==================================================================== CERT-Renater Note d'Information No. 2016/VULN048 _____________________________________________________________________ DATE : 04/02/2016 HARDWARE PLATFORM(S): Cisco . OPERATING SYSTEM(S): Cisco Application Policy Infrastructure Controller software. ====================================================================== http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-apic _____________________________________________________________________ Cisco Security Advisory: Cisco Application Policy Infrastructure Controller Access Control Vulnerability Advisory ID: cisco-sa-20160203-apic Revision: 1.0 For Public Release 2016 February 03 16:00 UTC (GMT) +--------------------------------------------------------------------- Summary ======= A vulnerability in the role-based access control (RBAC) of the Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated remote user to make configuration changes outside of their configured access privileges. The vulnerability is due to eligibility logic in the RBAC processing code. An authenticated user could exploit this vulnerability by sending specially crafted representational state transfer (REST) requests to the APIC. An exploit could allow the authenticated user to make configuration changes to the APIC beyond the configured privilege for their role. Cisco has released software updates that address this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-apic ========================================================== Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================