ESB-2018.3513.16 - UPDATE [Cisco] Cisco products: Multiple vulnerabilities 2019-02-11

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2018.3513.16
      Apache Struts Commons FileUpload Library Remote Code Execution
           Vulnerability Affecting Cisco Products: November 2018
                             11 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1000031  

Reference:         ESB-2018.1307
                   ESB-2018.0372
                   ESB-2017.3099

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload

Revision History:  February 11 2019: Updated vulnerable products
                   December  6 2018: Updated information about fixed release availability. Removed references to ongoing investigation.
                   December  3 2018: Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. Updated information about fixed release availability.
                   November 29 2018: Updated information about fixed release availability.
                   November 27 2018: Updated information about fixed release availability.
                   November 23 2018: Updated information about Cisco Webex Centers exposure. Updated information about fixed release availability.
                   November 22 2018: Updated the list of vulnerable products. Updated information about fixed release availability.
                   November 21 2018: Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. Updated information about fixed release availability.
                   November 20 2018: Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. Updated information about fixed release availability.
                   November 19 2018: Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. Updated information about fixed release availability.
                   November 16 2018: Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. Updated information about fixed release availability.
                   November 15 2018: Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. Updated information about fixed release availability.
                   November 14 2018: Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. Updated information about fixed release availability. Indicated that the Cisco TAC is a resource for the Webex environment.
                   November 13 2018: Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. Updated information about fixed release availability.
                   November 12 2018: Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable. Updated information about fixed release availability.
                   November  8 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Apache Struts Commons FileUpload Library Remote Code Execution Vulnerability
Affecting Cisco Products: November 2018

Priority:        Critical
Advisory ID:     cisco-sa-20181107-struts-commons-fileupload
First Published: 2018 November 7 00:00 GMT
Last Updated:    2019 February 7 14:49 GMT
Version 1.17:    Final
Workarounds:     No workarounds available
CVE-2016-1000031 
CWE-502

Summary

  o On November 5, 2018, the Apache Struts Team released a security
    announcement urging an upgrade of the Commons FileUpload library to version
    1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using
    earlier versions of this library may be exposed to attacks that could allow
    execution of arbitrary code or modifications of files on the system. The
    issue is caused by a previously reported vulnerability of the Apache
    Commons FileUpload library, assigned to CVE-2016-1000031.

    The vulnerability is due to insufficient validation of user-supplied input
    by the affected software. An attacker could exploit this vulnerability by
    submitting crafted data to an affected system. A successful exploit could
    allow the attacker to execute arbitrary code or manipulate files on the
    targeted system.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20181107-struts-commons-fileupload

Affected Products

  o Cisco investigated its product line to determine which products and
    services may be affected by this vulnerability.

    The Vulnerable Products section of this advisory includes Cisco bug IDs for
    each affected product or service. The bugs are accessible through the Cisco
    Bug Search Tool and contain additional platform-specific information,
    including workarounds (if available) and fixed software releases.

    Any product or service not listed in the "Vulnerable Products" section of
    this advisory is to be considered not vulnerable.

    Vulnerable Products

    The following table lists Cisco products and services that are affected by
    the vulnerability that is described in this advisory. The software
    availability dates in the Fixed Release Availability column are estimates,
    and actual software availability may differ from the dates provided in the
    following table.

