Successful exploit allows execution of arbitrary SQL queries

Nov 28, 2018 18:38 GMT

Cisco just patched a critical SQL injection vulnerability residing in the web framework code of the Cisco Prime License Manager (PLM), which is designed to help administrators manage user licenses on an enterprise-wide scale.

Potential remote attackers could execute arbitrary SQL queries on vulnerable machines after successfully exploiting the CVE-2018-15441 security issue.

According to Cisco's advisory detailing this SQL injection security bug in the Cisco Prime License Manager solution, the issue resides in the "lack of proper validation of user-supplied input in SQL queries."

Cisco also says that "An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application."

Furthermore, adversaries that manage to use an exploit to compromise a vulnerable target can also delete or modify any data within Prime License Manager's database, as well as obtain shell access with the system privileges of the postgres user account.

There are no known workarounds to mitigate this vulnerability at the moment, but Cisco has already released software updates which address the vulnerability.

This vulnerability impacts only PLM 11.0.1 or later installations

The CVE-2018-15441 security issue impacts Cisco Prime License Manager 11.0.1 and later, with both coresident and standalone deployments being affected.

In coresident configurations, the Cisco Prime License Manager solution is installed as part of the Cisco Unified Communications Manager and Cisco Unity Connection suites.

Moreover, because Cisco PLM is not included within versions 12.0 or later of Cisco Unity Connection and Cisco Unified Communications Manager, these versions of the two suites are not impacted by this SQL injection vulnerability.
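The affected-version rules above, expressed as an inventory triage check. This is an added example, not code from Cisco or from the advisory; the record fields, host names, status labels and sample versions are assumptions constructed for illustration.

```python
import re

PLM_FIRST_AFFECTED = (11, 0, 1)  # article: PLM 11.0.1 and later are impacted
SUITE_WITHOUT_PLM = (12, 0, 0)   # article: CUCM / Unity Connection 12.0+ do not include PLM

def parse_version(text):
    """Reduce strings such as '11.5(1)SU3' to a comparable (major, minor, patch) tuple."""
    numbers = [int(n) for n in re.findall(r"\d+", text)][:3]
    if not numbers:
        raise ValueError(f"no version number in {text!r}")
    return tuple(numbers + [0] * (3 - len(numbers)))

def triage(record):
    """Classify one inventory record against the affected-version rules."""
    deployment = record["deployment"]
    if deployment not in ("standalone", "coresident"):
        raise ValueError(f"unknown deployment type {deployment!r}")
    # Coresident PLM only exists where the host suite is older than 12.0.
    if deployment == "coresident" and parse_version(record["suite_version"]) >= SUITE_WITHOUT_PLM:
        return "NOT_AFFECTED_NO_PLM"
    if parse_version(record["plm_version"]) >= PLM_FIRST_AFFECTED:
        # The fixed release is not stated in the article, so this status only
        # flags the host for a patch-level check against Cisco's advisory.
        return "IN_AFFECTED_RANGE"
    return "BELOW_AFFECTED_RANGE"

def triage_inventory(inventory):
    """Map each host name to its triage status."""
    return {rec["host"]: triage(rec) for rec in inventory}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    {"host": "plm-standalone-01", "deployment": "standalone", "plm_version": "11.5(1)SU3"},
    {"host": "plm-standalone-02", "deployment": "standalone", "plm_version": "10.5.2"},
    {"host": "cucm-pub-01", "deployment": "coresident",
     "suite_version": "11.5.1", "plm_version": "11.5.1"},
    {"host": "cuc-01", "deployment": "coresident",
     "suite_version": "12.0(1)", "plm_version": None},
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as IN_AFFECTED_RANGE still need their installed patch level compared with the fixed releases listed in Cisco's advisory, since those release numbers are not given here.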

The advisory also says that "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."