====================================================================

                              CERT-Renater

                 Note d'Information No. 2017/VULN189
_____________________________________________________________________

DATE                : 21/06/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cisco Prime Infrastructure and
                      Evolved Programmable Network Manager.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm1
____________________________________________________________________

Cisco Security Advisory: Cisco Prime Infrastructure and Evolved
Programmable Network Manager XML Injection Vulnerability

Advisory ID: cisco-sa-20170621-piepnm1

Revision: 1.0

For Public Release: 2017 June 21 16:00 GMT

Last Updated: 2017 June 21 16:00 GMT

CVE ID(s): CVE-2017-6662

CVSS Score v(3): 8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

+---------------------------------------------------------------------

Summary
=======
A vulnerability in the web-based user interface of Cisco Prime
Infrastructure (PI) and Evolved Programmable Network Manager (EPNM)
could allow an authenticated, remote attacker read and write access to
information stored in the affected system as well as perform remote code
execution. The attacker must have valid user credentials.

The vulnerability is due to improper handling of XML External Entity
(XXE) entries when parsing an XML file. An attacker could exploit this
vulnerability by convincing the administrator of an affected system to
import a crafted XML file with malicious entries which could allow the
attacker to read and write files and execute remote code within the
application.

Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm1
["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm1"]


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================