===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0532.2
                   Vulnerabilities in CuOM and CiscoWorks
                                 23 May 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Unified Operations Manager
                   CiscoWorks Common Services
Publisher:         Cisco Systems
Operating System:  Cisco
                   Windows
                   Solaris
Impact/Access:     Cross-site Scripting             -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands  -- Remote/Unauthenticated
                   Access Confidential Data         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0959 CVE-2011-0960 CVE-2011-0961
                   CVE-2011-0962 CVE-2011-0966

Original Bulletin:
  http://tools.cisco.com/security/center/viewAlert.x?alertId=23085
  http://tools.cisco.com/security/center/viewAlert.x?alertId=23086
  http://tools.cisco.com/security/center/viewAlert.x?alertId=23087
  http://tools.cisco.com/security/center/viewAlert.x?alertId=23088
  http://tools.cisco.com/security/center/viewAlert.x?alertId=23089

Comment: Software update for ID 23089 is not currently available.

Revision History:  May 23 2011: Added CVE references
                   May 19 2011: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Hello,

This is the Cisco PSIRT response to the vulnerabilities that were discovered and reported to Cisco Systems by Brett Gervasoni of Sense of Security, regarding multiple vulnerabilities in Cisco Unified Operations Manager (CuOM). We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.
These vulnerabilities are documented in the following Cisco bug IDs and Intellishield vulnerability alerts:

* CSCtn61716: XSS and SQL Blind Vulnerabilities in Cisco Unified Operations Manager
  Intellishield vulnerability alerts:
    SQL Blind Injection:      http://tools.cisco.com/security/center/viewAlert.x?alertId=23085
    CuOM XSS Vulnerabilities: http://tools.cisco.com/security/center/viewAlert.x?alertId=23086

* CSCto12704: Reflected Cross Site Scripting into ServerHelpEngine servlet
  Intellishield vulnerability alert:
    http://tools.cisco.com/security/center/viewAlert.x?alertId=23088

* CSCto12712: XSS vulnerability in CuOM Device Center
  Intellishield vulnerability alert:
    http://tools.cisco.com/security/center/viewAlert.x?alertId=23087

* CSCto35577: Directory Traversal vulnerabilities in CWHP
  Intellishield vulnerability alert:
    http://tools.cisco.com/security/center/viewAlert.x?alertId=23089

Information related to affected software versions and fixed software is available in the published Intellishield vulnerability alerts and the Cisco Bug ID release note enclosures.

Cisco PSIRT

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================