                   Product                 Cisco Bug        Fixed Release
                                               ID           Availability
                          Collaboration and Social Media
                                                      Patch file available for
    Cisco SocialMiner                      CSCvn22343 11.5/11.6 by Dec 2018
                                                      12.0.1 (Jan 2019)
                                                      2.8MR3 Security Patch 1
    Cisco Webex Meetings Server            CSCvn18895 (Dec 2018)
                                                      3.0MR2 Security Patch 2
                                                      (Dec 2018)
                       Endpoint Clients and Client Software
    Cisco Webex Management - SuperAdmin    CSCvn18901 T33.7.2 (Dec 2018)
    Control Panel
                       Network and Content Security Devices
                                                      Hot patch available for
                                                      2.1 Patch 7/2.3 Patch 5
    Cisco Identity Services Engine (ISE)   CSCvn17524 2.2 Patch 12 (Nov 2018)
                                                      2.3 Patch 6 (Feb 2019)
                                                      2.4 Patch 5 (Nov 2018)
                                                      2.5 (Dec 2018)
    Cisco Secure Access Control System     CSCvn18934 No fix planned ^1
    (ACS)
                        Network Management and Provisioning
    Cisco Evolved Programmable Network     CSCvn44132 2.2.1.2 (Dec 2018)
    Manager
    Cisco Prime Collaboration Provisioning CSCvn18919 12.6 (Nov 2018)
                                                      3.3.1 Update 04 (Feb
                                                      2019)
    Cisco Prime Infrastructure             CSCvn18917 3.4.1 Update 03 (Mar
                                                      2019)
                                                      3.5 (Dec 2018)
    Cisco Prime License Manager            CSCvn18924 Patch file available for
                                                      10.5.2/11.5.1 by Dec 2018
    Cisco Prime Network Registrar IP       CSCvn18913 No fix planned
    Address Manager (IPAM)
                                                      Patch file available for
    Cisco Prime Network                    CSCvn18910 5.1 by Dec 2018
                                                      5.2 (May 2019)
    Cisco Prime Service Catalog            CSCvn22307 12.1 v7 Patch (Dec 2018)
              Routing and Switching - Enterprise and Service Provider
    Cisco IOx Fog Director                 CSCvn19758 1.7.1 (Jan 2019)
                                                      1.8 (Feb 2019)
    Cisco IoT Field Network Director
    (formerly Cisco Connected Grid Network CSCvn20600 4.3.2 (Dec 2018)
    Management System)
                     Voice and Unified Communications Devices
                                                      Patch file available for
    Cisco Emergency Responder              CSCvn18956 11.5.1/12.0.1 by Dec 2018
                                                      12.5.1 (Jan 2019)
    Cisco Enterprise Chat and Email        CSCvn18957 11.6 ES6 (Jan 2019)
                                                      12.0.1 (Jan 2019)
                                                      Patch file available for
    Cisco Finesse                          CSCvn22344 11.6 by Dec 2018
                                                      12.0.1 (Jan 2019)
    Cisco Hosted Collaboration Mediation   CSCvn18961 11.5(4) (Available)
    Fulfillment
    Cisco Hosted Collaboration Solution    CSCvn18962 12.0.1 (Jan 2019)
    for Contact Center
    Cisco MediaSense                       CSCvn22346 No fix planned
                                                      Patch file available for
    Cisco Unified Communications Manager   CSCvn18959 10.5.2/11.5.1/12.0.1 by
    IM & Presence Service (formerly CUPS)             Dec 2018
                                                      12.5.1 (Jan 2019)
                                                      Patch file available for
    Cisco Unified Communications Manager   CSCvn18952 10.5.2/11.5.1/12.0.1 by
                                                      Dec 2018
                                                      12.5.1 (Jan 2019)
    Cisco Unified Contact Center           CSCvn18888 12.0.1 (Jan 2019)
    Enterprise
                                                      Patch file available for
    Cisco Unified Contact Center Express   CSCvn18955 11.5/11.6 by Dec 2018
                                                      12.0.1 (Jan 2019)
    Cisco Unified E-Mail Interaction       CSCvn18958 No fix planned
    Manager
                                                      Patch file available for
    Cisco Unified Intelligence Center      CSCvn18887 11.5/11.6 by Dec 2018
                                                      12.0.1 (Jan 2019)
    Cisco Unified Intelligent Contact      CSCvn18888 12.0.1 (Jan 2019)
    Management Enterprise
    Cisco Unified Web Interaction Manager  CSCvn18958 No fix planned
                                                      Patch file available for
    Cisco Unity Connection                 CSCvn18954 10.5.2/11.5.1/12.0.1 by
                                                      Dec 2018
                                                      12.5.1 (Jan 2019)
                                                      Patch file available for
    Cisco Virtualized Voice Browser        CSCvn18963 11.5/11.6 by Dec 2018
                                                      12.0.1 (Jan 2019)
              Video, Streaming, TelePresence, and Transcoding Devices
    Cisco Video Distribution Suite for     CSCvn18928 Patch file available by
    Internet Streaming (VDS-IS)                       Dec 2018
                                     Wireless
    Cisco Mobility Services Engine         CSCvn22305 Patch file available by
                                                      Dec 2018
    Cisco Universal Small Cell RAN         CSCvn18939 No fix planned
    Management System (USC RMS)
                            Cisco Cloud Hosted Services
    Cisco Prime Network Change and         CSCvn19865 3.6.1 (Dec 2018)
    Configuration Management                          3.7 (Mar 2019)
    Cisco Smart Connected Spaces           CSCvn22310 Patch file available by
                                                      Dec 2018
    Cisco Smart Net Total Care - Contracts CSCvn18884 4.3.6 (Dec 2018)
    Information System Process Controller
    Cisco Webex Centers - Meeting Center,             T33.7.2 (Dec 2018)
    Training Center, Event Center, Support CSCvn24113 T32.20.2 (Dec 2018)
    Center
                                                      Cisco will update
    Cisco Webex Meetings                   CSCvn18908 affected systems in Dec
                                                      2018


