Four products affected, company delivers free update for three of them

Jul 14, 2014 13:40 GMT  ·  By

At the end of last week Cisco patched a vulnerability in Apache Struts 2 that allows a remote attacker to execute arbitrary code on an affected system; the security issue was first disclosed in July 2010, roughly four years earlier.

The problem stems from insufficient sanitization of request input in the XWork component of Apache Struts 2. An attacker can supply a specially crafted Object-Graph Navigation Language (OGNL) expression, which the framework then evaluates on the server, and use it to compromise a vulnerable system.

As the original report on the issue, tracked as CVE-2010-1870, notes, OGNL expression evaluation relied on a permissive whitelist, so an attacker could modify server-side context objects and bypass the “#” protection mechanism in the ParametersInterceptor. The “#” prefix is how OGNL addresses context objects rather than plain action properties, which is why blocking it in parameter names was the intended defense.
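The weakness of a “#”-blacklist on parameter names is easiest to see with a short comparison. The following Python is an added example written for this article, not code from Apache Struts or from Cisco: it puts a naive check for the literal “#” character beside an allowlist check that first normalizes the two encoding layers an attacker controls before a name reaches OGNL (percent-encoding on the wire, and the Java-style `\uXXXX` escapes the OGNL lexer accepts in place of a literal character). The allowlist pattern is my own illustration of a “plain property path only” rule, and the sample parameter names are constructed.

```python
"""Added example: naive '#' blacklist vs. allowlist on normalized names.
Not Struts code; the allowlist regex and sample names are constructed."""

import re
from urllib.parse import unquote

# Java/OGNL-style unicode escape, e.g. \u0023 for '#'.
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

# Hypothetical allowlist for a legitimate Struts-style parameter name:
# an identifier followed by property, index or keyed accesses only.
ACCEPTED_PARAM_NAME = re.compile(
    r"^\w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\['\w+'\])|(\(\w+\)))*$"
)


def normalize(name: str) -> str:
    """Apply the decodings that happen before OGNL sees the name."""
    # The servlet container percent-decodes the query string once.
    name = unquote(name)
    # The OGNL lexer resolves \uXXXX escapes to the character they encode.
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)


def naive_rejects(name: str) -> bool:
    """The blacklist: refuses only a literal '#' in the raw name."""
    return "#" in name


def hardened_rejects(name: str) -> bool:
    """The allowlist: refuses anything that is not a plain property path
    once the name has been normalized."""
    return ACCEPTED_PARAM_NAME.fullmatch(normalize(name)) is None


def classify(names):
    """Map each raw parameter name to (naive_rejects, hardened_rejects)."""
    return {n: (naive_rejects(n), hardened_rejects(n)) for n in names}


def suspicious_param_names(query: str):
    """Return the raw parameter names in a query string that the allowlist
    refuses; useful for scanning access logs or a WAF's raw view of a request."""
    names = [p.split("=", 1)[0] for p in query.split("&") if p]
    return [n for n in names if hardened_rejects(n)]


# Constructed sample parameter names (not taken from any real request).
SAMPLE_NAMES = [
    "user.name",                                   # ordinary property path
    "addresses[0].street",                         # indexed property path
    "#_memberAccess['allowStaticMethodAccess']",   # literal '#': both reject
    "\\u0023_memberAccess['allowStaticMethodAccess']",  # escaped '#': naive misses
    "%23context['foo']",                           # percent-encoded '#': naive misses
]

if __name__ == "__main__":
    for name, (naive, hard) in classify(SAMPLE_NAMES).items():
        print(f"{name!r:55} naive={naive!s:5} hardened={hard}")
```

The point of the comparison is that a check which looks for one character in one representation is only as good as its guess about what the downstream evaluator will accept; an allowlist applied after normalization does not need that guess, which is the direction Struts itself later took.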

The list of Cisco products affected by the security issue comprises Cisco Business Edition 3000 Series, Cisco Identity Services Engine (ISE), Cisco Media Experience Engine (MXE) 3500 Series, and Cisco Unified Contact Center Enterprise (Cisco Unified CCE).

Cisco says that free updates fixing the problem are available for all of the above products except the Cisco Business Edition 3000 Series. Customers who use this product are advised to “contact their Cisco representative for available options.”

Cisco provides no workarounds for mitigating the risk posed by this vulnerability, so where a fixed version exists, updating to it is the only remedy.