It’s a bad week for all things network security: Cisco issued 20 Security Advisories and Alerts – two critical and three high-impact – that customers should review and patch where they can.
Cisco, like other big enterprise vendors, regularly issues security warnings, but 20 in one day is an unusual number for the networking giant. Others, like Microsoft and Oracle, issue large batches of security bulletins monthly, mostly without much fanfare; Microsoft’s March release, for example, contained 18 security bulletins split into nine critical and nine important updates.
According to Cisco however there is a reason for the uptick:
“To better help our customers plan for managing their network updates in response to published advisories, we have begun to also include "medium" severity advisories as part of the more structured disclosure process. In the past, medium vulnerabilities were published as soon as the necessary information was available, but not according to a pre-determined timeline. The higher number today is due to this change in process, though not indicative of an overall increase in disclosures,” Cisco told Network World. Until recently Cisco generally published Cisco Security Advisories only for vulnerabilities with a severity rating of "high" or "critical." Indeed, in this week’s list, 15 of the 20 were rated “medium.”
This week the two critical warnings concerned the Apache Struts vulnerability disclosed last week and an authentication exposure in Cisco’s Mobility Express 1800 Series Access Points.
Cisco's security team last week called the weakness in Apache Struts “critical” and this week began publishing a list of vulnerable products, which it is updating as it learns of them. Among them are Cisco Unified Communications Manager IM & Presence Service, Cisco Unified Communications Manager Session Management Edition and Cisco Unified Communications Manager; all have patches available to address the problem, Cisco said.
Last week Apache disclosed a vulnerability in the Jakarta multipart parser used in Apache Struts 2 that could let a remote attacker execute commands on the targeted system by sending a crafted Content-Type header value.
Cisco wrote in its warning: “The vulnerability is due to improper handling of the Content-Type header value when performing a file upload based on the Jakarta multipart parser of the affected software. An attacker could exploit this vulnerability by persuading a targeted user to upload a malicious file. Once the Jakarta multipart parser of the affected application uploads the file, the attacker could have the ability to execute arbitrary code. Any workarounds, when available, will be documented in the Cisco bugs, which are accessible through the Cisco Bug Search Tool. Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.”
The other critical warning came for Cisco Mobility Express. In that wireless LAN product, the vulnerability is due to improper implementation of authentication for accessing certain web pages using the GUI interface. “An attacker could exploit this vulnerability by sending a crafted HTTP request to the web interface of the affected system. A successful exploit could allow the attacker to bypass authentication and perform unauthorized configuration changes or issue control commands to the affected device. This vulnerability affects Cisco Mobility Express 1800 Series Access Points running a software version prior to 22.214.171.124,” Cisco wrote in the advisory.