    ^ 1 Cisco Secure Access Control System (ACS) has reached the End of
    Software Maintenance (EoSWM) milestone . Only authenticated attackers with
    access to the Cisco ACS admin console could exploit this vulnerability. An
    administrator could also limit access to the Cisco ACS admin panel from
    trusted hosts in their environment.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    products and services:

    Network Application, Service, and Acceleration
       Cisco Data Center Network Manager

    Network and Content Security Devices
       Cisco Firepower Management Center
       Cisco Stealthwatch Endpoint Concentrator
       Cisco Stealthwatch FlowCollector NetFlow
       Cisco Stealthwatch FlowCollector sFlow
       Cisco Stealthwatch FlowSensor
       Cisco Stealthwatch Management Console (SMC)
       Cisco Stealthwatch UDP Director

    Network Management and Provisioning
       Cisco Prime Access Registrar
       Cisco Prime Central for Service Providers
       Cisco Prime Collaboration Assurance
       Cisco Prime Collaboration Deployment
       Cisco Prime LAN Management Solution
       Cisco Prime Provisioning
       Cisco Security Manager

    Routing and Switching - Enterprise and Service Provider
       Cisco Broadband Access Center for Telco and Wireless

    Unified Computing
       Cisco HyperFlex System

    Voice and Unified Communications Devices
       Cisco Unified Customer Voice Portal
       Cisco Unified SIP Proxy Software
       Cisco Unified Survivable Remote Site Telephony Manager
       Cisco Unity Express

    Video, Streaming, TelePresence, and Transcoding Devices
       Cisco StadiumVision Director
       Cisco TelePresence Management Suite

    Cisco Cloud Hosted Services
       Cisco Business Video Services Automation Software
       Cisco Cloud Web Security
       Cisco Common Services Platform Collector
       Cisco Network Device Security Assessment Service
       Cisco Network Performance Analysis
       Cisco Smart Net Total Care - On-Premises
       Cisco Smart Net Total Care
       Cisco Unified Service Delivery Platform
       Cisco Webex Network-Based Recording (NBR) Management

Workarounds

  o Any workarounds for a specific Cisco product or service will be documented
    in product-specific or service-specific Cisco bugs, which are identified in
    the Vulnerable Products section of this advisory.

