Category:   Application (Generic)  >   Cisco Prime Service Catalog
Vendors:   Cisco
Cisco Prime Service Catalog XML External Entity Parsing Flaw Lets Remote Authenticated Users Deny Service and Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1031658
SecurityTracker URL:  http://securitytracker.com/id/1031658
CVE Reference:   CVE-2015-0581
Date:  Jan 28 2015
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 10.1
Description:   A vulnerability was reported in Cisco Prime Service Catalog. A remote authenticated user can cause denial of service conditions. A remote authenticated user can obtain potentially sensitive information.

A remote authenticated user can supply a specially crafted HTTP request to the Prime Service Catalog Simple Object Access Protocol (SOAP) interface to trigger an XML parsing flaw and consume excessive resources on the target system or obtain potentially sensitive data (e.g., private keys, passwords) on the target system.

The vendor has assigned bug ID CSCup92880 to this vulnerability.
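
A defensive illustration of the parsing flaw described above, added here and not taken from Cisco's fix or from this SecurityTracker entry: a Python pre-parse guard that refuses any SOAP request carrying a DOCTYPE declaration, which SOAP 1.1 forbids in any case. The function name `inspect_soap`, the sample requests, and the use of Python's expat binding are assumptions made for the example.

```python
import xml.parsers.expat as expat

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample requests (not captured traffic).
ENVELOPE = ('<soap:Envelope xmlns:soap="%s"><soap:Body><getStatus/>'
            '</soap:Body></soap:Envelope>' % SOAP11_NS).encode()
CLEAN = b'<?xml version="1.0"?>' + ENVELOPE
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE x [<!ENTITY e "constructed">]>' + ENVELOPE)


class DtdForbidden(ValueError):
    """Raised as soon as the parser meets a DOCTYPE declaration."""


def inspect_soap(body: bytes):
    """Return (accepted, detail) for a SOAP 1.1 request body.

    The DOCTYPE handler fires before any entity declaration is processed,
    so neither internal expansion nor external resolution can take place.
    """
    roots = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden(f"DOCTYPE {name!r} present")

    def on_start(name, attrs):
        if not roots:
            roots.append(name)  # "namespace-uri local-name" of the root

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except DtdForbidden as exc:
        return False, f"rejected: {exc}"
    except expat.ExpatError as exc:
        return False, f"malformed: {exc}"
    if roots[0] != f"{SOAP11_NS} Envelope":
        return False, f"unexpected root {roots[0]!r}"
    return True, "ok"


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("with DTD", WITH_DTD)):
        print(label, inspect_soap(sample))
```

A guard like this only reduces exposure in front of an unpatched parser; the vendor fix listed under Solution remains the remedy.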

Impact:   A remote authenticated user can consume excessive resources on the target system.

A remote authenticated user can obtain potentially sensitive data (e.g., private keys, passwords) on the target system.

Solution:   The vendor has issued a fix (10.1). The vendor has issued patches for 9.4.1, 9.4.1R2, 10.0, and 10.0R2.

The vendor's advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-psc-xmlee

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-psc-xmlee
Cause:   Access control error, Input validation error

Message History:   None.


Source Message Contents

Subject:  Cisco Security Advisory: Cisco Prime Service Catalog XML External Entity Processing Vulnerability

Cisco Security Advisory: Cisco Prime Service Catalog XML External Entity Processing Vulnerability

Advisory ID: cisco-sa-20150128-psc-xmlee

Revision 1.0

For Public Release 2015 January 28 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the configuration of the XML parser of Cisco Prime Service Catalog could allow an authenticated, remote attacker to access sensitive data stored on the host operating system or cause system resource consumption that could cause a denial of service condition.

Cisco has released free software updates that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-psc-xmlee