Cisco Systems on Wednesday fixed a critical remote code execution vulnerability in its Unified Contact Center Express solution -- one of a flurry of patches and bug disclosures announced this week by tech giants such as Microsoft, Apple and Google.
Found in Unified CCX's Java Remote Management Interface, the critical Cisco flaw -- with a CVSS base score of 9.8 -- is caused by insecure deserialization of user-supplied content. Unauthenticated, remote hackers could exploit it using a malicious serialized Java object in order to execute arbitrary code as the root user, Cisco warns in an advisory.
Cisco also fixed four other bugs -- a denial of service vulnerability of high importance in the DHCP server of the Prime Network Registrar, and three flaws deemed to be of medium importance.
Other vulnerabilities and patches announced this week:
VMware issued a patch for its VMware Cloud Director to amend an important code injection vulnerability (CVE-2020-3956, CVSS base score of 8.8). "An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access," explains a company security advisory.
Google announced Chrome browser version 83.0.4103.61 for Windows, Max and Linux. This latest iteration addresses 38 bugs, five of which are rated high, including a use-after-free in reader mode that earned a $20,000 bug bounty.
Microsoft fixed an elevation of privilege vulnerability in its Chromium-based Edge browser (CVE-2020-1195) and released a security advisory that recommends a workaround and a mitigation for an unpatched "vulnerability involving packet amplification" affecting Windows DNS servers.
Apple announced a single fix in its integrated development environment Xcode 11.5, available for macOS Catalina 10.15.2 and later. The repair eliminates a issue (CVE-2020-11008) in a crafted git URL that could have caused credential information to be provided for the wrong host.