Operating System:

[Cisco]

Published:

26 August 2021

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2871
    Cisco Application Policy Infrastructure Controller security update
                              26 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Application Policy Infrastructure Controller
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise                 -- Existing Account      
                   Execute Arbitrary Code/Commands -- Existing Account      
                   Create Arbitrary Files          -- Remote/Unauthenticated
                   Cross-site Scripting            -- Existing Account      
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-1582 CVE-2021-1581 CVE-2021-1580
                   CVE-2021-1579 CVE-2021-1578 CVE-2021-1577

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-chvul-CKfGYBh8
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-frw-Nt3RYxR2
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-mdvul-HBsJBuvW
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-pesc-pkmGK4J
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-scss-bFT75YrM

Comment: This bulletin contains five (5) Cisco Systems security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Application Policy Infrastructure Controller App Privilege Escalation
Vulnerability

Priority:        High
Advisory ID:     cisco-sa-capic-chvul-CKfGYBh8
First Published: 2021 August 25 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvw57164
CVE Names:       CVE-2021-1579
CWEs:            CWE-250

Summary

  o A vulnerability in an API endpoint of Cisco Application Policy
    Infrastructure Controller (APIC) and Cisco Cloud Application Policy
    Infrastructure Controller (Cloud APIC) could allow an authenticated, remote
    attacker with Administrator read-only credentials to elevate privileges on
    an affected system.

    This vulnerability is due to an insufficient role-based access control
    (RBAC). An attacker with Administrator read-only credentials could exploit
    this vulnerability by sending a specific API request using an app with
    admin write credentials. A successful exploit could allow the attacker to
    elevate privileges to Administrator with write privileges on the affected
    device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-chvul-CKfGYBh8

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco APIC and Cisco Cloud APIC devices if they
    have installed and enabled apps with admin write privileges.

    To determine if a device has admin write enabled apps, do the following:

     1. Open the web UI and click the Apps tab.
     2. Hover the mouse pointer over an installed and enabled app ( Open is
        displayed). Four icons will appear in the upper right.
     3. Click the left-most icon to see the Permissions and Permission Level of
        the app. If Permissions:admin and Permission Level:write are displayed,
        the device is affected by this vulnerability.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability. However,
    administrators may disable or remove all apps with admin write privileges
    enabled.

    To disable or remove these apps, do the following:

     1. Open the web UI and click the Apps tab.
     2. Hover the mouse pointer over an installed and enabled app ( Open is
        displayed). Four icons will appear in the upper right.
     3. To disable the app, click the icon that is a circle with a line. To
        remove the app, click the icon that is an X.

    While this mitigation has been deployed and was proven successful in a test
    environment, customers should determine the applicability and effectiveness
    in their own environment and under their own use conditions. Customers
    should be aware that any workaround or mitigation that is implemented may
    negatively impact the functionality or performance of their network based
    on intrinsic customer deployment scenarios and limitations. Customers
    should not deploy any workarounds or mitigations before first evaluating
    the applicability to their own environment and any impact to such
    environment.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The right column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. Customers are advised to upgrade
    to an appropriate fixed software release as indicated in this section.

    Cisco APIC or Cisco Cloud APIC Software Release First Fixed Release
    Earlier than 3.2                                Migrate to a fixed release.
    3.2                                             3.2(10f)
    4.0                                             Migrate to a fixed release.
    4.1                                             Migrate to a fixed release.
    4.2                                             4.2(7l)
    5.0                                             Migrate to a fixed release.
    5.1                                             Migrate to a fixed release.
    5.2                                             5.2(2f)

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing by the Cisco
    Advanced Security Initiatives Group (ASIG).

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-chvul-CKfGYBh8

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-AUG-25  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco Application Policy Infrastructure Controller Arbitrary File Read and
Write Vulnerability

Priority:        Critical
Advisory ID:     cisco-sa-capic-frw-Nt3RYxR2
First Published: 2021 August 25 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvw57556
CVE Names:       CVE-2021-1577
CWEs:            CWE-284

Summary

  o A vulnerability in an API endpoint of Cisco Application Policy
    Infrastructure Controller (APIC) and Cisco Cloud Application Policy
    Infrastructure Controller (Cloud APIC) could allow an unauthenticated,
    remote attacker to read or write arbitrary files on an affected system.

    This vulnerability is due to improper access control. An attacker could
    exploit this vulnerability by using a specific API endpoint to upload a
    file to an affected device. A successful exploit could allow the attacker
    to read or write arbitrary files on an affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-frw-Nt3RYxR2

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco APIC and Cisco Cloud APIC.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The right column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. Customers are advised to upgrade
    to an appropriate fixed software release as indicated in this section.

