===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2266
   Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products:
                               September 2017
                              8 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2017-9805 CVE-2017-9804 CVE-2017-9793
Reference:         ASB-2017.0139

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

Comment: Cisco advises its products are under investigation. The vulnerable
         products table will continue to be updated.

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017

Critical

Advisory ID:     cisco-sa-20170907-struts2
First Published: 2017 September 7 21:00 GMT
Version 1.0:     Interim
Workarounds:     No workarounds available
CVE-2017-9793 CVE-2017-9804 CVE-2017-9805
CWE-20 CWE-399

Summary

On September 5, 2017, the Apache Software Foundation released security bulletins that disclose three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details section of this advisory.

Multiple Cisco products incorporate a version of the Apache Struts 2 package that is affected by these vulnerabilities.

This advisory will be updated as additional information becomes available.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

Affected Products

Cisco is investigating its product line to determine which products may be affected by these vulnerabilities and the impact on each affected product. As the investigation progresses, Cisco will update this advisory with information about affected products, including the ID of the Cisco bug for each affected product.

For information about whether a product is affected by these vulnerabilities, refer to the Vulnerable Products and Products Confirmed Not Vulnerable sections of this advisory. The Vulnerable Products section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including any available workarounds and fixed software releases.

If a Cisco product is not listed in the Vulnerable Products or Products Confirmed Not Vulnerable section, it is assumed to not be vulnerable.

Products Under Investigation

The following Cisco products are under active investigation to determine whether they are affected by the vulnerabilities described in this advisory.
Collaboration and Social Media
  Cisco Unified MeetingPlace
  Cisco WebEx Meetings Server

Endpoint Clients and Client Software
  Cisco Prime Service Catalog

Network Management and Provisioning
  Cisco Digital Media Manager
  Cisco MXE 3500 Series Media Experience Engines
  Cisco Prime Central for Service Providers
  Cisco Prime Collaboration Assurance
  Cisco Prime Home
  Cisco Prime Infrastructure
  Cisco Prime LAN Management Solution - Solaris
  Cisco Prime Network
  Cisco Unified Intelligence Center

Voice and Unified Communications Devices
  Cisco Enterprise Chat and Email
  Cisco Hosted Collaboration Mediation Fulfillment
  Cisco Hosted Collaboration Solution for Contact Center
  Cisco Unified Contact Center Enterprise
  Cisco Unified E-Mail Interaction Manager
  Cisco Unified Intelligent Contact Management Enterprise
  Cisco Unified Survivable Remote Site Telephony Manager
  Cisco Unified Web Interaction Manager
  Cisco Unity Connection
  Cisco Unity Express
  Cisco Virtualized Voice Browser

Video, Streaming, TelePresence, and Transcoding Devices
  Cisco Enterprise Content Delivery System (ECDS)
  Cisco Video Distribution Suite for Internet Streaming (VDS-IS)

Cisco Hosted Services
  Cisco Cloud Web Security
  Cisco Deployment Automation Tool
  Cisco Network Device Security Assessment Service
  Cisco Network Performance Analysis
  Cisco Partner Support Service 1.x
  Cisco Services Provisioning Platform
  Cisco Smart Net Total Care - Contracts Information System Process Controller
  Cisco Smart Net Total Care
  Cisco Tidal Performance Analyzer
  Cisco Unified Service Delivery Platform
  Cisco WebEx Network-Based Recording (NBR) Management

Vulnerable Products

The following table lists Cisco products that are affected by the vulnerabilities described in this advisory. If an asterisk (*) appears after a product name, the product is affected by the critical severity vulnerability, CVE-2017-9805 (Apache Struts REST plug-in XML processing arbitrary code execution vulnerability).
At the time of this publication, no Cisco products are known to be affected by CVE-2017-9805.

Detailed information about fixed software releases will be documented in the Cisco bugs that are listed in this table. The bugs are accessible through the Cisco Bug Search Tool. When planning a software upgrade, customers should review the bugs directly because the bugs will have the most current and up-to-date information.

Product                                    Cisco Bug ID   Fixed Release Availability
--------------------------------------------------------------------------------------
Voice and Unified Communications Devices
  Cisco Emergency Responder                CSCvf86138

Products Confirmed Not Vulnerable

Cisco has confirmed that the following products are not affected by the vulnerabilities described in this advisory.

Network Application, Service, and Acceleration
  Cisco Data Center Network Manager

Network and Content Security Devices
  Cisco Identity Services Engine (ISE)
  Cisco Secure Access Control System (ACS)

Network Management and Provisioning
  Cisco Prime Access Registrar
  Cisco Prime Collaboration Provisioning
  Cisco Prime License Manager
  Cisco Prime Network Registrar IP Address Manager (IPAM)
  Cisco Security Manager
  Cisco Smart Net Total Care - Local Collector appliance

Routing and Switching - Enterprise and Service Provider
  Cisco Broadband Access Center for Telco and Wireless

Voice and Unified Communications Devices
  Cisco Unified Communications Manager IM & Presence Service (formerly CUPS)
  Cisco Unified Communications Manager
  Cisco Unified Customer Voice Portal
  Cisco Unified SIP Proxy Software

Cisco Hosted Services
  Cisco Business Video Services Automation Software
  Cisco WebEx Meeting Center - Windows

Details

Apache Struts REST Plug-In XML Processing Arbitrary Code Execution Vulnerability

A vulnerability in the Representational State Transfer (REST) plug-in of Apache Struts could allow an unauthenticated, remote attacker to execute arbitrary code. The vulnerability is due to the improper deserialization of XML requests by the REST plug-in with the XStream handler of the affected software.
An attacker could exploit this vulnerability by sending crafted XML content to a targeted system. A successful exploit could allow the attacker to execute arbitrary code on the system, which could result in a complete system compromise.

This vulnerability has been assigned the following CVE ID: CVE-2017-9805

Apache Struts REST Plug-In Denial of Service Vulnerability

A vulnerability in the REST plug-in for Apache Struts could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to insufficient validation of user-supplied input by the XStream library in the REST plug-in for the affected application. An attacker could submit crafted XML data to the affected system. A successful exploit could allow the attacker to cause a DoS condition on the targeted system.

This vulnerability has been assigned the following CVE ID: CVE-2017-9793

Apache Struts URLValidator Resource Exhaustion Denial of Service Vulnerability

A vulnerability in the URLValidator feature of Apache Struts could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient validation of user-supplied input when the affected software uses the URLValidator feature to validate URLs. An attacker could exploit this vulnerability by submitting a crafted URL in a form field of an application utilizing an affected version of Apache Struts. An exploit could trigger a condition in the regular expression (regex) processing by the URLValidator that would consume excessive amounts of CPU resources, resulting in a DoS condition.

This vulnerability has been assigned the following CVE ID: CVE-2017-9804

Indicators of Compromise

To help detect possible exploitation of this vulnerability, Cisco has released Snort SID 44315.
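As an added exposure check, not part of the Cisco advisory or the AusCERT bulletin: the script below walks a Java web application's deployment tree and reports the Struts artifacts this advisory concerns (the REST plug-in, whose XStream handler is the component behind CVE-2017-9805 and CVE-2017-9793, and struts2-core, which carries the URLValidator of CVE-2017-9804), taking each version from the jar file name or, when the name carries none, from META-INF/MANIFEST.MF. The artifact names, their mapping to CVEs and the sample jars it builds are assumptions constructed for this demonstration; which versions are fixed must be read from the Apache bulletins linked under Source.

```python
import os
import re
import tempfile
import zipfile

# Constructed mapping (not from the bulletin): REST plug-in = XStream handler, struts2-core = URLValidator.
WATCHED = {"struts2-rest-plugin": ["CVE-2017-9805", "CVE-2017-9793"],
           "struts2-core": ["CVE-2017-9804"]}
JAR_RE = re.compile(r"^(?P<artifact>[a-z0-9-]+?)-(?P<version>\d[\w.]*)\.jar$", re.I)

def jar_identity(path):
    """(artifact, version) from the file name, else from the jar's MANIFEST.MF."""
    name = os.path.basename(path)
    m = JAR_RE.match(name)
    if m:
        return m.group("artifact").lower(), m.group("version")
    with zipfile.ZipFile(path) as zf:  # unversioned name: ask the manifest instead
        manifest = (zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    if "META-INF/MANIFEST.MF" in zf.namelist() else "")
    title = re.search(r"^Implementation-Title:\s*(.+)$", manifest, re.M)
    version = re.search(r"^Implementation-Version:\s*(.+)$", manifest, re.M)
    return ((title.group(1).strip().lower() if title else name[:-4].lower()),
            (version.group(1).strip() if version else None))

def scan(root):
    # Walk a deployment tree; list jars that put it in scope for this advisory.
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                artifact, version = jar_identity(os.path.join(dirpath, f))
                if artifact in WATCHED:
                    findings.append({"jar": os.path.join(dirpath, f), "artifact": artifact,
                                     "version": version, "cves": WATCHED[artifact]})
    return sorted(findings, key=lambda x: x["artifact"])

def make_jar(path, manifest):  # helper to build the constructed sample jars
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)

def run_demo():
    """Build a constructed sample WEB-INF/lib in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "WEB-INF", "lib")
        os.makedirs(lib)
        make_jar(os.path.join(lib, "struts2-core-2.0.0.jar"), "Manifest-Version: 1.0\n")
        make_jar(os.path.join(lib, "struts2-rest-plugin.jar"),  # version only in manifest
                 "Manifest-Version: 1.0\nImplementation-Title: struts2-rest-plugin\n"
                 "Implementation-Version: 2.0.0\n")
        make_jar(os.path.join(lib, "commons-io-2.4.jar"), "Manifest-Version: 1.0\n")  # unrelated
        return scan(root)
```

A deployment that ships the REST plug-in is in scope even when the jar name carries no version, which is why the manifest fallback matters; the reported versions are then compared against the fixed releases named in the Apache bulletins.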
Workarounds

Any workarounds that address these vulnerabilities will be documented in the Cisco bugs, which are accessible through the Cisco Bug Search Tool.

Fixed Software

Currently, there are no software updates that address the vulnerabilities described in this advisory. Updates for affected software releases will be published when they are available and information about those updates will be documented in Cisco bugs, which are accessible through the Cisco Bug Search Tool.

When Cisco releases software updates that address these vulnerabilities, customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

To determine the affected and fixed releases for each vulnerable product, refer to the Cisco bug identified for the product in the Vulnerable Products section of this advisory. Cisco bugs are accessible through the Cisco Bug Search Tool.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

On September 5, 2017, the Apache Software Foundation publicly disclosed these vulnerabilities in the following security bulletins:

CVE-2017-9805: http://struts.apache.org/docs/s2-052.html
CVE-2017-9804: http://struts.apache.org/docs/s2-050.html
CVE-2017-9793: http://struts.apache.org/docs/s2-051.html

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

Revision History

Version   Description              Section   Status    Date
1.0       Initial public release.            Interim   2017-September-07

LEGAL DISCLAIMER

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================