
Patch round-up: Cisco repairs RCE bug; notable fixes from VMware, Google, Adobe


Cisco Systems on Wednesday fixed a critical remote code execution vulnerability in its Unified Contact Center Express solution -- one of a flurry of patches and bug disclosures announced this week by tech giants such as Microsoft, Apple and Google.

Found in Unified CCX's Java Remote Management Interface, the critical Cisco flaw -- with a CVSS base score of 9.8 -- is caused by insecure deserialization of user-supplied content. Unauthenticated, remote hackers could exploit it using a malicious serialized Java object in order to execute arbitrary code as the root user, Cisco warns in an advisory.

Cisco also fixed four other bugs -- a denial of service vulnerability of high importance in the DHCP server of the Prime Network Registrar, and three flaws deemed to be of medium importance.

Other vulnerabilities and patches announced this week:

VMware issued a patch for its VMware Cloud Director to amend an important code injection vulnerability (CVE-2020-3956, CVSS base score of 8.8). "An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access," explains a company security advisory.

Google announced Chrome browser version 83.0.4103.61 for Windows, Mac and Linux. This latest iteration addresses 38 bugs, five of which are rated high, including a use-after-free in reader mode that earned a $20,000 bug bounty.

Adobe Systems unveiled security updates for three important information disclosure bugs in Premiere Pro (CVE-2020-9616), Audition (CVE-2020-9618) and Premiere Rush (CVE-2020-9617).

Microsoft fixed an elevation of privilege vulnerability in its Chromium-based Edge browser (CVE-2020-1195) and released a security advisory that recommends a workaround and a mitigation for an unpatched "vulnerability involving packet amplification" affecting Windows DNS servers.

Apple announced a single fix in its integrated development environment Xcode 11.5, available for macOS Catalina 10.15.2 and later. The repair eliminates an issue (CVE-2020-11008) in which a crafted git URL could have caused credential information to be provided for the wrong host.

Bradley Barth