    Cisco APIC or Cisco Cloud APIC Software Release First Fixed Release
    Earlier than 3.2                                Migrate to a fixed release.
    3.2                                             3.2(10e)
    4.0                                             Migrate to a fixed release.
    4.1                                             Migrate to a fixed release.
    4.2                                             4.2(6h)
    5.0                                             Migrate to a fixed release.
    5.1                                             5.1(3e)
    5.2                                             Not vulnerable.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing by the Cisco
    Advanced Security Initiatives Group (ASIG).

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-frw-Nt3RYxR2

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-AUG-25  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco Application Policy Infrastructure Controller Command Injection and File
Upload Vulnerabilities

Priority:        Medium
Advisory ID:     cisco-sa-capic-mdvul-HBsJBuvW
First Published: 2021 August 25 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvw57577 CSCvw57581
CVE Names:       CVE-2021-1580 CVE-2021-1581
CWEs:            CWE-284 CWE-78

Summary

  o Multiple vulnerabilities in the web UI and API endpoints of Cisco
    Application Policy Infrastructure Controller (APIC) or Cisco Cloud APIC
    could allow a remote attacker to perform a command injection or file upload
    attack on an affected system.

    For more information about these vulnerabilities, see the Details section
    of this advisory.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-mdvul-HBsJBuvW

Affected Products

  o Vulnerable Products

    At the time of publication, these vulnerabilities affected Cisco APIC and
    Cloud APIC.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory. See the Details section in the bug
    ID(s) at the top of this advisory for the most complete and current
    information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

Details

  o The vulnerabilities are not dependent on one another. Exploitation of one
    of the vulnerabilities is not required to exploit the other vulnerability.
    In addition, a software release that is affected by one of the
    vulnerabilities may not be affected by the other vulnerability.

    Details about the vulnerabilities are as follows:

    CVE-2021-1580: Cisco APIC Command Injection Vulnerability

    A vulnerability in the web UI of Cisco APIC or an API endpoint of Cisco
    Cloud APIC could allow an authenticated, remote attacker to perform a
    command injection attack on an affected device.

    This vulnerability is due to improper input validation in the web UI and
    API endpoint. An attacker with high privileges could exploit this
    vulnerability by injecting crafted input during a specific command
    execution. A successful exploit could allow the attacker to execute
    arbitrary commands with root -level privileges on an affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    Bug ID(s): CSCvw57577
    CVE ID: CVE-2021-1580
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 6.5
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

    CVE-2021-1581: Cisco APIC File Upload Vulnerability

    A vulnerability in an API endpoint of Cisco APIC or Cisco Cloud APIC could
    allow an unauthenticated, remote attacker to upload files on an affected
    device.

    This vulnerability is due to improper access control. An attacker could
    exploit this vulnerability by using a specific API endpoint to upload files
    on an affected device. A successful exploit could allow the attacker to
    fill the upload partition of the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    Bug ID(s): CSCvw57581
    CVE ID: CVE-2021-1581
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 6.5
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following table
    (s) was accurate. See the Details section in the bug ID(s) at the top of
    this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerabilities described
    in this advisory and which release included the fix for these
    vulnerabilities.

    APIC Command Injection Vulnerability: CSCvw57577

    Cisco APIC and Cloud APIC Release First Fixed Release for This
                                      Vulnerability
    Earlier than 3.2                  Migrate to a fixed release.
    3.2                               3.2(10e)
    4.0                               Migrate to a fixed release.
    4.1                               Migrate to a fixed release.
    4.2                               4.2(6h)
    5.0                               Migrate to a fixed release.
    5.1                               5.1(3e)
    5.2                               5.2(1g)

    APIC File Upload Vulnerability: CSCvw57581

    Cisco APIC and Cloud APIC Release First Fixed Release for This
                                      Vulnerability
    Earlier than 3.2                  Migrate to a fixed release.
    3.2                               3.2(10f)
    4.0                               Migrate to a fixed release.
    4.1                               Migrate to a fixed release.
    4.2                               4.2(7l)
    5.0                               Migrate to a fixed release.
    5.1                               Migrate to a fixed release.
    5.2                               5.2(1g)

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerabilities that are
    described in this advisory.

Source

  o These vulnerabilities were found during internal security testing by the
    Cisco Advanced Security Initiatives Group (ASIG).

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-mdvul-HBsJBuvW

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-AUG-25  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco Application Policy Infrastructure Controller Privilege Escalation
Vulnerability

Priority:        High
Advisory ID:     cisco-sa-capic-pesc-pkmGK4J
First Published: 2021 August 25 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvw57550
CVE Names:       CVE-2021-1578
CWEs:            CWE-636

Summary

  o A vulnerability in an API endpoint of Cisco Application Policy
    Infrastructure Controller (APIC) and Cisco Cloud Application Policy
    Infrastructure Controller (Cloud APIC) could allow an authenticated, remote
    attacker to elevate privileges to Administrator on an affected device.

