(Cisco Issues Fix for Cisco Identity Services Engine) Struts Input Validation Flaw Lets Remote Users Modify Server-Side Context Objects
SecurityTracker Alert ID: 1030545|
SecurityTracker URL: http://securitytracker.com/id/1030545
(Links to External Site)
Date: Jul 9 2014
Modification of user information|
Fix Available: Yes Vendor Confirmed: Yes |
A vulnerability was reported in Struts. A remote user can modify server-side context objects. Cisco Identity Services Engine is affected.|
A remote user can bypass the '#'-usage protection built into the ParametersInterceptor function to manipulate server-side context objects.
Meder Kydyraliev, Google Security Team, reported this vulnerability.
A remote user can modify server-side context objects.|
Cisco has issued a fix for Cisco Identity Services Engine (18.104.22.1683-6, 22.214.171.1245-4, 126.96.36.1998-6, 188.8.131.52-9, 184.108.40.206-4, 220.127.116.11-4, and 18.104.22.1689).|
The Cisco advisory is available at:
Vendor URL: struts.apache.org/2.2.1/docs/s2-005.html (Links to External Site)
Access control error, Input validation error|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: Cisco Security Advisory: Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products|
-----BEGIN PGP SIGNED MESSAGE-----
Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
Advisory ID: cisco-sa-20140709-struts2
For Public Release 2014 July 9 16:00 UTC (GMT)
Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability identified by Apache with Common Vulnerabilities and Exposures ID CVE-2010-1870.
The vulnerability is due to insufficient sanitization on user-supplied input in the XWorks component of the affected software. The component uses the ParameterInterceptors directive to parse the Object-Graph Navigation Language (OGNL) expressions that are implemented via a whitelist feature. An attacker could exploit this vulnerability by sending crafted requests that contain OGNL expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on the targeted system.
Cisco has released free software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000 Series. Customers using Cisco Business Edition 3000 Series should contact their Cisco representative for available options.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
-----END PGP SIGNATURE-----
cust-security-announce mailing list
To unsubscribe, send the command "unsubscribe" in the subject of your message to email@example.com