an Accepted Solution.
Regards,
Meghana
Have a great day!
06-26-2024 09:17 AM
Hello @Bnoon,
welcome to the HP Poly community.
You would need to contact Genesys as they approve our software. Considering we are already on UC Software 6.4.6 for VVX, you are running an outdated release.
The 1st Gen VVX phones have UC Software 5.9.8 as the latest build.
Best Regards
Steffen Baier
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom, please open a service ticket through your support channels.
For HP products please check HP Support.
Please also ensure you always check the General VoIP, Video Endpoint, UC Platform (Microsoft), PSTN
06-26-2024 09:29 AM
Steffen, you mention that first gen VVX phones should be running 5.9.8. Is this a first gen phone since it uses the legacy RFC 1035 host name format of Polycom_<MacAddress>? I have the MAC address of the phone, but I cannot find the serial number in the config web page of the phone anywhere if that's not considered the serial number... that's why I have not opened a case with HP support as of yet. It will not accept the MAC as the serial number to start a case.
06-26-2024 09:52 AM - edited 06-26-2024 09:54 AM
Hello @Bnoon
Legacy VVX is VVX without the 1 in the model name aka VVX 500, 600, etc. and not a current VVX like the VVX 501, 601 etc. The 311 you have is a "current" VVX and not a legacy VVX.
EDIT: legacy can only run a maximum of 5.9.x, current VVX run 6.x.x
From the FAQ again:
Oct 7, 2011 Question: What PVOS, SIP, or UC, or Obi Edition Software version or Updater / BootROM Version is supported by my Phone?
Resolution: Please check => here <=
I am unsure why you would open a ticket with HP Poly as Genesys needs to approve a currently supported software and not run a year-old software.
Try to upgrade to a currently supported version, re-run the scan, and then work with Genesys support.
Best regards
Steffen Baier
06-26-2024 10:15 AM
I tried to run the current software but it did not upgrade. When I asked Genesys to update to the latest, they said they're on their latest approved version and asked me to contact Polycom support. I will go back to them with your recommendation to approve the latest version. Thank you.
07-01-2024 08:35 AM
Can anyone confirm that we should be seeing these jQuery issues on software 6.3.1.11465 though? This software level came out well after those CVEs were supposedly resolved on previous versions of software. I would not expect CVEs resolved in 2020 to still be showing up, but they are...
07-01-2024 08:58 AM
Hello @Bnoon,
welcome back to the HP Poly community.
Using a currently supported version you should not see this. UC Software 6.4.6 or for legacy VVX phones 5.9.8 is a supported version.
If you still have a report on these please open a ticket with HP Poly Support. Details are in my signature.
Best Regards
Steffen Baier
07-03-2024 06:23 AM
I understand that 6.4.6 should not see the jQuery finding. My question is: Should I be seeing the jQuery finding on 6.3.1 that is currently on the phones? From looking at the CVE history, that jQuery finding should have been resolved a few years before 6.3.1 even came out. I've asked Genesys to upgrade their version of software on these phones, but their process takes a long time to go through approvals/trials/etc, and I just need answers at this point to satisfy our security procedures.
07-03-2024 06:34 AM - edited 07-24-2024 01:12 PM
Is there a way to get the serial number from the web interface in order to open a ticket? The MAC address is not allowing me through to open the ticket, and neither is the Part Number.
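For triaging the scan finding discussed in this thread, the following added example (not from any poster, HP Poly or Genesys) reads the version a saved copy of a device's jQuery file declares and compares it with 3.5.0, the jQuery release that fixed both CVE-2020-11022 and CVE-2020-11023. All function names and the sample strings are hypothetical and constructed for illustration; the input is assumed to be the text of a jQuery file you have saved from the phone's web interface.

```python
import re

# jQuery release that fixed both CVE-2020-11022 and CVE-2020-11023.
FIXED_IN = (3, 5, 0)
CVES = ["CVE-2020-11022", "CVE-2020-11023"]

# Places a jQuery build states its version: the long comment banner, the
# short minified banner, and the in-code `jquery: "x.y.z"` property that
# older builds such as 1.4.4 carry even when comments are stripped.
PATTERNS = [
    re.compile(r"jQuery JavaScript Library v(\d+(?:\.\d+){1,2})"),
    re.compile(r"/\*!?\s*jQuery v(\d+(?:\.\d+){1,2})"),
    re.compile(r"""\bjquery\s*:\s*["'](\d+(?:\.\d+){1,2})["']"""),
]

# Constructed sample inputs (not captured from a phone).
SAMPLE_OLD = '/*!\n * jQuery JavaScript Library v1.4.4\n */\nvar p={jquery:"1.4.4"};'
SAMPLE_NEW = "/*! jQuery v3.5.0 | (c) JS Foundation and other contributors */"
SAMPLE_MIXED = '/*! jQuery v3.5.0 */ var p={jquery:"1.4.4"};'

def parse_version(text):
    """'1.4' -> (1, 4, 0) so versions compare as integer tuples."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def find_jquery_versions(js_source):
    """Return each distinct version string the file declares, in order found."""
    found = []
    for pattern in PATTERNS:
        for match in pattern.finditer(js_source):
            if match.group(1) not in found:
                found.append(match.group(1))
    return found

def triage(js_source):
    """Classify the file against the fixed release for both CVEs."""
    versions = find_jquery_versions(js_source)
    if not versions:
        return {"status": "no-jquery-banner", "versions": [], "cves": []}
    below = [parse_version(v) < FIXED_IN for v in versions]
    if all(below):
        status = "affected-by-version"
    elif any(below):
        status = "mixed"  # banner and code disagree: review the file by hand
    else:
        status = "fixed-by-version"
    cves = CVES if any(below) else []
    return {"status": status, "versions": versions, "cves": cves}
```

The result reflects only the version string the file declares, which is also what a version-matching network scanner reports; it does not show whether the file's code was changed without the banner being updated.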