ESB-2018.3513.9 - UPDATE [Cisco] Cisco products: Multiple vulnerabilities 2018-11-21

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.3513.9
      Apache Struts Commons FileUpload Library Remote Code Execution
           Vulnerability Affecting Cisco Products: November 2018
                             21 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1000031  

Reference:         ESB-2018.1307
                   ESB-2018.0372
                   ESB-2017.3099

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload

Revision History:  November 21 2018: Updated the lists of products under 
                                     investigation, vulnerable products, and 
                                     products confirmed not vulnerable. Updated 
                                     information about fixed release 
                                     availability.
                   November 20 2018: Updated the lists of products under 
                                     investigation, vulnerable products, and 
                                     products confirmed not vulnerable. Updated 
                                     information about fixed release 
                                     availability.
                   November 19 2018: Updated the lists of products under 
                                     investigation, vulnerable products, and 
                                     products confirmed not vulnerable.
                   November 16 2018: Updated the lists of products under 
                                     investigation, vulnerable products, and 
                                     products confirmed not vulnerable. Updated 
                                     information about fixed release 
                                     availability.
                   November 15 2018: Updated the lists of products under 
                                     investigation, vulnerable products, and 
                                     products confirmed not vulnerable. Updated 
                                     information about fixed release 
                                     availability.
                   November 14 2018: Updated the lists of products under 
                                     investigation, vulnerable products, and 
                                     products confirmed not vulnerable. Updated 
                                     information about fixed release 
                                     availability. Indicated that the Cisco TAC 
                                     is a resource for the Webex environment.
                   November 13 2018: Updated the lists of products under 
                                     investigation, vulnerable products, and 
                                     products confirmed not vulnerable. Updated 
                                     information about fixed release 
                                     availability.
                   November 12 2018: Updated the lists of products under 
                                     investigation, vulnerable products, and 
                                     products confirmed not vulnerable. Updated 
                                     information about fixed release 
                                     availability.
                   November  8 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Apache Struts Commons FileUpload Library Remote Code Execution Vulnerability
Affecting Cisco Products: November 2018

Priority:         Critical
Advisory ID:      cisco-sa-20181107-struts-commons-fileupload
First Published:  2018 November 7 00:00 GMT
Last Updated:     2018 November 20 18:56 GMT
Version 1.9:      Interim
Workarounds:      No workarounds available

CVE-2016-1000031
CWE-502

Summary

  o On November 5, 2018, the Apache Struts Team released a security
    announcement urging an upgrade of the Commons FileUpload library to version
    1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using
    earlier versions of this library may be exposed to attacks that could allow
    execution of arbitrary code or modifications of files on the system. The
    issue is caused by a previously reported vulnerability of the Apache
    Commons FileUpload library, assigned to CVE-2016-1000031.

    The vulnerability is due to insufficient validation of user-supplied input
    by the affected software. An attacker could exploit this vulnerability by
    submitting crafted data to an affected system. A successful exploit could
    allow the attacker to execute arbitrary code or manipulate files on the
    targeted system.

    This advisory will be updated as additional information becomes available.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload
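    As an added example (not part of the Cisco advisory or the AusCERT
    bulletin), the following Python script audits a deployment's JAR/WAR/EAR
    files for bundled copies of Commons FileUpload older than the 1.3.3 release
    named above, so an operator can check an application's own classpath rather
    than rely only on a vendor bug ID. The sample WAR it builds is constructed
    for illustration; the pom.properties path, the `app.war` name and all
    function names are assumptions.

```python
"""Added example, not part of the Cisco advisory: audit Java archives for
copies of Apache Commons FileUpload older than the 1.3.3 release it names."""
import io
import re
import zipfile
from typing import List, Optional, Tuple

FIXED_VERSION = (1, 3, 3)  # first release the Struts announcement calls safe
# Maven metadata path carried by the official commons-fileupload jar (assumed)
POM_PROPS = "META-INF/maven/commons-fileupload/commons-fileupload/pom.properties"
JAR_NAME_RE = re.compile(r"commons-fileupload-(\d+(?:\.\d+)*)[^/]*\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.3.2' -> (1, 3, 2); qualifiers such as '-SNAPSHOT' are ignored."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if match is None:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the library predates the fixed 1.3.3 release."""
    return parse_version(version) < FIXED_VERSION


def fileupload_version(jar: zipfile.ZipFile, jar_name: str) -> Optional[str]:
    """Commons FileUpload version inside a jar, or None if it is some other
    library. Embedded pom.properties is authoritative; the file name is only
    a fallback, because repackaged or shaded jars often drop Maven metadata."""
    if POM_PROPS in jar.namelist():
        for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    name_match = JAR_NAME_RE.search(jar_name)
    return name_match.group(1) if name_match else None


def audit_archive(data: bytes, name: str) -> List[Tuple[str, str, bool]]:
    """Walk an archive and every archive nested in it (WEB-INF/lib jars, wars
    inside ears) and report each FileUpload copy as (location, version, bad)."""
    findings: List[Tuple[str, str, bool]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        version = fileupload_version(archive, name)
        if version is not None:
            findings.append((name, version, is_vulnerable(version)))
        for entry in archive.namelist():
            if entry.lower().endswith((".jar", ".war", ".ear")):
                nested = f"{name}!/{entry}"  # jar-URL style location marker
                findings.extend(audit_archive(archive.read(entry), nested))
    return findings


def _zip_bytes(entries: dict) -> bytes:
    """Build an in-memory zip from {path: str or bytes} (for the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed sample, not a real deployment: a WAR carrying a repackaged
    1.3.2 jar that only its Maven metadata identifies, a 1.3.3 jar identified
    only by its file name, and an unrelated jar that must not be reported."""
    old_jar = _zip_bytes({
        POM_PROPS: "groupId=commons-fileupload\nartifactId=commons-fileupload\n"
                   "version=1.3.2\n",
        "org/apache/commons/fileupload/disk/DiskFileItem.class": b"",
    })
    new_jar = _zip_bytes({"org/apache/commons/fileupload/FileUpload.class": b""})
    other_jar = _zip_bytes({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    return _zip_bytes({
        "WEB-INF/lib/fileupload-bundled.jar": old_jar,
        "WEB-INF/lib/commons-fileupload-1.3.3.jar": new_jar,
        "WEB-INF/lib/commons-io-2.2.jar": other_jar,
    })


if __name__ == "__main__":
    for location, version, bad in audit_archive(build_sample_war(), "app.war"):
        print(f"{'VULNERABLE' if bad else 'ok'}: {location} ({version})")
```

    The sample run flags the repackaged 1.3.2 copy and passes the 1.3.3 one;
    feed `audit_archive` the bytes of a real WAR to check a deployment.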

Affected Products

  o Cisco is investigating its product line to determine which products and
    services may be affected by this vulnerability.

    The Vulnerable Products section of this advisory will include Cisco bug IDs
    for each affected product or service. The bugs are accessible through the
    Cisco Bug Search Tool and contain additional platform-specific information,
    including workarounds (if available) and fixed software releases.

    Any product or service not listed in the "Products Under Investigation" or
    "Vulnerable Products" section of this advisory is to be considered not
    vulnerable. Because this is an ongoing investigation, be aware that
    products and services that are currently considered not vulnerable may
    subsequently be considered vulnerable as additional information becomes
    available.

    Products Under Investigation

    The following products are under active investigation to determine whether
    they are affected by the vulnerability that is described in this advisory.

    Cisco Cloud Hosted Services
      - Cisco Network Performance Analysis

    Vulnerable Products

    The following list gives the Cisco products and services that are affected
    by the vulnerability that is described in this advisory, each with its
    Cisco bug ID and fixed release availability. The software availability
    dates are estimates, and actual software availability may differ from the
    dates provided. Where no fixed release is shown, none was listed at the
    time of this revision.

    Collaboration and Social Media
      - Cisco SocialMiner (CSCvn22343): Patch file available for 11.5/11.6 in
        Dec 2018; 12.0.1 (Jan 2019)
      - Cisco Webex Meetings Server (CSCvn18895): 3.0MR2 Security Patch 2
        (Dec 2018)

    Endpoint Clients and Client Software
      - Cisco Webex Management - SuperAdmin Control Panel (CSCvn18901)

    Network and Content Security Devices
      - Cisco Identity Services Engine (ISE) (CSCvn17524): 2.2 Patch 12
        (Nov 2018); 2.4 Patch 5 (Nov 2018); 2.5 (Dec 2018)
      - Cisco Secure Access Control System (ACS) (CSCvn18934): No fix planned

    Network Management and Provisioning
      - Cisco Prime Collaboration Provisioning (CSCvn18919): 12.6 (Nov 2018)
      - Cisco Prime Infrastructure (CSCvn18917): 3.5 (Dec 2018)
      - Cisco Prime License Manager (CSCvn18924): 10.5.2 (Dec 2018);
        11.5.1 (Dec 2018)
      - Cisco Prime Network Registrar IP Address Manager (IPAM) (CSCvn18913):
        No fix planned
      - Cisco Prime Network (CSCvn18910): 5.2 (May 2019)
      - Cisco Prime Service Catalog (CSCvn22307): 12.1 v7 Patch (Dec 2018)

    Routing and Switching - Enterprise and Service Provider
      - Cisco IOx Fog Director (CSCvn19758): 1.8 (Feb 2019)
      - Cisco IoT Field Network Director (formerly Cisco Connected Grid Network
        Management System) (CSCvn20600): 4.3.2 (Dec 2018)

    Voice and Unified Communications Devices
      - Cisco Emergency Responder (CSCvn18956): 12.5.1 (Dec 2018)
      - Cisco Enterprise Chat and Email (CSCvn18957)
      - Cisco Finesse (CSCvn22344): Patch file available for 11.6 in Dec 2018;
        12.0.1 (Jan 2019)
      - Cisco Hosted Collaboration Mediation Fulfillment (CSCvn18961):
        11.5(4) (Available)
      - Cisco Hosted Collaboration Solution for Contact Center (CSCvn18962):
        12.0.1 (Jan 2019)
      - Cisco MediaSense (CSCvn22346): No fix planned
      - Cisco Unified Communications Manager IM & Presence Service (formerly
        CUPS) (CSCvn18959): 12.5.1 (Dec 2018)
      - Cisco Unified Communications Manager (CSCvn18952): 12.5.1 (Dec 2018)
      - Cisco Unified Contact Center Enterprise (CSCvn18888): 12.0.1 (Jan 2019)
      - Cisco Unified Contact Center Express (CSCvn18955): Patch file available
        for 11.5/11.6 in Dec 2018; 12.0.1 (Jan 2019)
      - Cisco Unified E-Mail Interaction Manager (CSCvn18958): No fix planned
      - Cisco Unified Intelligence Center (CSCvn18887): Patch file available
        for 11.5/11.6 in Dec 2018; 12.0.1 (Jan 2019)
      - Cisco Unified Intelligent Contact Management Enterprise (CSCvn18888):
        12.0.1 (Jan 2019)
      - Cisco Unified Web Interaction Manager (CSCvn18958): No fix planned
      - Cisco Unity Connection (CSCvn18954): 12.5.1 (Dec 2018)
      - Cisco Virtualized Voice Browser (CSCvn18963): Patch file available for
        11.5/11.6 in Dec 2018; 12.0.1 (Jan 2019)

    Video, Streaming, TelePresence, and Transcoding Devices
      - Cisco Video Distribution Suite for Internet Streaming (VDS-IS)
        (CSCvn18928)

    Wireless
      - Cisco Mobility Services Engine (CSCvn22305)
      - Cisco Universal Small Cell RAN Management System (USC RMS) (CSCvn18939):
        No fix planned

    Cisco Cloud Hosted Services
      - Cisco Prime Network Change and Configuration Management (CSCvn19865):
        3.6.1 (Dec 2018); 3.7 (Mar 2019)
      - Cisco Smart Net Total Care - Contracts Information System Process
        Controller (CSCvn18884): 4.3.6 (Dec 2018)
      - Cisco Webex Event Center (CSCvn24113)
      - Cisco Webex Meetings (CSCvn18908)


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    products and services:

    Network Application, Service, and Acceleration
      - Cisco Data Center Network Manager

    Network and Content Security Devices
      - Cisco Firepower Management Center
      - Cisco Stealthwatch Endpoint Concentrator
      - Cisco Stealthwatch FlowCollector NetFlow
      - Cisco Stealthwatch FlowCollector sFlow
      - Cisco Stealthwatch FlowSensor
      - Cisco Stealthwatch Management Console (SMC)
      - Cisco Stealthwatch UDP Director

    Network Management and Provisioning
      - Cisco Prime Access Registrar
      - Cisco Prime Central for Service Providers
      - Cisco Prime Collaboration Assurance
      - Cisco Prime Collaboration Deployment
      - Cisco Prime LAN Management Solution
      - Cisco Prime Provisioning
      - Cisco Security Manager

    Routing and Switching - Enterprise and Service Provider
      - Cisco Broadband Access Center for Telco and Wireless

    Unified Computing
      - Cisco HyperFlex System

    Voice and Unified Communications Devices
      - Cisco Unified Customer Voice Portal
      - Cisco Unified SIP Proxy Software
      - Cisco Unified Survivable Remote Site Telephony Manager
      - Cisco Unity Express

    Video, Streaming, TelePresence, and Transcoding Devices
      - Cisco StadiumVision Director
      - Cisco TelePresence Management Suite

    Cisco Cloud Hosted Services
      - Cisco Business Video Services Automation Software
      - Cisco Cloud Web Security
      - Cisco Common Services Platform Collector
      - Cisco Network Device Security Assessment Service
      - Cisco Smart Net Total Care - On-Premises
      - Cisco Smart Net Total Care
      - Cisco Unified Service Delivery Platform
      - Cisco Webex Meeting Center
      - Cisco Webex Network-Based Recording (NBR) Management

Workarounds

  o Any workarounds for a specific Cisco product or service will be documented
    in product-specific or service-specific Cisco bugs, which are identified in
    the Vulnerable Products section of this advisory.

Fixed Software

  o For information about fixed software releases, consult the Cisco bugs
    identified in the Vulnerable Products section of this advisory. Questions
    concerning the Webex environment may be directed to the Cisco Technical
    Assistance Center (TAC).

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    TAC or their contracted maintenance providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any malicious use of the vulnerability that is described in this advisory.

Source

  o On November 5, 2018, the Apache Software Foundation released a security
    announcement titled "Immediately upgrade commons-fileupload to version
    1.3.3 when running Struts 2.3.36 or prior".

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Apache Struts commons-fileupload Library DiskFileItem File Manipulation
    Arbitrary Code Execution Vulnerability

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload

Revision History

  o 
    +---------+-----------------------+--------------+---------+------------------+
    | Version |      Description      |   Section    | Status  |       Date       |
    +---------+-----------------------+--------------+---------+------------------+
    |         | Updated the lists of  |              |         |                  |
    |         | products under        | Affected     |         |                  |
    |         | investigation,        | Products,    |         |                  |
    |         | vulnerable products,  | Vulnerable   |         |                  |
    | 1.9     | and products          | Products,    | Interim | 2018-November-20 |
    |         | confirmed not         | Products     |         |                  |
    |         | vulnerable. Updated   | Confirmed    |         |                  |
    |         | information about     | Not          |         |                  |
    |         | fixed release         | Vulnerable   |         |                  |
    |         | availability.         |              |         |                  |
    +---------+-----------------------+--------------+---------+------------------+
    |         | Updated the lists of  |              |         |                  |
    |         | products under        | Affected     |         |                  |
    |         | investigation,        | Products,    |         |                  |
    |         | vulnerable products,  | Vulnerable   |         |                  |
    | 1.8     | and products          | Products,    | Interim | 2018-November-19 |
    |         | confirmed not         | Products     |         |                  |
    |         | vulnerable. Updated   | Confirmed    |         |                  |
    |         | information about     | Not          |         |                  |
    |         | fixed release         | Vulnerable   |         |                  |
    |         | availability.         |              |         |                  |
    +---------+-----------------------+--------------+---------+------------------+
    |         | Updated the lists of  | Affected     |         |                  |
    |         | products under        | Products,    |         |                  |
    |         | investigation,        | Vulnerable   |         |                  |
    | 1.7     | vulnerable products,  | Products,    | Interim | 2018-November-16 |
    |         | and products          | Products     |         |                  |
    |         | confirmed not         | Confirmed    |         |                  |
    |         | vulnerable.           | Not          |         |                  |
    |         |                       | Vulnerable   |         |                  |
    +---------+-----------------------+--------------+---------+------------------+
    |         | Updated the lists of  |              |         |                  |
    |         | products under        | Affected     |         |                  |
    |         | investigation,        | Products,    |         |                  |
    |         | vulnerable products,  | Vulnerable   |         |                  |
    | 1.6     | and products          | Products,    | Interim | 2018-November-15 |
    |         | confirmed not         | Products     |         |                  |
    |         | vulnerable. Updated   | Confirmed    |         |                  |
    |         | information about     | Not          |         |                  |
    |         | fixed release         | Vulnerable   |         |                  |
    |         | availability.         |              |         |                  |
    +---------+-----------------------+--------------+---------+------------------+
    |         | Updated the lists of  |              |         |                  |
    |         | products under        | Affected     |         |                  |
    |         | investigation,        | Products,    |         |                  |
    |         | vulnerable products,  | Vulnerable   |         |                  |
    | 1.5     | and products          | Products,    | Interim | 2018-November-14 |
    |         | confirmed not         | Products     |         |                  |
    |         | vulnerable. Updated   | Confirmed    |         |                  |
    |         | information about     | Not          |         |                  |
    |         | fixed release         | Vulnerable   |         |                  |
    |         | availability.         |              |         |                  |
    +---------+-----------------------+--------------+---------+------------------+
    |         | Updated the lists of  |              |         |                  |
    |         | products under        |              |         |                  |
    |         | investigation,        | Affected     |         |                  |
    |         | vulnerable products,  | Products,    |         |                  |
    |         | and products          | Vulnerable   |         |                  |
    |         | confirmed not         | Products,    |         |                  |
    | 1.4     | vulnerable. Updated   | Products     | Interim | 2018-November-13 |
    |         | information about     | Confirmed    |         |                  |
    |         | fixed release         | Not          |         |                  |
    |         | availability.         | Vulnerable,  |         |                  |
    |         | Indicated that the    | Fixed        |         |                  |
    |         | Cisco TAC is a        | Software     |         |                  |
    |         | resource for the      |              |         |                  |
    |         | Webex environment.    |              |         |                  |
    +---------+-----------------------+--------------+---------+------------------+
    |         | Updated the lists of  |              |         |                  |
    |         | products under        | Affected     |         |                  |
    |         | investigation,        | Products,    |         |                  |
    |         | vulnerable products,  | Vulnerable   |         |                  |
    | 1.3     | and products          | Products,    | Interim | 2018-November-12 |
    |         | confirmed not         | Products     |         |                  |
    |         | vulnerable. Updated   | Confirmed    |         |                  |
    |         | information about     | Not          |         |                  |
    |         | fixed release         | Vulnerable   |         |                  |
    |         | availability.         |              |         |                  |
    +---------+-----------------------+--------------+---------+------------------+
    |         | Updated the lists of  |              |         |                  |
    |         | products under        | Affected     |         |                  |
    |         | investigation,        | Products,    |         |                  |
    |         | vulnerable products,  | Vulnerable   |         |                  |
    | 1.2     | and products          | Products,    | Interim | 2018-November-09 |
    |         | confirmed not         | Products     |         |                  |
    |         | vulnerable. Updated   | Confirmed    |         |                  |
    |         | information about     | Not          |         |                  |
    |         | fixed release         | Vulnerable   |         |                  |
    |         | availability.         |              |         |                  |
    +---------+-----------------------+--------------+---------+------------------+
    |         | Updated the lists of  | Affected     |         |                  |
    |         | products under        | Products,    |         |                  |
    |         | investigation,        | Vulnerable   |         |                  |
    | 1.1     | vulnerable products,  | Products,    | Interim | 2018-November-08 |
    |         | and products          | Products     |         |                  |
    |         | confirmed not         | Confirmed    |         |                  |
    |         | vulnerable.           | Not          |         |                  |
    |         |                       | Vulnerable   |         |                  |
    +---------+-----------------------+--------------+---------+------------------+
    | 1.0     | Initial public        | --           | Interim | 2018-November-07 |
    |         | release.              |              |         |                  |
    +---------+-----------------------+--------------+---------+------------------+

Legal Disclaimer

  o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO
    UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================