Summary

• A vulnerability in Apache Struts could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
  
  The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of url tags with no value or action. In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing. If successful, the attacker could execute arbitrary code in the security context of the affected application on the targeted system.

  The following Snort rules can be used to detect possible exploitation of this vulnerability: Snort SID 29639, 39190, 39191, and 47634

  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts

Affected Products

• The Vulnerable Products section includes Cisco bug IDs for each affected product or service. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.

  Any product or service not listed in the Vulnerable Products section of this advisory is to be considered not vulnerable.

  Vulnerable Products

  Vulnerable products marked with an asterisk (*) contain an affected Struts library, but due to how the library is used within the product, these products are not vulnerable to any of the exploitation vectors known to Cisco at the time of publication.

  The following table lists Cisco products that are affected by the vulnerability that is described in this advisory:

  Product	Cisco Bug ID	Fixed Release Availability
  Collaboration and Social Media
  Cisco SocialMiner *	CSCvk78903	Patch available 11-Sept-2018
  Endpoint Clients and Client Software
  Cisco Prime Service Catalog *	CSCvm13989
  Network and Content Security Devices
  Cisco Identity Services Engine (ISE)	CSCvm14030	Patch file available 31-Aug-2018
  Voice and Unified Communications Devices
  Cisco Emergency Responder *	CSCvm14044	1151es (21-Sep-2018) Standalone COP (21-Sep-2018)
  Cisco Finesse *	CSCvk78905	Patch file available 7-Sept-2018.
  Cisco Hosted Collaboration Solution for Contact Center *	CSCvm14052	Patch file available 12-Sep-2018
  Cisco MediaSense *	CSCvk78906	Patch file available 12-Sep-2018
  Cisco Unified Communications Manager *	CSCvm14042	1151es and 1201es (14-Sep-2018) Standalone COP (20-Sep-2018)
  Cisco Unified Communications Manager IM & Presence Service (formerly CUPS) *	CSCvm14049	1151es and 1201es (21-Sep-2018) Standalone COP (20-Sep-2018)
  Cisco Unified Contact Center Enterprise *	CSCvm13986	Patch file available 12-Sept-2018
  Cisco Unified Contact Center Enterprise - Live Data server *	CSCvk78902	Patch file available 7-Sept-2018
  Cisco Unified Contact Center Express *	CSCvm21744	Patch file available 12-Sep-2018
  Cisco Unified Intelligence Center *	CSCvm13984	Patch file available 12-Sep-2018
  Cisco Unified Intelligent Contact Management Enterprise *	CSCvm13986	Patch file available 12-Sept-2018
  Cisco Unified SIP Proxy Software *	CSCvm13980	918es (28-Sep-2018)
  Cisco Unified Survivable Remote Site Telephony Manager *	CSCvm13979	Patch file available 12-Sep-2018
  Cisco Unity Connection *	CSCvm14043	1151es and 1201su (18-Sep-2018) Standalone COP (21-Sep-2018)
  Cisco Virtualized Voice Browser *	CSCvm14056	Patch file available 12-Sep-2018
  Video, Streaming, TelePresence, and Transcoding Devices
  Cisco Video Distribution Suite for Internet Streaming (VDS-IS) *	CSCvm14027	2.3.35 (15-Sept-2018)
  Cisco Cloud Hosted Services
  Cisco Network Performance Analysis	CSCvm14040

  
  

  Products Confirmed Not Vulnerable

  Only products and services listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

  Cisco has confirmed that this vulnerability does not affect the following products and services. All members of the product families in the following list are not considered to be affected by this vulnerability unless they are explicitly listed in the preceding Vulnerable Products section:

  Cable Modems
  

  • Cisco 3G Femtocell Wireless

  
  Network Application, Service, and Acceleration
  

  • Cisco Data Center Network Manager

  
  Network and Content Security Devices
  

  • Cisco Secure Access Control System (ACS)

