=====================================================================

                           CERT-Renater

               Note d'Information No. 2013/VULN480
_____________________________________________________________________

DATE                : 24/10/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Cisco software running Apache Struts 2,
                            Cisco Business Edition 3000,
                            Cisco Identity Services Engine,
                            Cisco Media Experience Engine 3500 Series,
                            Cisco Unified SIP Proxy.

======================================================================
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2
______________________________________________________________________

Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products

Advisory ID: cisco-sa-20131023-struts2

Revision 1.0

For Public Release 2013 October 23 16:00  UTC (GMT)
======================================================================

Summary
- -------

Multiple Cisco products include an implementation of Apache Struts 2
component that is affected by a remote command execution vulnerability.

The vulnerability is due to insufficient sanitization of user-supplied
input. An attacker could exploit this vulnerability by sending crafted
requests consisting of Object-Graph Navigation Language (OGNL)
expressions to an affected system. An exploit could allow the attacker
to execute arbitrary code on the targeted system.

Cisco has released free software updates that address this
vulnerability for all the affected products except Cisco Business
Edition 3000. Cisco Business Edition 3000 should contact their Cisco
representative for available options.

Workarounds that mitigate this vulnerability are not available. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================