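42 Cisco Products May Be Affected by the Apache Struts2 Remote Code Execution Vulnerability (S2-053)
E安全, September 12: On September 7, Apache Struts published a security bulletin disclosing a medium-severity remote code execution vulnerability in Apache Struts 2 (S2-053), tracked as CVE-2017-12611. Using request values in expression literals or forced expressions inside Freemarker tags can lead to remote code execution (see the example below).
In both cases the value attribute uses a writable property, and in both cases it is subject to Freemarker's expression handling.
Affected versions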
Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10
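Added example (not part of the original article or of the Apache or Cisco advisories): a Python script that inventories a deployment directory for struts2-core jars, including jars packed inside WAR/EAR files, and flags versions that fall in the affected ranges listed above. The jar naming pattern struts2-core-<version>.jar and the treatment of four-part versions are assumptions.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Affected ranges as listed in this article (inclusive on both ends).
AFFECTED = [((2, 0, 1), (2, 3, 33)), ((2, 5, 0), (2, 5, 10))]
# Assumption: the core library is shipped as struts2-core-<version>[-suffix].jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)[^/]*\.jar$")

def parse_version(name):
    """Return a 3-part version tuple from a struts2-core jar name, or None."""
    m = JAR_RE.search(name)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Assumption: a 4th component (e.g. 2.3.15.1) is a patch build of the
    # 3-part release and is judged by that release (conservative choice).
    return tuple((parts + [0, 0])[:3])

def is_affected(version):
    return any(lo <= version <= hi for lo, hi in AFFECTED)

def scan_archive(data, label):
    """Yield (location, version, affected) for jars in a WAR/EAR, recursing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            where = f"{label}!{entry}"
            v = parse_version(entry)
            if v is not None:
                yield where, v, is_affected(v)
            elif entry.lower().endswith((".war", ".ear")):
                yield from scan_archive(zf.read(entry), where)

def scan_tree(root):
    """Report loose struts2-core jars and those packed in WAR/EAR files."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        v = parse_version(path.name)
        if v is not None:
            findings.append((str(path), v, is_affected(v)))
        elif path.suffix.lower() in (".war", ".ear"):
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings

if __name__ == "__main__":
    for loc, ver, bad in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("AFFECTED" if bad else "ok", ".".join(map(str, ver)), loc)
```

A jar that has been renamed or repackaged (shaded) will not match the filename pattern, so an empty result is not proof that Struts is absent.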
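List of affected Cisco products
Like many vendors, Cisco has long used open-source Apache Struts in its web interfaces. On September 9, Switchzilla announced that 42 Cisco products may be affected by the vulnerability.
Cisco is currently investigating collaboration and network management products, Identity Services Engine, a number of Cisco Prime software products, voice and communications, video and Cisco TelePresence, and hosted services. The products under investigation include: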
Cisco Unified MeetingPlace
Cisco WebEx Meetings Server
Cisco Data Center Network Manager
Cisco Identity Services Engine (ISE)
Cisco Digital Media Manager
Cisco MXE 3500 Series Media Experience Engines
Cisco Prime Central for Service Providers
Cisco Prime Collaboration Provisioning
Cisco Prime Home
Cisco Prime LAN Management Solution - Solaris
Cisco Prime License Manager
Cisco Prime Network Registrar IP Address Manager (IPAM)
Cisco Prime Network
Cisco Unified Intelligence Center
Cisco Emergency Responder
Cisco Enterprise Chat and Email
Cisco Hosted Collaboration Mediation Fulfillment
Cisco Hosted Collaboration Solution for Contact Center
Cisco Unified Communications Manager IM & Presence Service (formerly CUPS)
Cisco Unified Communications Manager
Cisco Unified Contact Center Enterprise
Cisco Unified E-Mail Interaction Manager
Cisco Unified Intelligent Contact Management Enterprise
Cisco Unified SIP Proxy Software
Cisco Unified Survivable Remote Site Telephony Manager
Cisco Unified Web Interaction Manager
Cisco Unity Connection
Cisco Virtualized Voice Browser
Cisco Enterprise Content Delivery System (ECDS)
Cisco Video Distribution Suite for Internet Streaming (VDS-IS)
Cisco Business Video Services Automation Software
Cisco Cloud Web Security
Cisco Deployment Automation Tool
Cisco Network Device Security Assessment Service
Cisco Network Performance Analysis
Cisco Partner Support Service 1.x
Cisco Prime Service Catalog
Cisco Services Provisioning Platform
Cisco Smart Net Total Care
Cisco Tidal Performance Analyzer
Cisco Unified Service Delivery Platform
Cisco WebEx Network-Based Recording (NBR) Management
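Cisco said in its advisory that it will publish updates disclosing the affected products as the investigation progresses.
Because a remote attacker can exploit the vulnerability to execute code, Cisco rated it "Critical" in its advisory.
Note: this article was compiled and reported by E安全; please credit the original URL when reposting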
https://www.easyaq.com/news/529271046.shtml