  
  Network Management and Provisioning
  

  • Cisco MXE 3500 Series Media Experience Engines
  • Cisco Prime Access Registrar
  • Cisco Prime Central for Service Providers
  • Cisco Prime Collaboration Assurance
  • Cisco Prime Collaboration Provisioning
  • Cisco Prime Infrastructure
  • Cisco Prime LAN Management Solution - Solaris
  • Cisco Prime License Manager
  • Cisco Prime Network Registrar IP Address Manager (IPAM)
  • Cisco Prime Network
  • Cisco Prime Order Management
  • Cisco Prime Provisioning
  • Cisco Security Manager
  • Cisco Smart Net Total Care - Local Collector appliance

  
  Routing and Switching - Enterprise and Service Provider
  

  • Cisco Broadband Access Center for Telco and Wireless

  
  Voice and Unified Communications Devices
  

  • Cisco Enterprise Chat and Email
  • Cisco Hosted Collaboration Mediation Fulfillment
  • Cisco Unified Customer Voice Portal
  • Cisco Unified E-Mail Interaction Manager
  • Cisco Unified Web Interaction Manager
  • Cisco Unity Express

  
  Video, Streaming, TelePresence, and Transcoding Devices
  

  • Cisco Enterprise Content Delivery System (ECDS)
  • Cisco Expressway Series
  • Cisco TelePresence Video Communication Server (VCS)

  
  Cisco Cloud Hosted Services
  

  • Cisco Business Video Services Automation Software
  • Cisco Cloud Web Security
  • Cisco Deployment Automation Tool
  • Cisco Network Device Security Assessment Service
  • Cisco Services Provisioning Platform
  • Cisco Smart Net Total Care - Contracts Information System Process Controller
  • Cisco Smart Net Total Care
  • Cisco Unified Service Delivery Platform
  • Cisco Webex Meeting Center - Windows
  • Cisco Webex Meeting Center
  • Cisco Webex Network-Based Recording (NBR) Management
  • Cisco Webex Teams (formerly Cisco Spark)
  • Cloud and Managed Services Program (CMSP)

Workarounds

• Any workarounds for a specific Cisco product or service will be documented in product-specific or service-specific Cisco bugs, which are identified in the Vulnerable Products section of this advisory.

Fixed Software

• For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory. Questions concerning the Cisco Webex environment can be directed to the Cisco Technical Assistance Center (TAC).

  When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco TAC or their contracted maintenance providers.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is aware of attempted exploitation of this vulnerability.

Source

• On August 22, 2018, the Apache Software Foundation publicly disclosed this vulnerability in a security bulletin at the following link: https://cwiki.apache.org/confluence/display/WW/S2-057

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts

Revision History

• Version	Description	Section	Status	Date
  1.12	Updated the software availability information for vulnerable products.	Affected Products	Final	2018-September-17
  1.11	Updated the software availability information for vulnerable products.	Affected Products	Final	2018-September-13
  1.10	Updated the list of vulnerable products; in the previous version the asterisk was inadvertently omitted.	Affected Products	Final	2018-September-10
  1.9	Updated the software availability information for vulnerable products.	Affected Products	Final	2018-September-06
  1.8	Updated the lists of vulnerable products and products confirmed not vulnerable. Removed references to ongoing investigation.	Summary, Affected Products	Final	2018-September-05
  1.7	Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2018-September-04
  1.6	Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2018-August-31
  1.5	Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable.	Affected Products	Interim	2018-August-30
  1.4	Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable, updated the awareness of exploitation attempts.	Affected Products, Exploitation and Public Announcements	Interim	2018-August-29
  1.3	Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable.	Summary and Affected Products	Interim	2018-August-28
  1.2	Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable.	Summary and Affected Products	Interim	2018-August-28
  1.1	Added Snort SIDs. Updated the lists of products under investigation, vulnerable products, and products confirmed not vulnerable.	Summary and Affected Products	Interim	2018-August-24
  1.0	Initial public release.	-	Interim	2018-August-23

  Show Less