Cisco Security Advisory
Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products: August 2018
Summary
A vulnerability in Apache Struts (CVE-2018-11776, Apache security bulletin S2-057) could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
The vulnerability exists because the affected software insufficiently validates user-supplied input. Struts permits action results (for example, redirectAction results) with no namespace value and url tags with no value or action attribute; when the enclosing action or package configuration also has no namespace or a wildcard namespace, the namespace is taken from the request URL and evaluated as an OGNL expression. An attacker could exploit this vulnerability by sending a request whose URL path carries a malicious expression to the affected application for processing. A successful exploit could allow the attacker to execute arbitrary code in the security context of the affected application on the targeted system.
The following Snort rules can be used to detect possible exploitation of this vulnerability: Snort SIDs 29639, 39190, 39191, and 47634.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts
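The two halves of the condition described above can be checked directly: whether a Struts configuration contains a result that would inherit an unbound namespace, and whether a request on the wire carries an OGNL marker in the namespace part of its path (which is what the Snort rules listed above look for). The following Python is an added example, not Cisco's, Apache's, or the Snort rules' own code; the struts.xml fragment and the access-log lines are constructed samples, and the request format follows the published S2-057 proof of concept (an expression such as ${(111+111)} placed before the action name). It does not cover the url-tag case in JSP pages.

```python
"""Audit a Struts configuration for the S2-057 exposure pattern and flag
exploit-style requests in access logs. Constructed samples only."""
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Result types that build their target URL from the action's namespace. With no
# explicit namespace parameter they inherit whatever namespace Struts selected,
# which under the vulnerable conditions comes from the request URL.
NAMESPACE_DERIVED_RESULTS = {"redirectAction", "chain"}

# Constructed struts.xml: one exposed package (wildcard namespace, result with no
# namespace param) and one package that sets both explicitly.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default" namespace="/*">
    <action name="actionChain1" class="com.example.DemoAction">
      <result type="redirectAction">register2</result>
    </action>
  </package>
  <package name="safe" extends="struts-default" namespace="/app">
    <action name="login" class="com.example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>"""

# Constructed Common Log Format lines: two attempts (single- and %{ encoded),
# one benign request whose query string merely contains ${, and one normal hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Aug/2018:10:15:02 +0000] "GET /%24%7B%28111%2B111%29%7D/actionChain1.action HTTP/1.1" 302 0',
    '198.51.100.4 - - [23/Aug/2018:10:15:09 +0000] "GET /app/login.action?user=%24%7Bx%7D HTTP/1.1" 200 512',
    '192.0.2.9 - - [23/Aug/2018:10:16:30 +0000] "GET /%25%7B%28111%2B111%29%7D/actionChain1.action HTTP/1.1" 302 0',
    '192.0.2.10 - - [23/Aug/2018:10:17:00 +0000] "GET /app/home.action HTTP/1.1" 200 2048',
]


def _namespace_is_unbound(ns):
    # A missing, empty, or wildcard namespace lets Struts select the namespace
    # from the request URL; an explicit one such as "/app" is bound.
    return ns is None or ns.strip() == "" or "*" in ns


def full_namespace_enabled(xml_text):
    """True if struts.mapper.alwaysSelectFullNamespace is set to true in this file.
    Absence is not proof of safety: the Convention plugin enables it by default."""
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return const.get("value", "").strip().lower() == "true"
    return False


def audit_struts_config(xml_text):
    """Return (package_namespace, action_name, result_name) for every
    namespace-derived result that has no explicit namespace param inside a
    package whose namespace is missing or a wildcard."""
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if not _namespace_is_unbound(ns):
            continue
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in NAMESPACE_DERIVED_RESULTS:
                    continue
                params = {p.get("name") for p in result.findall("param")}
                if "namespace" not in params:
                    findings.append((ns, action.get("name"), result.get("name", "success")))
    return findings


OGNL_MARKER = re.compile(r"[$%]\{")
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def request_path_is_suspicious(path):
    """True if an OGNL expression marker appears in the namespace part of the
    request path, i.e. anywhere before the final path component (the action)."""
    path = path.split("?", 1)[0]          # the exploit lives in the path, not the query
    decoded = urllib.parse.unquote(urllib.parse.unquote(path))  # catch %24%7B and double encoding
    namespace, _, _action = decoded.rpartition("/")
    return bool(OGNL_MARKER.search(namespace))


def find_exploit_attempts(log_lines):
    """Return (client_ip, raw_path) for each log line that looks like an attempt."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and request_path_is_suspicious(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits


if __name__ == "__main__":
    print("alwaysSelectFullNamespace:", full_namespace_enabled(SAMPLE_STRUTS_XML))
    for ns, action, result in audit_struts_config(SAMPLE_STRUTS_XML):
        print(f"exposed: package namespace={ns!r} action={action} result={result}")
    for ip, path in find_exploit_attempts(SAMPLE_LOG):
        print(f"attempt from {ip}: {path}")
```

The audit only reports the configuration pattern the advisory names; it does not prove a product is exploitable (Cisco's asterisked products contain the library but are not reachable through a known vector). The log check deliberately ignores the query string, because the S2-057 injection point is the namespace segment of the path; a ${ in a parameter value is a different class of finding.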
Affected Products
The Vulnerable Products section includes Cisco bug IDs for each affected product or service. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.
Any product or service not listed in the Vulnerable Products section of this advisory is to be considered not vulnerable.
Vulnerable Products
Vulnerable products marked with an asterisk (*) contain an affected Struts library, but due to how the library is used within the product, these products are not vulnerable to any of the exploitation vectors known to Cisco at the time of publication.
The following table lists Cisco products that are affected by the vulnerability that is described in this advisory:
Product | Cisco Bug ID | Fixed Release Availability

Collaboration and Social Media
- Cisco SocialMiner * | CSCvk78903 | Patch available 11-Sep-2018

Endpoint Clients and Client Software
- Cisco Prime Service Catalog * | CSCvm13989 |

Network and Content Security Devices
- Cisco Identity Services Engine (ISE) | CSCvm14030 | Patch file available 31-Aug-2018

Voice and Unified Communications Devices
- Cisco Emergency Responder * | CSCvm14044 | 1151es (21-Sep-2018); Standalone COP (21-Sep-2018)
- Cisco Finesse * | CSCvk78905 | Patch file available 7-Sep-2018
- Cisco Hosted Collaboration Solution for Contact Center * | CSCvm14052 | Patch file available 12-Sep-2018
- Cisco MediaSense * | CSCvk78906 | Patch file available 12-Sep-2018
- Cisco Unified Communications Manager * | CSCvm14042 | 1151es and 1201es (14-Sep-2018); Standalone COP (20-Sep-2018)
- Cisco Unified Communications Manager IM & Presence Service (formerly CUPS) * | CSCvm14049 | 1151es and 1201es (21-Sep-2018); Standalone COP (20-Sep-2018)
- Cisco Unified Contact Center Enterprise * | CSCvm13986 | Patch file available 12-Sep-2018
- Cisco Unified Contact Center Enterprise - Live Data server * | CSCvk78902 | Patch file available 7-Sep-2018
- Cisco Unified Contact Center Express * | CSCvm21744 | Patch file available 12-Sep-2018
- Cisco Unified Intelligence Center * | CSCvm13984 | Patch file available 12-Sep-2018
- Cisco Unified Intelligent Contact Management Enterprise * | CSCvm13986 | Patch file available 12-Sep-2018
- Cisco Unified SIP Proxy Software * | CSCvm13980 | 918es (28-Sep-2018)
- Cisco Unified Survivable Remote Site Telephony Manager * | CSCvm13979 | Patch file available 12-Sep-2018
- Cisco Unity Connection * | CSCvm14043 | 1151es and 1201su (18-Sep-2018); Standalone COP (21-Sep-2018)
- Cisco Virtualized Voice Browser * | CSCvm14056 | Patch file available 12-Sep-2018

Video, Streaming, TelePresence, and Transcoding Devices
- Cisco Video Distribution Suite for Internet Streaming (VDS-IS) * | CSCvm14027 | 2.3.35 (15-Sep-2018)

Cisco Cloud Hosted Services
- Cisco Network Performance Analysis | CSCvm14040 |
Products Confirmed Not Vulnerable
Only products and services listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following products and services. All members of the product families in the following list are not considered to be affected by this vulnerability unless they are explicitly listed in the preceding Vulnerable Products section:
Cable Modems
- Cisco 3G Femtocell Wireless
Network Application, Service, and Acceleration
- Cisco Data Center Network Manager
Network and Content Security Devices
- Cisco Secure Access Control System (ACS)
Network Management and Provisioning
- Cisco MXE 3500 Series Media Experience Engines
- Cisco Prime Access Registrar
- Cisco Prime Central for Service Providers
- Cisco Prime Collaboration Assurance
- Cisco Prime Collaboration Provisioning
- Cisco Prime Infrastructure
- Cisco Prime LAN Management Solution - Solaris
- Cisco Prime License Manager
- Cisco Prime Network Registrar IP Address Manager (IPAM)
- Cisco Prime Network
- Cisco Prime Order Management
- Cisco Prime Provisioning
- Cisco Security Manager
- Cisco Smart Net Total Care - Local Collector appliance
Routing and Switching - Enterprise and Service Provider
- Cisco Broadband Access Center for Telco and Wireless
Voice and Unified Communications Devices
- Cisco Enterprise Chat and Email
- Cisco Hosted Collaboration Mediation Fulfillment
- Cisco Unified Customer Voice Portal
- Cisco Unified E-Mail Interaction Manager
- Cisco Unified Web Interaction Manager
- Cisco Unity Express
Video, Streaming, TelePresence, and Transcoding Devices
- Cisco Enterprise Content Delivery System (ECDS)
- Cisco Expressway Series
- Cisco TelePresence Video Communication Server (VCS)
Cisco Cloud Hosted Services
- Cisco Business Video Services Automation Software
- Cisco Cloud Web Security
- Cisco Deployment Automation Tool
- Cisco Network Device Security Assessment Service
- Cisco Services Provisioning Platform
- Cisco Smart Net Total Care - Contracts Information System Process Controller
- Cisco Smart Net Total Care
- Cisco Unified Service Delivery Platform
- Cisco Webex Meeting Center - Windows
- Cisco Webex Meeting Center
- Cisco Webex Network-Based Recording (NBR) Management
- Cisco Webex Teams (formerly Cisco Spark)
- Cloud and Managed Services Program (CMSP)
Workarounds
Any workarounds for a specific Cisco product or service will be documented in product-specific or service-specific Cisco bugs, which are identified in the Vulnerable Products section of this advisory.
Fixed Software
For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory. Questions concerning the Cisco Webex environment can be directed to the Cisco Technical Assistance Center (TAC).
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco TAC or their contracted maintenance providers.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is aware of attempted exploitation of this vulnerability.
Source
On August 22, 2018, the Apache Software Foundation publicly disclosed this vulnerability in a security bulletin at the following link: https://cwiki.apache.org/confluence/display/WW/S2-057
Cisco Security Procedures
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
Version | Description | Section | Status | Date
1.12 | Updated the software availability information for vulnerable products. | Affected Products | Final | 2018-September-17
1.11 | Updated the software availability information for vulnerable products. | Affected Products | Final | 2018-September-13
1.10 | Updated the list of vulnerable products; in the previous version the asterisk was inadvertently omitted. | Affected Products | Final | 2018-September-10
1.9 | Updated the software availability information for vulnerable products. | Affected Products | Final | 2018-September-06
1.8 | Updated the lists of vulnerable products and products confirmed not vulnerable. Removed references to ongoing investigation. | Summary, Affected Products | Final | 2018-September-05
1.7 | Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. | Affected Products | Interim | 2018-September-04
1.6 | Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. | Affected Products | Interim | 2018-August-31
1.5 | Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. | Affected Products | Interim | 2018-August-30
1.4 | Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable; updated the awareness of exploitation attempts. | Affected Products, Exploitation and Public Announcements | Interim | 2018-August-29
1.3 | Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. | Summary, Affected Products | Interim | 2018-August-28
1.2 | Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. | Summary, Affected Products | Interim | 2018-August-28
1.1 | Added Snort SIDs. Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. | Summary, Affected Products | Interim | 2018-August-24
1.0 | Initial public release. | - | Interim | 2018-August-23
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.