Fixed Software

  o For information about fixed software releases, consult the Cisco bugs
    identified in the Vulnerable Products section of this advisory. Questions
    concerning the Webex environment may be directed to the Cisco Technical
    Assistance Center (TAC).

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    TAC or their contracted maintenance providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any malicious use of the vulnerability that is described in this advisory.

Source

  o On November 5th, 2018, the Apache Software Foundation released a security
    announcement at the following link: Immediately upgrade commons-fileupload
    to version 1.3.3 when running Struts 2.3.36 or prior

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

Related to This Advisory

  o Apache Struts commons-fileupload Library DiskFileItem File Manipulation
    Arbitrary Code Execution Vulnerability

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20181107-struts-commons-fileupload

Revision History

  o +---------+--------------------+-------------+---------+------------------+
    | Version |    Description     |   Section   | Status  |       Date       |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated            |             |         |                  |
    |         | information about  |             |         |                  |
    |         | fixed release      |             |         |                  |
    |         | availability for   |             |         |                  |
    |         | Cisco Prime        |             |         |                  |
    |         | Infrastructure.    |             |         |                  |
    |         | The fix was not    |             |         |                  |
    |         | integrated in      |             |         |                  |
    |         | release 3.4.1      |             |         |                  |
    | 1.17    | Update 02 but will | Vulnerable  | Final   | 2019-February-07 |
    |         | be integrated in   | Products    |         |                  |
    |         | 3.4.1 Update 03.   |             |         |                  |
    |         | Corrected a typo   |             |         |                  |
    |         | referencing        |             |         |                  |
    |         | January 2018       |             |         |                  |
    |         | instead of January |             |         |                  |
    |         | 2019 as            |             |         |                  |
    |         | availability time  |             |         |                  |
    |         | for some fixed     |             |         |                  |
    |         | releases.          |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated            |             |         |                  |
    |         | information about  |             |         |                  |
    |         | fixed release      |             |         |                  |
    |         | availability for   |             |         |                  |
    |         | Cisco Prime        |             |         |                  |
    | 1.16    | Infrastructure.    | Vulnerable  | Final   | 2019-January-11  |
    |         | The fix was not    | Products    |         |                  |
    |         | integrated in      |             |         |                  |
    |         | release 3.3.1      |             |         |                  |
    |         | Update 03 but will |             |         |                  |
    |         | be integrated in   |             |         |                  |
    |         | 3.3.1 Update 04.   |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated            |             |         |                  |
    |         | information about  | Summary,    |         |                  |
    |         | fixed release      | Affected    |         |                  |
    | 1.15    | availability.      | Products,   | Final   | 2018-December-05 |
    |         | Removed references | Vulnerable  |         |                  |
    |         | to ongoing         | Products    |         |                  |
    |         | investigation.     |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated the lists  |             |         |                  |
    |         | of products under  | Affected    |         |                  |
    |         | investigation,     | Products,   |         |                  |
    |         | vulnerable         | Vulnerable  |         |                  |
    |         | products, and      | Products,   |         |                  |
    | 1.14    | products confirmed | Products    | Interim | 2018-November-30 |
    |         | not vulnerable.    | Confirmed   |         |                  |
    |         | Updated            | Not         |         |                  |
    |         | information about  | Vulnerable  |         |                  |
    |         | fixed release      |             |         |                  |
    |         | availability.      |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated            |             |         |                  |