    This vulnerability is due to an improper policy default setting. An
    attacker could exploit this vulnerability by using a non-privileged
    credential for Cisco ACI Multi-Site Orchestrator (MSO) to send a specific
    API request to a managed Cisco APIC or Cloud APIC device. A successful
    exploit could allow the attacker to obtain Administrator credentials on the
    affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-pesc-pkmGK4J

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco APIC or Cisco Cloud APIC devices if they
    are running a vulnerable software release and the following conditions are
    true:

       The device is managed by Cisco ACI MSO.
       The Cisco ACI MSO is Release 3.0(2d) through Release 3.1(1i).
       The Cisco ACI MSO is installed on a Cisco Application Services Engine.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The right column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. Customers are advised to upgrade
    to an appropriate fixed software release as indicated in this section.

    Cisco APIC or Cisco Cloud APIC Software Release First Fixed Release
    Earlier than 3.2                                Not vulnerable
    3.2                                             Not vulnerable.
    4.0                                             Not vulnerable.
    4.1                                             Not vulnerable.
    4.2                                             Not vulnerable.
    5.0                                             Migrate to a fixed release.
    5.1                                             5.1(3e)
    5.2                                             Not vulnerable.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing by the Cisco
    Advanced Security Initiatives Group (ASIG).

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-pesc-pkmGK4J

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-AUG-25  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco Application Policy Infrastructure Controller Stored Cross-Site Scripting
Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-capic-scss-bFT75YrM
First Published: 2021 August 25 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvy64858
CVE Names:       CVE-2021-1582
CWEs:            CWE-79

Summary

  o A vulnerability in the web UI of Cisco Application Policy Infrastructure
    Controller (APIC) or Cisco Cloud APIC could allow an authenticated, remote
    attacker to perform a stored cross-site scripting attack on an affected
    system.

    This vulnerability is due to improper input validation in the web UI. An
    authenticated attacker could exploit this vulnerability by sending
    malicious input to the web UI. A successful exploit could allow the
    attacker to execute arbitrary script code in the context of the web-based
    interface or access sensitive, browser-based information.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-scss-bFT75YrM

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco APIC and
    Cisco Cloud APIC.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory. See the Details section in the bug
    ID(s) at the top of this advisory for the most complete and current
    information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following table
    (s) was accurate. See the Details section in the bug ID(s) at the top of
    this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Cisco APIC and Cloud APIC Release First Fixed Release for This
                                      Vulnerability
    Earlier than 3.2                  Migrate to a fixed release.
    3.2                               3.2(10f)
    4.0                               Migrate to a fixed release.
    4.1                               Migrate to a fixed release.
    4.2                               4.2(7l)
    5.0                               Migrate to a fixed release.
    5.1                               Migrate to a fixed release.
    5.2                               5.2(1h) ^1
                                      5.2(2f) ^1

    1. Releases 5.2(1h) (Cloud APIC only), 5.2(2f), and later have the fix for
    this vulnerability.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Adrien Peter, Pierre Milioni, and Clement Amic of
    Synacktiv for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cross-Site Scripting

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-scss-bFT75YrM

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-AUG-25  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYSbh0uNLKJtyKPYoAQg76hAAmr5gv2VPhQYNoxlTR0aMmAqdw9KUG0+N
wPiHCa0ZjH1NgjN3SYo3tJP4Lt7FZmRmh6YXCHHECNrBJodRhbqhOZW7WqzdsWzo
FPb5Skwbpzb5lrG78HtrArrN8f5y15xjAfsDR3gXWI27LgFVtzuIfFsuwB0Oeczj
Ewjgx53wE5ywRa+xj+/j5CjzABg6GsVe+CrbsTGB4WO6PwQDYakZwgIg3IZ8mGxU
8BWXev4c1hGjGAMLPk3PkLF/ByNRcQsMZ0f+mMoTRHLvjhnKUT4T51U7KH4VstPr
0vHqMnQJ2Zko0tb9SOwS3xqIpFIw7Nsl/5LHWvhyGmkQuRCjsjqx6x6kTN3ssOWR
TG5h/547FF8YCGLLKLfiVwzaz1Q5/MkvJ46sCA9djZkt7uawvW+AiC80RZq7FvTi
JvyZ+7JU2OGvxKkF8miEZy1m47iJ7lnY473MmXzqtLR7RJwCVA0Yr+uzuMHPQRwb
pjlFvvS6xzJKwBgfHdzCULGowuJfSKi9c870nh0sidnRVNHkYn3zYMSxRz9bf2aa
rlOwaQgJeMW8Xk3hDamYT1FhifFACjyKJe0ZUDDKRwSYMF8u2tP9xTipi3WCesT2
JZtQIMcWebLgTVj5gFRsaCn/1/XrMRuRyb9qDMB7xDgXugX1p8TBJ+tTMQRmKHFf
fKWD66cfLNY=
=r1zq
-----END PGP SIGNATURE-----