Cisco Working to Fix Deserialization Woes

Friday, December 11, 2015 @ 05:12 PM gHale

Cisco is looking to fire up fixes for a Java deserialization vulnerability.

Cisco started looking into the issue after FoxGlove Security showed in November how Java deserialization vulnerabilities can end up exploited for remote code execution via the Apache Commons Collections library.
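The core of the problem described above is that a Java ObjectInputStream instantiates whatever class the incoming bytes name, so any "gadget" class already on the classpath (the Apache Commons Collections transformers in FoxGlove's case) can be driven by untrusted data. The standard mitigation, shown here as an added example that is neither Cisco's nor the article's code, is a look-ahead stream that checks each class name against an allowlist before anything is instantiated; `AllowlistObjectInputStream` and `roundTrip` are hypothetical names chosen for this example.

```java
import java.io.*;
import java.util.*;

// Look-ahead ObjectInputStream: every class descriptor in the stream is checked
// against an allowlist in resolveClass(), which runs before the JVM creates the
// object. Unexpected classes (e.g. Commons Collections gadgets) are refused.
public class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Fail closed: a class that is not expected never reaches instantiation.
            throw new InvalidClassException(name, "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Serialize a constructed sample object and read it back through the allowlist.
    static Object roundTrip(Object obj, Set<String> allowed) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Only java.util.Date is expected by this (hypothetical) consumer.
        Set<String> allowed = Collections.singleton("java.util.Date");
        System.out.println("accepted: " + roundTrip(new Date(0L), allowed));
        try {
            roundTrip(new ArrayList<String>(), allowed); // ArrayList is not allowlisted
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same fail-closed policy is what the later built-in `ObjectInputFilter` (JEP 290) provides on current JVMs; the override above is the approach that works on the Java versions in use when this advisory appeared.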


Cisco launched an investigation to determine which of its products suffer from the Java deserialization vulnerability. The list so far includes the following product categories: Cable modems, collaboration and social media, routing and switching, network application, network and content security devices, network management and provisioning, voice and unified communications devices, video and telepresence devices, and hosted services.

Cisco said it will release software updates that patch the vulnerability (CVE-2015-4852), which the company has rated as “high” severity. There are no workarounds to mitigate the flaw.

The networking giant also said it released software updates to address a critical vulnerability in its Cisco Prime Collaboration Assurance (PCA) product.

The vulnerability, caused by an undocumented account with a default and static password (CVE-2015-6389), allows a remote, unauthenticated attacker to log in to the system via SSH with limited privileges. Once logged in, an attacker can access sensitive data, modify data, run internal executables, and make the system inaccessible or unstable.

Cisco also published advisories to detail several medium severity vulnerabilities affecting various products.