Cisco Patches Data Center Holes
Tuesday, September 8, 2015 @ 05:09 PM gHale
Cisco released a patch for a remotely exploitable vulnerability affecting its UCS Director and Integrated Management Controller (IMC) Supervisor.
Cisco UCS Director is a unified infrastructure management solution, and Cisco IMC Supervisor is a centralized management solution for C-series and E-series servers.
Both products contain a vulnerability that allows a remote, unauthenticated attacker to overwrite arbitrary files by sending specially crafted HTTP requests to the affected system, which can result in system instability or a denial-of-service (DoS) condition.
The vulnerability lies in the JavaServer Pages (JSP) input validation routines and stems from improper input sanitization on certain JSP pages, Cisco said in an advisory.
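The defect class the advisory names, a request parameter that is used to build a file path without adequate sanitization, is illustrated below in Java, since JSP handlers are Java code. This is an added example written for this page, not Cisco's code and not derived from the advisory; the parameter name, base directory and sample inputs are constructed assumptions. It shows the containment check a handler needs before writing to a path that came from an HTTP request.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

/**
 * Hypothetical hardening for a handler that writes to a file named by an
 * HTTP parameter. Not Cisco code; "fileName"-style input and the base
 * directory are assumptions made for this illustration.
 */
public final class SafeFileTarget {

    /** Whitelist: a plain file name of letters, digits, dot, dash, underscore. */
    private static final Pattern SIMPLE_NAME =
            Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$");

    /**
     * Resolve a user-supplied name to a path strictly inside baseDir.
     * Throws IllegalArgumentException for anything that could escape the
     * directory: separators, "..", NUL bytes, absolute paths.
     */
    public static Path resolveInside(Path baseDir, String userSupplied) {
        if (userSupplied == null || userSupplied.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected: null or contains NUL");
        }
        // The whitelist rejects "/", "\\" and ".." outright.
        if (!SIMPLE_NAME.matcher(userSupplied).matches()) {
            throw new IllegalArgumentException("rejected: not a simple file name");
        }
        // Defence in depth: normalise and confirm containment even though the
        // whitelist already excludes traversal sequences.
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(userSupplied).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("rejected: escapes base directory");
        }
        return target;
    }

    /** Demonstration against constructed inputs (no real endpoints involved). */
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads");
        String[] samples = {
            "report.txt",            // accepted
            "../../etc/passwd",      // rejected by whitelist (contains '/')
            "/etc/shadow",           // rejected by whitelist (absolute path)
            "..\\..\\boot.ini",      // rejected by whitelist (contains '\\')
            "ok.txt\0.jsp",          // rejected: NUL byte
        };
        for (String s : samples) {
            try {
                Path p = resolveInside(base, s);
                System.out.println("ACCEPT " + s + " -> " + p);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The whitelist does the real work; the normalise-and-`startsWith` check is kept as a second, independent layer so that a later loosening of the pattern (to allow subdirectories, say) still cannot turn a request parameter into a write outside the intended directory.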
Cisco IMC Supervisor versions prior to 184.108.40.206 and Cisco UCS Director versions prior to 220.127.116.11 are affected by the vulnerability.
The security hole has a CVSS score of 7.8, which puts it in the high severity category.
Cisco said the flaw was discovered by its own security team and that there is no evidence of active exploitation.
Cisco said users should apply the software updates it has released to prevent potential incidents; no workaround is available.