Multiple Cisco products vulnerable to remote code execution due to Apache Struts bugs

Cisco Systems has issued a pair of advisories warning users that several of its products have been affected by vulnerabilities recently discovered in the Apache Struts 2 open-source web application framework.

There are currently no software updates that address these issues, Cisco has stated.

The most serious of the bugs is a critical remote code execution vulnerability stemming from an unsafe deserialization process. The vulnerability, designated CVE-2017-9805, allows attackers to seize control of any server running REST applications built with Struts.

Cisco confirmed in one advisory that CVE-2017-9805 has impacted the following products: MXE 3500 Series Media Experience Engines, Unified Contact Center Enterprise, Unified Intelligence Contact Management Enterprise, and Network Performance Analysis. As of Sept. 12, 2 p.m., Cisco is still investigating 14 other solutions to determine if they are also affected.

In the other advisory, Cisco stated that at least four of its products contain a remote code execution vulnerability (CVE-2017-12611) found in the FreeMarker tag functionality of the Apache Struts package. Products already confirmed vulnerable are Cisco's Digital Media Manager, Hosted Collaboration Solution for Contact Center, Unified Contact Center Enterprise, and Unified Intelligence Contact Management Enterprise. As of Sept. 12, 2 p.m., Cisco is still investigating 26 other solutions to determine if they are affected.

Cisco also said that some products were affected by two less serious Apache Struts bugs – a denial of service vulnerability in the REST plug-in (CVE-2017-9793) and a resource exhaustion DoS vulnerability in the URLValidator (CVE-2017-9804).

Apache Struts has been at the center of a firestorm after it was revealed that the enormous Equifax data breach that compromised the sensitive data of roughly 143 million U.S. consumers was likely made possible through attackers exploiting a Struts vulnerability.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
