=====================================================================

                           CERT-Renater

               Note d'Information No. 2014/VULN147
_____________________________________________________________________

DATE                : 10/07/2014

HARDWARE PLATFORM(S): Cisco Business Edition 3000 Series,
                      Cisco Identity Services Engine (ISE),
                      Cisco Media Experience Engine (MXE) 3500 Series,
           Cisco Unified Contact Center Enterprise (Cisco Unified CCE).


OPERATING SYSTEM(S): Cisco software running Apache Struts 2.

======================================================================
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2
______________________________________________________________________

Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products

Advisory ID: cisco-sa-20140709-struts2

Revision 1.0

For Public Release 2014 July 9 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Multiple Cisco products include an implementation of the Apache Struts
2 component that is affected by a remote command execution
vulnerability identified by Apache with Common Vulnerabilities and
Exposures ID CVE-2010-1870.

The vulnerability is due to insufficient sanitization on user-supplied
input in the XWorks component of the affected software. The component
uses the ParameterInterceptors directive to parse the Object-Graph
Navigation Language (OGNL) expressions that are implemented via a
whitelist feature. An attacker could exploit this vulnerability by
sending crafted requests that contain OGNL expressions to an affected
system. An exploit could allow the attacker to execute arbitrary code
on the targeted system.

Cisco has released free software updates that address this
vulnerability for all the affected products except Cisco Business
Edition 3000 Series. Customers using Cisco Business Edition 3000 Series
should contact their Cisco representative for available options.

Cisco has released free software updates that address this
vulnerability. Workarounds that mitigate this vulnerability are not
available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2


=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================