-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.3182
      Vulnerability in Java Deserialization Affecting Cisco Products
                             21 December 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco products
Publisher:         Cisco Systems
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Mobile Device
                   Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-6420  

Original Bulletin: 
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability in Java Deserialization Affecting Cisco Products

High

Advisory ID:

cisco-sa-20151209-java-deserialization

Last Updated:

2015 December 18 13:26 GMT

Published:

2015 December 9 16:00 GMT

Version 1.4:

Interim

Workarounds:

No workarounds available

CVE-2015-6420

CWE-20

Summary

    A vulnerability in the Java deserialization used by the Apache Commons 
Collections (ACC) library could allow an unauthenticated, remote attacker to 
execute arbitrary code.

    The vulnerability is due to insecure deserialization of user-supplied 
content by the affected software. An attacker could exploit this vulnerability
by submitting crafted input to an application on a targeted system that uses 
the ACC library. After the vulnerable library on the affected system 
deserializes the content, the attacker could execute arbitrary code on the 
system, which could be used to conduct further attacks.

    On November 6, 2015, Foxglove Security Group published information about a
remote code execution vulnerability that affects multiple releases of the ACC
library. The report contains detailed proof-of-concept code for a number of 
applications, including WebSphere Application Server, JBoss, Jenkins, OpenNMS,
and WebLogic. This is a remotely exploitable vulnerability that allows an 
attacker to inject any malicious code or execute any commands that exist on 
the server. A wide range of potential impacts includes allowing the attacker 
to obtain sensitive information.

    Object serialization is a technique that many programming languages use to
convert an object into a sequence of bits for transfer purposes. 
Deserialization is a technique that reassembles those bits back to an object.
This vulnerability occurs in Java object serialization for network transport 
and object deserialization on the receiving side.

    Many applications accept serialized objects from the network without 
performing input validation checks before deserializing them. Crafted serialized
objects can therefore lead to execution of arbitrary attacker code.

    Although the problem itself is in the serialization and deserialization 
functionality of the Java programming language, the ACC library is known to be
affected by this vulnerability. Any application or application framework could
be vulnerable if it uses the ACC library and deserializes arbitrary, 
user-supplied Java serialized data.
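    One defensive pattern for the problem described above, as an added example that
is not code from Cisco, Apache Commons or the advisory: an ObjectInputStream
subclass that accepts only allowlisted classes and refuses dynamic proxies, so an
unexpected class in untrusted input is rejected when its class descriptor is read,
before any of its deserialization callbacks run. The Heartbeat message type, the
allowlist contents and the sample inputs are assumptions constructed for
illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

// Added example (not Cisco's or Apache's code): deserialize untrusted bytes
// only into classes on an explicit allowlist, rejecting anything else in
// resolveClass(), before the incoming class's own readObject() can run.
public final class AllowlistObjectInputStream extends ObjectInputStream {

    // Hypothetical message type this receiver expects on the wire.
    public static final class Heartbeat implements Serializable {
        private static final long serialVersionUID = 1L;
        final String nodeId;
        final long sentEpochMillis;
        Heartbeat(String nodeId, long sentEpochMillis) {
            this.nodeId = nodeId;
            this.sentEpochMillis = sentEpochMillis;
        }
    }

    // The only classes untrusted input may materialise (assumed for this example).
    private static final Set<String> ALLOWED =
            Set.of(Heartbeat.class.getName(), "java.lang.String");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // The rejected class name is the signal worth logging and alerting on.
            System.err.println("deserialization rejected, class not allowlisted: " + name);
            throw new InvalidClassException(name, "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces)
            throws IOException, ClassNotFoundException {
        // Dynamic proxies are never part of this protocol; refuse them outright.
        throw new InvalidClassException("java.lang.reflect.Proxy", "proxies not accepted");
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readUntrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a legitimate message round-trips.
        Heartbeat hb = (Heartbeat) readUntrusted(serialize(new Heartbeat("node-7", 1449676800000L)));
        System.out.println("accepted Heartbeat from " + hb.nodeId);

        // Constructed sample 2: the outermost object is a type this receiver never
        // expects (a HashMap stands in); it is refused at its class descriptor.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        try {
            readUntrusted(serialize(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the standard ObjectInputFilter hook (JEP 290) provides the same look-ahead check without subclassing and can additionally cap stream depth and array sizes.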

    Additional details about the vulnerability are available at the following
links:

    Official Vulnerability Note from CERT

    Foxglove Security

    Apache Commons Statement

    Oracle Security Alert

    Cisco will release software updates that address this vulnerability. There
are no workarounds that mitigate this vulnerability.

    This advisory is available at the following link:

    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

Affected Products

    Products Under Investigation

    The following products are under active investigation to determine whether
they are affected by the vulnerability that is described in this advisory.

    Collaboration and Social Media

        Cisco WebEx Meetings

    Endpoint Clients and Client Software

        Cisco Jabber for iOS

    Network Application, Service, and Acceleration

        Cisco Extensible Network Controller (XNC)

        Cisco Nexus Data Broker (NDB)

    Network and Content Security Devices

        Cisco Physical Access Control Gateway

        Cisco Physical Access Manager

        Cisco Virtual Security Gateway for Microsoft Hyper-V

    Network Management and Provisioning

        Cisco Packet Tracer

        Cisco Prime Central for SPs

        Cisco Prime Infrastructure Standalone Plug and Play Gateway

        Cisco Prime Infrastructure

        Cisco Prime License Manager

        Cisco Prime Network

        Cisco Prime Security Manager

        CiscoWorks Network Compliance Manager

    Routing and Switching - Enterprise and Service Provider

        Cisco IOS Software

        Cisco ONS 15454 Series Multiservice Provisioning Platforms

    Unified Computing

        Cisco UCS Director

        Cisco Unified Computing System E-Series Blade Server

        Cisco Virtual Security Gateway

    Voice and Unified Communications Devices

        Cisco Agent Desktop for Cisco Unified Contact Center Express

        Cisco Agent Desktop

        Cisco Desktop Collaboration Experience DX70 and DX80

        Cisco USC8088

        Cisco Unified Integration for IBM Sametime

        Cisco Unified Workforce Optimization

        Cisco Unity Connection (UC)

        Cisco Unity Connection

        Cisco Voice Portal (CVP)

    Video, Streaming, TelePresence, and Transcoding Devices

        Cisco Model D9485 DAVIC QPSK

        Cisco TelePresence 1310

        Cisco TelePresence System 1000

        Cisco TelePresence System 1100

        Cisco TelePresence System 1300

        Cisco TelePresence System 3000 Series

        Cisco TelePresence System 500-32

        Cisco TelePresence System 500-37

        Cisco TelePresence TX 9000 Series

        Cisco VEN501 Wireless Access Point

    Wireless

        Cisco Mobility Services Engine (MSE)

        Cisco Wireless Control System (WCS)

    Cisco Hosted Services

        Cisco Cloud Services

        Cisco Smart Care

        Cisco WebEx11 Application Server

        Life Cycle Management Agent Manager (LCM)

        Network Performance Analytics (NPA)

    Vulnerable Products

    The following table lists Cisco products that are affected by the 
vulnerability that is described in this advisory.

    Product | Defect | Fixed releases availability

    Cable Modems

    Digital Life RMS 1.8.1.1 Cisco Broadband Access Center Telco Wireless 3.8.1 | CSCux34660

    Collaboration and Social Media

    Cisco SocialMiner | CSCux34833
    Cisco WebEx Meetings Server versions 1.x | CSCux34612
    Cisco WebEx Meetings Server versions 2.x | CSCux34612

    Endpoint Clients and Client Software

    Cisco NAC Agent for Windows | CSCux35102

    Network Application, Service, and Acceleration

    Cisco InTracer | CSCux35041
    Cisco Network Admission Control (NAC) | CSCux35101
    Cisco Visual Quality Experience Server | CSCux34725
    Cisco Visual Quality Experience Tools Server | CSCux34725

    Network and Content Security Devices

    Cisco ASA CX and Cisco Prime Security Manager | CSCux34742
    Cisco ASA Content Security and Control (CSC) Security Services Module | CSCux34736
    Cisco Clean Access Manager | CSCux34981
    Cisco Email Security Appliance (ESA) | CSCux35048
    Cisco Identity Services Engine (ISE) | CSCux34754
    Cisco NAC Appliance (Clean Access Server) | CSCux34982
    Cisco NAC Guest Server | CSCux34984
    Cisco NAC Server | CSCux34983
    Cisco Secure Access Control System (ACS) | CSCux34781

    Network Management and Provisioning

    Cisco Access Registrar Appliance | CSCux34652
    Cisco Cloupia Unified Infrastructure Controller | CSCux35070
    Cisco Configuration Professional | CSCux35040
    Cisco Digital Media Manager | CSCux34692
    Cisco Insight Reporter | CSCux34694
    Cisco Prime Access Registrar Appliance | CSCux34652
    Cisco Prime Access Registrar | CSCux34955
    Cisco Prime Collaboration Provisioning | CSCux34669
    Cisco Prime Home | CSCux34668
    Cisco Prime LAN Management Solution (LMS - Solaris) | CSCux34647
    Cisco Prime Network Services Controller | CSCux34672
    Cisco Prime Optical for SPs | CSCux34656
    Cisco Prime Performance Manager | CSCux34953
    Cisco Prime Provisioning for SPs | CSCux34664
    Cisco Prime Provisioning | CSCux35084
    Cisco Prime Service Catalog Virtual Appliance | CSCux34715
    Cisco Security Manager | CSCux34671
    Data Center Analytics Framework (DCAF) | CSCux34575
    Local Collector Appliance (LCA) | CSCux34812
    Unified Communications Deployment Tools | CSCux34584

    Routing and Switching - Enterprise and Service Provider

    Cisco Broadband Access Center Telco Wireless | CSCux34645

    Unified Computing

    Cisco Unified Computing System (Management software) | CSCux35113

    Voice and Unified Communications Devices

    Cisco Computer Telephony Integration Object Server (CTIOS) | CSCux34589
    Cisco Emergency Responder | CSCux34852
    Cisco Hosted Collaboration Mediation Fulfillment | CSCux34859
    Cisco IM and Presence Service (CUPS) | CSCux34855
    Cisco IP Interoperability and Collaboration System (IPICS) | CSCux34720
    Cisco Management Heartbeat Server | CSCux35009
    Cisco MediaSense | CSCux34874 | 11.0, 10.5 (March 2016), 11.5 (June 2016)
    Cisco MeetingPlace | CSCux35147
    Cisco Unified Attendant Console Advanced | CSCux34827
    Cisco Unified Attendant Console Business Edition | CSCux34827
    Cisco Unified Attendant Console Department Edition | CSCux34827
    Cisco Unified Attendant Console Enterprise Edition | CSCux34827
    Cisco Unified Attendant Console Premium Edition | CSCux34827
    Cisco Unified Communications Manager (UCM) | CSCux34835
    Cisco Unified Communications Manager Session Management Edition (SME) | CSCux34835
    Cisco Unified Contact Center Enterprise | CSCux34589
    Cisco Unified E-Mail Interaction Manager | CSCux34853
    Cisco Unified Intelligence Center | CSCux34844
    Cisco Unified Intelligent Contact Management Enterprise | CSCux34589
    Cisco Unified Sip Proxy | CSCux34567
    Cisco Unified Web Interaction Manager | CSCux34853
    Cisco Unity Express | CSCux34922

    Video, Streaming, TelePresence, and Transcoding Devices

    Cisco Digital Transport Adapter Control System (DTACS) | CSCux34796
    Cisco Media Experience Engines (MXE) | CSCux34968
    Cisco Show and Share | CSCux34708
    Cisco TelePresence Exchange System (CTX) | CSCux34690
    Cisco VDS Service Broker | CSCux34804
    Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS) | CSCux34724
    Cisco Videoscape Conductor | CSCux34792
    Cisco Videoscape Control Suite | CSCux34974
    Explorer Controller (EC) system | CSCux34795
    VDS-Recorder | CSCux34722
    VDS-TV Caching GW | CSCux34722
    VDS-TV Streamer | CSCux34722
    VDS-TV Vault | CSCux34722

    Cisco Hosted Services

    Business Video Services Automation Software (BV) | CSCux34572
    Cisco Cloud Email Security | CSCux34593
    Cisco Cloud Web Security | CSCux35002
    Cisco Cloud and Systems Management | CSCux34926
    Cisco Proactive Network Operations Center | CSCux34582
    Cisco Registered Envelope Service (CRES) | CSCux34591
    Cisco Services Provisioning Platform (SPP) | CSCux34885 | 3.2.2 (Jan 2016)
    Cisco Unified Services Delivery Platform (CUSDP) | CSCux34779
    Communication/Collaboration Sizing Tool, Virtual Machine Placement Tool, Cisco Unified Communications Upgrade Readiness Assessment | CSCux34881
    DCAF UCS Collector | CSCux34924
    Network Change and Configuration Management | CSCux34580
    Partner Supporting Service (PSS) 1.x | CSCux34739
    SI component of Partner Supporting Service | CSCux34738
    Serial Number Assessment Service (SNAS) | CSCux34991
    Services Analytic Platform | CSCux35043
    Smart Net Total Care (SNTC) | CSCux34987
    Smart Net Total Care | CSCux34730

Products Confirmed Not Vulnerable

The following products are not affected by the vulnerability that is described
in this advisory.

Cable Modems

    Cisco 3G Femtocell Wireless

    Cisco Unified IP Phone 6921

Collaboration and Social Media

    Cisco WebEx Node for MCS

Endpoint Clients and Client Software

    Cisco Agent for OpenFlow

    Cisco AnyConnect Secure Mobility Client for Android

    Cisco AnyConnect Secure Mobility Client for Linux

    Cisco AnyConnect Secure Mobility Client for Windows

    Cisco AnyConnect Secure Mobility Client for iOS

    Cisco IP Communicator

    Cisco Jabber Guest 10.0(2)

    Cisco Jabber Software Development Kit

    Cisco Jabber for Android

    Cisco Jabber for Mac

    Cisco Jabber for Windows

    Cisco MMP server

    Cisco NAC Agent for Mac

    Cisco NAC Agent for Web

    Cisco UC Integration for Microsoft Lync

    Cisco Virtualization Experience Media Engine

    Cisco WebEx Meetings Client - Hosted

    Cisco WebEx Meetings Client - On Premises

    Cisco WebEx Meetings for Android

    Cisco WebEx Meetings for BlackBerry

    Cisco WebEx Meetings for WP8

    Cisco WebEx Productivity Tools

    JCF components

    WebEx Meetings Server - SSL Gateway

    WebEx Recording Playback Client

Network Application, Service, and Acceleration

    Cisco ACE 30 Application Control Engine Module

    Cisco ACE 4710 Application Control Engine (A5)

    Cisco Adaptive Security Appliance (ASA) Software

    Cisco Application Control Engine (ACE30/ ACE 4710)

    Cisco Application and Content Networking System (ACNS)

    Cisco DC Health Check

    Content Services Switch

Network and Content Security Devices

    Cisco ASA Next-Generation Firewall Services

    Cisco Adaptive Security Appliance (ASA)

    Cisco Adaptive Security Device Manager

    Cisco Content Security Appliance Updater Servers

    Cisco Content Security Management Appliance (SMA)

    Cisco IPS

    Cisco Intrusion Prevention System Solutions (IPS)

    Cisco IronPort Encryption Appliance (IEA)

    Cisco Security Management Appliance (SMA)

    Cisco Web Security Appliance (WSA)

Network Management and Provisioning

    Cisco Application Networking Manager

    Cisco Connected Grid Device Manager

    Cisco Connected Grid Network Management System

    Cisco Linear Stream Manager

    Cisco MGC Node Manager (CMNM)

    Cisco Multicast Manager

    Cisco Netflow Collection Agent

    Cisco Network Analysis Module

    Cisco Prime Analytics

    Cisco Prime Cable Provisioning

    Cisco Prime Collaboration Assurance

    Cisco Prime Collaboration Deployment

    Cisco Prime Collaboration Manager

    Cisco Prime Data Center Network Manager (.ova and .iso installers)

    Cisco Prime Data Center Network Manager (DCNM)

    Cisco Prime IP Express

    Cisco Prime Network Registrar (CPNR) virtual appliance

    Cisco Prime Network Registrar (CPNR)

    Cisco Prime Network Registrar IP Address Manager (IPAM)

    Cisco UCS Central

    Cisco Unified Provisioning Manager (CUPM)

    Cisco Virtual Topology System (formerly Virtual Systems Operations Center)

    Virtual Systems Operations Center for vPE project

Routing and Switching - Enterprise and Service Provider

    CRS-CGSE-PLIM

    CRS-CGSE-PLUS

    Cisco ASR 5000 Series

    Cisco ASR 9000 Series Integrated Service Module

    Cisco Application Policy Infrastructure Controller (APIC)

    Cisco Connected Grid Router - CGOS

    Cisco Connected Grid Router

    Cisco IOS-XE for ASR1k, ASR903, ISR4400, CSR1000v

    Cisco IOS-XE for Catalyst 3k, 4k, AIR-CT5760, and Cisco RF Gateway 10 (RFGW-10)

    Cisco IOS-XR

    Cisco MDS 9000 Series Multilayer Switches

    Cisco Metro Ethernet 1200 Series Access Devices

    Cisco Nexus 1000V Series Switches (ESX)

    Cisco Nexus 1010

    Cisco Nexus 3000 Series Switches

    Cisco Nexus 4000 Series

    Cisco Nexus 5000 Series Switches

    Cisco Nexus 6000 Series Switches

    Cisco Nexus 7000 Series Switches

    Cisco Nexus 9000 (ACI/Fabric Switch)

    Cisco Nexus 9000 Series (standalone, running NxOS)

    Cisco Nexus 9000 Series Switches

    Cisco OnePK All-in-One VM

    Cisco Service Control Application for Broadband

    Cisco Service Control Collection Manager

    Cisco Service Control Operating System

    Cisco Service Control Subscriber Manager

    Cisco VPN Acceleration Engine

    IOS-XR for Cisco Network Convergence System (NCS) 6000

Routing and Switching - Small Business

    Cisco Small Business AP500 Series Wireless Access Points

    Cisco Small Business RV 120W Wireless-N VPN Firewall

    Cisco Small Business RV Series Routers 0xxv3

    Cisco Small Business RV Series Routers RV110W

    Cisco Small Business RV Series Routers RV130x

    Cisco Small Business RV Series Routers RV215W

    Cisco Small Business RV Series Routers RV220W

    Cisco Small Business RV Series Routers RV315W

    Cisco Small Business RV Series Routers RV320

    Cisco Sx220 switches

    Cisco Sx300 switches

    Cisco Sx500 switches

    Cisco WAP4410N Wireless-N Access Point

Unified Computing

    Cisco Common Services Platform Collector

    Cisco Standalone rack server CIMC

    Cisco UCS ADA

    Cisco UCS Invicta Series Solid State Systems

    Cisco UCS Invicta Series

    Cisco UCS Manager

    Cisco Unified Computing System B-Series (Blade) Servers

    UCS IO Modules

Voice and Unified Communications Devices

    Cisco 190 ATA Series Analog Terminal Adaptor

    Cisco 7937 IP Phone

    Cisco 8800 Series IP Phones - VPN Feature

    Cisco ATA 187 Analog Telephone Adaptor

    Cisco Billing and Measurements Server

    Cisco Broadband Access Center for Cable Tools Suite 4.1

    Cisco Broadband Access Center for Cable Tools Suite 4.2

    Cisco DX Series IP Phones

    Cisco H.323 Signaling Interface

    Cisco Paging Server (Informacast)

    Cisco Paging Server

    Cisco Prime Cable Provisioning Tools Suite 5.0

    Cisco Prime Cable Provisioning Tools Suite 5.1

    Cisco Quantum Virtualized Packet Core

    Cisco Remote Silent Monitoring

    Cisco SPA112 2-Port Phone Adapter

    Cisco SPA122 ATA with Router

    Cisco SPA232D Multi-Line DECT ATA

    Cisco SPA30X Series IP Phones

    Cisco SPA50X Series IP Phones

    Cisco SPA51X Series IP Phones

    Cisco SPA525G

    Cisco SPA8000 8-port IP Telephony Gateway

    Cisco SPA8800 IP Telephony Gateway with 4 FXS and 4 FXO Ports

    Cisco TAPI Service Provider (TSP)

    Cisco Unified 3900 series IP Phones

    Cisco Unified 6901 IP Phones

    Cisco Unified 6945 IP Phones

    Cisco Unified 7800 Series IP Phones

    Cisco Unified 8831 series IP Conference Phone

    Cisco Unified 8961 IP Phone

    Cisco Unified 9951 IP Phone

    Cisco Unified 9971 IP Phone

    Cisco Unified Attendant Console Standard

    Cisco Unified Client Services Framework

    Cisco Unified Communications Domain Manager

    Cisco Unified IP Conference Phone 8831 for Third-Party Call Control

    Cisco Unified IP Phone 7900 Series

    Cisco Unified IP Phone 8941 and 8945 (SIP)

    Cisco Unified Operations Manager (CUOM)

    Cisco Unified Wireless IP Phone

    Cisco Universal Small Cell RAN Management System Wireless

    Cisco Virtual PGW 2200 Softswitch

    xony VIM/CCDM/CCMP

Video, Streaming, TelePresence, and Transcoding Devices

    Cisco 910 Industrial Router

    Cisco AnyRes Live (CAL)

    Cisco AnyRes VOD (CAL)

    Cisco Command 2000 Server (cmd2k) (RH Based)

    Cisco D9824 Advanced Multi Decryption Receiver

    Cisco D9854/D9854-I Advanced Program Receiver

    Cisco D9858 Advanced Receiver Transcoder

    Cisco D9859 Advanced Receiver Transcoder

    Cisco D9865 Satellite Receiver

    Cisco DCM Series 9900-Digital Content Manager

    Cisco DNCS Application Server (AppServer)

    Cisco Digital Media Players (DMP) 4300 Series

    Cisco Digital Media Players (DMP) 4400 Series

    Cisco Download Server (DLS) (Solaris)

    Cisco Edge 300 Digital Media Player

    Cisco Edge 340 Digital Media Player

    Cisco Enterprise Content Delivery System (ECDS)

    Cisco Expressway Series

    Cisco Headend System Release

    Cisco IPTV Service Delivery System (ISDS)

    Cisco International Digital Network Control System (iDNCS)

    Cisco Media Services Interface

    Cisco Powerkey CAS Gateway (PCG)

    Cisco Powerkey Encryption Server (PKES)

    Cisco TelePresence Advanced Media Gateway Series

    Cisco TelePresence Conductor

    Cisco TelePresence Content Server (TCS)

    Cisco TelePresence EX Series

    Cisco TelePresence ISDN GW 3241

    Cisco TelePresence ISDN GW MSE 8321

    Cisco TelePresence ISDN Link

    Cisco TelePresence MCU (8510, 8420, 4200, 4500 and 5300)

    Cisco TelePresence MX Series

    Cisco TelePresence Management Suite (TMS)

    Cisco TelePresence Management Suite Analytics Extension (TMSAE)

    Cisco TelePresence Management Suite Extension (TMSXE)

    Cisco TelePresence Management Suite Extension for IBM

    Cisco TelePresence Management Suite Provisioning Extension

    Cisco TelePresence Profile Series

    Cisco TelePresence SX Series

    Cisco TelePresence Serial Gateway Series

    Cisco TelePresence Server 8710, 7010

    Cisco TelePresence Server on Multiparty Media 310, 320

    Cisco TelePresence Server on Virtual Machine

    Cisco TelePresence Supervisor MSE 8050

    Cisco TelePresence Video Communication Server (VCS)

    Cisco Telepresence Integrator C Series

    Cisco Transaction Encryption Device (TED)

    Cisco Video Delivery System Recorder

    Cisco Video Surveillance 3000 Series IP Cameras

    Cisco Video Surveillance 4000 Series High-Definition IP Cameras

    Cisco Video Surveillance 4300E/4500E High-Definition IP Cameras

    Cisco Video Surveillance 6000 Series IP Cameras

    Cisco Video Surveillance 7000 Series IP Cameras

    Cisco Video Surveillance Media Server

    Cisco Video Surveillance PTZ IP Cameras

    Cisco Videoscape Distribution Suite Transparent Caching

    Cloud Object Store (COS)

    Tandberg Codian ISDN GW 3210/3220/3240

    Tandberg Codian MSE 8320 model

Wireless

    Cisco IOS Access Points

    Cisco RF Gateway 1 (RFGW-1)

    Cisco Small Business 121 Series Wireless Access Points

    Cisco Small Business 321 Series Wireless Access Points

    Cisco Small Business 500 Series Wireless Access Points

    Cisco WAP371 wireless access point

    Cisco Wireless LAN Controller (WLC)

    Cisco Wireless Security Gateway Application (WSG)

Cisco Hosted Services

    Cisco Connected Analytics For Collaboration

    Cisco Intelligent Automation for Cloud

    Cisco Partner Supporting Service

    Cisco SmartConnection

    Cisco SmartReports

    Cisco UCS Invicta Series Autosupport Portal

    Cisco Universal Small Cell 5000 Series running V3.4.2.x software

    Cisco Universal Small Cell 7000 Series running V3.4.2.x software

    Cisco Universal Small Cell CloudBase

    Cisco WebEx Messenger Service

    Cisco WebEx Node

    IMS

    MACD Process Controller (MPC)

    Network Device Security Assessment

    Partner Supporting Service (PSS) 2.x

    Sentinel

    Small Cell factory recovery root filesystem V2.99.4 or later

    Web Element Manager

Indicators of Compromise

    An attacker could cause a Java application or library that has the Apache
Commons Collections library in its classpath to execute arbitrary Java 
functions or bytecode.

Workarounds

    There are no workarounds that mitigate this vulnerability.

Fixed Software

    When considering software upgrades, customers are advised to consult the 
Cisco Security Advisories and Responses archive at 
http://www.cisco.com/go/psirt and review subsequent advisories to determine 
exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to upgrade contain
sufficient memory and confirm that current hardware and software 
configurations will continue to be supported properly by the new release. If 
the information is not clear, customers are advised to contact the Cisco 
Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

    The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is 
described in this advisory.

Source

    January 2015: Researchers Gabriel Lawrence and Chris Frohoff disclosed a 
potential data deserialization vulnerability that could lead to arbitrary code
execution. The vulnerability is in the Java Object Serialization used in Java
applications and libraries.

    November 2015: Stephen Breen of Foxglove Security identified the ACC Java
library as being vulnerable to insecure data deserialization.

URL

    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

Revision History

    Version  Description                                   Section                 Status   Date
    1.4      Updated the affected products.                Affected Products       Interim  2015-December-18
    1.3      Updated the affected products.                Affected Products       Interim  2015-December-17
    1.2      Updated the affected products.                Affected Products       Interim  2015-December-15
    1.1      Assigned a unique CVE ID for Cisco products   CVE; Affected Products  Interim  2015-December-10
             and updated the affected products.
    1.0      Initial public release.                                               Interim  2015-December-09

Legal Disclaimer

    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR 
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR 
MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE 
RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE 
THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

    A standalone copy or paraphrase of the text of this document that omits 
the distribution URL is an uncontrolled copy and may lack important 
information or contain factual errors. The information in this document is 
intended for end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----