    | 1.13    | information about  | Vulnerable  | Interim | 2018-November-28 |
    |         | fixed release      | Products    |         |                  |
    |         | availability.      |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated            |             |         |                  |
    | 1.12    | information about  | Vulnerable  | Interim | 2018-November-26 |
    |         | fixed release      | Products    |         |                  |
    |         | availability.      |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated            |             |         |                  |
    |         | information about  | Vulnerable  |         |                  |
    |         | Cisco Webex        | Products,   |         |                  |
    | 1.11    | Centers exposure.  | Products    | Interim | 2018-November-22 |
    |         | Updated            | Confirmed   |         |                  |
    |         | information about  | Not         |         |                  |
    |         | fixed release      | Vulnerable  |         |                  |
    |         | availability.      |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated the list   |             |         |                  |
    |         | of vulnerable      |             |         |                  |
    | 1.10    | products. Updated  | Vulnerable  | Interim | 2018-November-21 |
    |         | information about  | Products    |         |                  |
    |         | fixed release      |             |         |                  |
    |         | availability.      |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated the lists  |             |         |                  |
    |         | of products under  | Affected    |         |                  |
    |         | investigation,     | Products,   |         |                  |
    |         | vulnerable         | Vulnerable  |         |                  |
    |         | products, and      | Products,   |         |                  |
    | 1.9     | products confirmed | Products    | Interim | 2018-November-20 |
    |         | not vulnerable.    | Confirmed   |         |                  |
    |         | Updated            | Not         |         |                  |
    |         | information about  | Vulnerable  |         |                  |
    |         | fixed release      |             |         |                  |
    |         | availability.      |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated the lists  |             |         |                  |
    |         | of products under  | Affected    |         |                  |
    |         | investigation,     | Products,   |         |                  |
    |         | vulnerable         | Vulnerable  |         |                  |
    |         | products, and      | Products,   |         |                  |
    | 1.8     | products confirmed | Products    | Interim | 2018-November-19 |
    |         | not vulnerable.    | Confirmed   |         |                  |
    |         | Updated            | Not         |         |                  |
    |         | information about  | Vulnerable  |         |                  |
    |         | fixed release      |             |         |                  |
    |         | availability.      |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated the lists  | Affected    |         |                  |
    |         | of products under  | Products,   |         |                  |
    |         | investigation,     | Vulnerable  |         |                  |
    | 1.7     | vulnerable         | Products,   | Interim | 2018-November-16 |
    |         | products, and      | Products    |         |                  |
    |         | products confirmed | Confirmed   |         |                  |
    |         | not vulnerable.    | Not         |         |                  |
    |         |                    | Vulnerable  |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated the lists  |             |         |                  |
    |         | of products under  | Affected    |         |                  |
    |         | investigation,     | Products,   |         |                  |
    |         | vulnerable         | Vulnerable  |         |                  |
    |         | products, and      | Products,   |         |                  |
    | 1.6     | products confirmed | Products    | Interim | 2018-November-15 |
    |         | not vulnerable.    | Confirmed   |         |                  |
    |         | Updated            | Not         |         |                  |
    |         | information about  | Vulnerable  |         |                  |
    |         | fixed release      |             |         |                  |
    |         | availability.      |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated the lists  |             |         |                  |
    |         | of products under  | Affected    |         |                  |
    |         | investigation,     | Products,   |         |                  |
    |         | vulnerable         | Vulnerable  |         |                  |
