-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0610
           Cisco Cloud Web Security SQL Injection Vulnerability
                              21 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Cloud Web Security
Publisher:         Cisco Systems
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3154

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cws-inject-6YTdx7AO

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Cloud Web Security SQL Injection Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-cws-inject-6YTdx7AO
First Published: 2020 February 19 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr84279
CVE-2020-3154
CWE-89
CVSS Score:      4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the web UI of Cisco Cloud Web Security (CWS) could allow
    an authenticated, remote attacker to execute arbitrary SQL queries.

    The vulnerability exists because the web-based management interface
    improperly validates SQL values. An authenticated attacker could exploit
    this vulnerability by sending malicious requests to the affected device.
    An exploit could allow the attacker to modify values on or return values
    from the underlying database.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cws-inject-6YTdx7AO

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco CWS, which is
    cloud based.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has addressed this vulnerability in Cisco CWS, which is cloud based.
    No user action is required.

    Customers can determine the current remediation status or software version
    by using the Help function in the service GUI. Customers who need
    additional information are advised to contact the Cisco Technical
    Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cws-inject-6YTdx7AO

Revision History

  o +---------+-------------------------+---------+--------+------------------+
    | Version | Description             | Section | Status | Date             |
    +---------+-------------------------+---------+--------+------------------+
    | 1.0     | Initial public release. | -       | Final  | 2020-February-19 |
    +---------+-------------------------+---------+--------+------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXk9MHWaOgq3Tt24GAQj0AQ/+OTSHyvuce8nM7xn/fV2UBAlYKcYQwQcm
LEpWYXMXMUIo02xmOhI/p8fQ/b74XMpF9nGnV2i1uLY+Gyu5z7ybB2ydYC5hqUQY
flW73/x3Wfe96IuQWzG5yljTJPUidMqiBxVNaetQi2albjB6+QoSxCmh5t+i2u+F
6IJFEcxfq+8CVNFEQ6qUi9OJTedcAuu5aKCy72jVUEFOHaSM7nZ8LiviaJUrZZZy
q5B5ExPT/zuo54Dw01K7HGvs76CqDuENNc7dGTHrBfnLpkk4UU/BBbhiSfhVUrKD
8lWxpPVtcFRqxmGK1KsMJ7xdl8oj7ZPHXKOCZQoKjIj405ATmGsr/Ddqy38sJeKk
TfWFSUO1zIevu+88UJq7IRsGfKdY91y7+WVl67KkZlkFiCBLavHH7lQPRgd/+bBA
dPc0Rnu9z9KLvaHhpT4T2HGlltxVjm5hlZFFPI6Rvtqxf3YrzuBy2MHCc7rRIq/Y
OQ913zLFH9X1+VSHmdA+UXRb+QG0IleHuNnqCdUHEd8lAnuV9k+Oom2Y2Ulangg/
XfRhi99WuqJI7WohDx+yM8t9hQJg2c0+8CidNTY+eC5mPyeS+58b9twwudH1CX6V
ohcALVqh34qkzQfrXcvwXRMviYfz9ed5k/ZwbRvJpt6V7RQQm5+083SEI/YhBKAv
93MZ5p6EQ20=
=zBME
-----END PGP SIGNATURE-----
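The advisory's Summary describes the bug only as a web-UI handler that "improperly validates SQL values" (CWE-89), with the consequence that an authenticated caller can "modify values on or return values from the underlying database". The Python below is an added illustration of exactly that bug class and its fix; it is not Cisco code and the schema, table names and handler functions are constructed here and say nothing about how Cisco CWS is implemented. The vulnerable handlers interpolate the caller's value into the statement; the hardened ones bind it as a parameter and type-check it first.

```python
"""
CWE-89 illustration (added example, not from the advisory or from Cisco):
a management-UI handler that concatenates a caller-supplied value into SQL,
next to the same handler using bound parameters and input validation.
The 'policies' and 'users' tables are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the 'underlying database'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE policies (id INTEGER PRIMARY KEY, name TEXT, action TEXT);
        INSERT INTO policies VALUES (1, 'default', 'allow');
        INSERT INTO policies VALUES (2, 'malware', 'block');
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'admin', 'superuser');
        """
    )
    return conn


def all_actions(conn: sqlite3.Connection) -> list:
    """Current 'action' column of every policy, in id order (for inspection)."""
    return [row[0] for row in conn.execute("SELECT action FROM policies ORDER BY id")]


# --- vulnerable form: the value becomes part of the SQL text (CWE-89) -------
def lookup_policy_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # A name such as  ' UNION SELECT id, login, role FROM users --
    # turns this into a read of a different table ("return values from
    # the underlying database").
    query = f"SELECT id, name, action FROM policies WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def update_policy_vulnerable(conn: sqlite3.Connection, policy_id: str, action: str) -> int:
    # A policy_id such as  2 OR 1=1  rewrites every row ("modify values on
    # the underlying database").
    stmt = f"UPDATE policies SET action = '{action}' WHERE id = {policy_id}"
    return conn.execute(stmt).rowcount


# --- hardened form: bound parameters plus validation of the value itself ---
ALLOWED_ACTIONS = ("allow", "block")


def lookup_policy_safe(conn: sqlite3.Connection, name: str) -> list:
    # The driver sends the value separately from the statement; the payload
    # is compared literally against the name column and matches nothing.
    return conn.execute(
        "SELECT id, name, action FROM policies WHERE name = ?", (name,)
    ).fetchall()


def update_policy_safe(conn: sqlite3.Connection, policy_id: str, action: str) -> int:
    # Validate the semantic value before it reaches the database: the id must
    # be an integer and the action must come from a closed set. int() raises
    # ValueError on "2 OR 1=1", so the statement is never run.
    pid = int(policy_id)
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action must be one of {ALLOWED_ACTIONS}")
    cur = conn.execute("UPDATE policies SET action = ? WHERE id = ?", (action, pid))
    return cur.rowcount


if __name__ == "__main__":
    payload = "' UNION SELECT id, login, role FROM users --"
    conn = make_db()
    print("vulnerable lookup:", lookup_policy_vulnerable(conn, payload))
    print("safe lookup:      ", lookup_policy_safe(conn, payload))
    update_policy_vulnerable(conn, "2 OR 1=1", "allow")
    print("after vulnerable update:", all_actions(conn))
```

The two properties to check in any fix for this class of bug are visible in the test: the bound-parameter query returns nothing for the UNION payload, and the validated update refuses the tautology rather than silently running it against every row.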