4-Year-Old Vulnerability Patched

Tuesday, July 15, 2014 @ 01:07 PM gHale


A security issue first reported in July 2010 as a vulnerability in Apache Struts 2, which allows an attacker to execute arbitrary code on an affected system, has now been patched by Cisco.

The problem occurred because of improper sanitization of input in the XWork component of Apache Struts 2. An attacker could use a maliciously crafted Object-Graph Navigation Language (OGNL) expression to compromise a vulnerable system.


As noted in the original report on the issue, identified as CVE-2010-1870, the OGNL expression evaluation relies on a whitelist that does not restrict modification of server-side context objects and circumvents the available “#” protection mechanism in the ParameterInterceptors directive.
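The defensive lesson of that report is that rejecting parameter names by a known-bad prefix (the “#” rule) is not enough; only names matching the narrow shape a property path actually needs should ever reach the expression evaluator. The following added example, which is not Struts, XWork or Cisco code, illustrates that contrast in Python (chosen so it runs stand-alone rather than in a Java web container): a strict allowlist validator for parameter names beside the weaker prefix-only check, plus a small scanner that flags requests in constructed access-log lines whose query strings carry names outside the allowlist. The regular expressions, the function names and the log lines are all assumptions made for the illustration.

```python
"""
Allowlist validation of HTTP parameter names, as a defensive illustration of the
flaw class described above: attacker-controlled parameter names being evaluated
as OGNL expressions. Added example, not code from Struts, XWork or Cisco.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Strict allowlist (assumed shape): a dotted chain of Java-style identifiers,
# each optionally followed by an integer index, e.g. "user.name" or
# "order.items[2].qty". Anything else, including '#', '(', ')', '%', '{', '}',
# '=', quotes and whitespace, is rejected outright.
IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
SAFE_PARAM_NAME = re.compile(rf"^{IDENT}(\[\d+\])?(\.{IDENT}(\[\d+\])?)*$")


def is_safe_param_name(name: str) -> bool:
    """Hardened check: accept only names that look like a plain property path."""
    return bool(SAFE_PARAM_NAME.fullmatch(name))


def weak_prefix_check(name: str) -> bool:
    """The inadequate approach: a denylist that only looks at the first character.
    A name carrying '#' anywhere but the front passes this check."""
    return not name.startswith("#")


def filter_params(params):
    """Split raw (name, value) pairs into those accepted by the allowlist and the
    names that were rejected, so the caller can log and drop the latter."""
    accepted, rejected = {}, []
    for name, value in params:
        if is_safe_param_name(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


# Detection side: Common Log Format lines (constructed sample data, not a real
# capture). '#' must be percent-encoded (%23) to reach the server at all, since a
# literal '#' starts the URL fragment; parse_qsl decodes it back for us.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jul/2014:13:07:01 +0000] "GET /app/login.action?user.name=bob HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Jul/2014:13:07:02 +0000] "GET /app/login.action?user.name=bob&%23ctx.x=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Jul/2014:13:07:03 +0000] "POST /app/order.action?order.items[0].qty=2 HTTP/1.1" 302 0',
]

LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')


def scan_access_log(lines):
    """Return (line_number, [offending parameter names]) for every request whose
    query string contains a parameter name outside the allowlist."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("path")).query
        names = [n for n, _ in parse_qsl(query, keep_blank_values=True)]
        bad = [n for n in names if not is_safe_param_name(n)]
        if bad:
            hits.append((line_no, bad))
    return hits


if __name__ == "__main__":
    for name in ("user.name", "order.items[0].qty", "#ctx.x", "user.#ctx", "a(b)"):
        print(f"{name!r:22} allowlist={is_safe_param_name(name)!s:5} "
              f"prefix-only={weak_prefix_check(name)}")
    print("log hits:", scan_access_log(SAMPLE_LOG))
```

Running the module prints, for each constructed name, whether the allowlist and the prefix-only check accept it; the second sample log line is the only one flagged, because its second parameter name decodes to one beginning with “#”. The same validator shape applies to any framework that binds request parameters to object properties by name: decide what a legitimate property path looks like and refuse everything else before it reaches an expression engine.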

The list of Cisco products affected by the security issue comprises Cisco Business Edition 3000 Series, Cisco Identity Services Engine (ISE), Cisco Media Experience Engine (MXE) 3500 Series, and Cisco Unified Contact Center Enterprise (Cisco Unified CCE).

The company said there are free updates mitigating the problem, except for the Cisco Business Edition 3000 Series. Customers who use this product should “contact their Cisco representative for available options.”

Where possible, updating to the latest version of the product is the only solution, as Cisco provided no workarounds for mitigating the risks caused by this vulnerability.