    |         | products, and      | Products,   |         |                  |
    | 1.5     | products confirmed | Products    | Interim | 2018-November-14 |
    |         | not vulnerable.    | Confirmed   |         |                  |
    |         | Updated            | Not         |         |                  |
    |         | information about  | Vulnerable  |         |                  |
    |         | fixed release      |             |         |                  |
    |         | availability.      |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated the lists  |             |         |                  |
    |         | of products under  |             |         |                  |
    |         | investigation,     | Affected    |         |                  |
    |         | vulnerable         | Products,   |         |                  |
    |         | products, and      | Vulnerable  |         |                  |
    |         | products confirmed | Products,   |         |                  |
    |         | not vulnerable.    | Products    |         |                  |
    | 1.4     | Updated            | Confirmed   | Interim | 2018-November-13 |
    |         | information about  | Not         |         |                  |
    |         | fixed release      | Vulnerable, |         |                  |
    |         | availability.      | Fixed       |         |                  |
    |         | Indicated that the | Software    |         |                  |
    |         | Cisco TAC is a     |             |         |                  |
    |         | resource for the   |             |         |                  |
    |         | Webex environment. |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated the lists  |             |         |                  |
    |         | of products under  | Affected    |         |                  |
    |         | investigation,     | Products,   |         |                  |
    |         | vulnerable         | Vulnerable  |         |                  |
    |         | products, and      | Products,   |         |                  |
    | 1.3     | products confirmed | Products    | Interim | 2018-November-12 |
    |         | not vulnerable.    | Confirmed   |         |                  |
    |         | Updated            | Not         |         |                  |
    |         | information about  | Vulnerable  |         |                  |
    |         | fixed release      |             |         |                  |
    |         | availability.      |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated the lists  |             |         |                  |
    |         | of products under  | Affected    |         |                  |
    |         | investigation,     | Products,   |         |                  |
    |         | vulnerable         | Vulnerable  |         |                  |
    |         | products, and      | Products,   |         |                  |
    | 1.2     | products confirmed | Products    | Interim | 2018-November-09 |
    |         | not vulnerable.    | Confirmed   |         |                  |
    |         | Updated            | Not         |         |                  |
    |         | information about  | Vulnerable  |         |                  |
    |         | fixed release      |             |         |                  |
    |         | availability.      |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    |         | Updated the lists  | Affected    |         |                  |
    |         | of products under  | Products,   |         |                  |
    |         | investigation,     | Vulnerable  |         |                  |
    | 1.1     | vulnerable         | Products,   | Interim | 2018-November-08 |
    |         | products, and      | Products    |         |                  |
    |         | products confirmed | Confirmed   |         |                  |
    |         | not vulnerable.    | Not         |         |                  |
    |         |                    | Vulnerable  |         |                  |
    +---------+--------------------+-------------+---------+------------------+
    | 1.0     | Initial public     | -           | Interim | 2018-November-07 |
    |         | release.           |             |         |                  |
    +---------+--------------------+-------------+---------+------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXGC7xWaOgq3Tt24GAQjjew//XU9aeAIkJO53NzYIXOIJZCl6cG1kqJmm
FaWmmC9xtGr8jSc+1MG4ssgDAl+gK5aX0KJPooVhb6f1Nga34j0VmA0tiwpM4VIq
p3bFT1KJ3KaRnXtvDxwYARd+Yi5kCo0pORn4zTzLzDoJ6G2mAuLgDdi6uctkSlbK
5Xmp7jXQHUVNJXtJyDoX7GdQ9YFYTbf5tth8J16cM8tVN0fgddqnKoqq9zFff4jq
L8Cns/DDabY78C8QN6m70c50FqhvaHfm9HJtpnYm+sYHD0YYTh0gjDD0QHIX9rkD
cF/3KqJo2+cygLeCxO5oHEemlaWA+ln1W+0VDuWywdMta0TIohFRQBGQiM6YMN0I
HhygaInfySZpyScPGKjMUyxEQibSKFuamjOOZ5JuKpK71M6UiQSlBZfGSTyh8/rJ
nZqBbDQ60toGYeXmxLEAhIYWo1ypmA1hXdTNASMlTcz9hl3/wIIJewTdgm+fu+JX
D4Ohl6L76kE5YinL4IQuYfM4JIaVvf8lD1HGAMqTpo6CKLXm9AUz/zgvUpfEnUVP
ws/lVlBg8ornGHnAZ4IoMVA2O/sVraejqSaRA40Pjmc0EqMMhl4NV/mnoFcuC/AU
/o3mHXQ82qH85zr5N+FielGhLPxNxtgzLOolreSjWO+f0jzzeRVwQuf63n3C7Bsy
RUEljUBhPTA=
=ISBO
-----END PGP SIGNATURE-----

« Back to bulletins