Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products

2014-07-0916:00:00

tools.cisco.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS

0.065

Percentile

93.8%

JSON

Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability identified by Apache with Common Vulnerabilities and Exposures ID CVE-2010-1870.

The vulnerability is due to insufficient sanitization on user-supplied input in the XWorks component of the affected software. The component uses the ParameterInterceptors directive to parse the Object-Graph Navigation Language (OGNL) expressions that are implemented via a whitelist feature. An attacker could exploit this vulnerability by sending crafted requests that contain OGNL expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on the targeted system.

Cisco has released software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000 Series. Customers using Cisco Business Edition 3000 Series should contact their Cisco representative for available options.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2 [“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2”]

Affected configurations

Vulners

Node

ciscounified_contact_center_expressMatchany

ciscoidentity_services_engine_softwareMatchany

ciscobusiness_edition_3000_softwareMatchany

ciscomedia_experience_engineMatchany

ciscounified_contact_center_expressMatchany

ciscoidentity_services_engine_softwareMatchany

ciscobusiness_edition_5000Match3000_software

ciscocisco_mxeMatch3500_\(media_experience_engine\)

VendorProductVersionCPE
ciscounified_contact_center_expressanycpe:2.3:a:cisco:unified_contact_center_express:any:*:*:*:*:*:*:*
ciscoidentity_services_engine_softwareanycpe:2.3:a:cisco:identity_services_engine_software:any:*:*:*:*:*:*:*
ciscobusiness_edition_3000_softwareanycpe:2.3:a:cisco:business_edition_3000_software:any:*:*:*:*:*:*:*
ciscomedia_experience_engineanycpe:2.3:a:cisco:media_experience_engine:any:*:*:*:*:*:*:*
ciscobusiness_edition_50003000_softwarecpe:2.3:h:cisco:business_edition_5000:3000_software:*:*:*:*:*:*:*
ciscocisco_mxe3500_(media_experience_engine)cpe:2.3:a:cisco:cisco_mxe:3500_\(media_experience_engine\):*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	unified_contact_center_express	any	cpe:2.3:a:cisco:unified_contact_center_express:any:::::::*
cisco	identity_services_engine_software	any	cpe:2.3:a:cisco:identity_services_engine_software:any:::::::*
cisco	business_edition_3000_software	any	cpe:2.3:a:cisco:business_edition_3000_software:any:::::::*
cisco	media_experience_engine	any	cpe:2.3:a:cisco:media_experience_engine:any:::::::*
cisco	business_edition_5000	3000_software	cpe:2.3:h:cisco:business_edition_5000:3000_software:::::::*
cisco	cisco_mxe	3500_(media_experience_engine)	cpe:2.3:a:cisco:cisco_mxe:3500_\(media_experience_engine\):::::::*