SQL Injection Flaw Fixed in Cisco’s PLM

Friday, November 30, 2018 @ 06:11 PM gHale

There was a vulnerability in the web framework code of Cisco Prime License Manager (PLM) that could allow an attacker to execute arbitrary SQL queries.

The remotely exploitable vulnerability, which Cisco patched, is from a lack of proper validation of user-supplied input in SQL queries. When that occurs an attacker could send crafted HTTP POST requests containing malicious SQL statements to affected applications, triggering the vulnerability.

RELATED STORIES
Cisco Working on Fix for Security Appliance
Cisco Fixes Local WebEx Hole
Cisco Issues Patches to Fix Multiple Holes
Cisco Patches 3 Critical Vulnerabilities

“A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user,” Cisco said in an advisory.

The vulnerability was found in PLM releases 11.0.1 and later, and impacts standalone and co-resident deployments (where PLM is installed as part of the Unified Communications Manager and Unity Connection).

There are no workarounds to address the vulnerability, but software updates that resolve the issue have been already released, Cisco said. Specifically, Cisco Prime License Manager release patch ciscocm.CSCvk30822_v1.0.k3.cop.sgn addresses the bug.

“The same COP file can be used with standalone deployments of Cisco Prime License Manager as well as with co-resident deployments as part of Cisco Unified Communications Manager and Cisco Unity Connection and with all affected versions,” Cisco said in a post.

The patch can be installed on Prime License Manager, Unified Communications Manager and Unity Connection 11.5(1) only. Earlier releases need to be upgraded to 11.5(1) before installing the patch.



Leave a Reply

You must be logged in to post a comment.