Cisco’s security team today called the weakness in Apache Struts “critical” and is evaluating many its products to assess the impact.
The company said it will publish a list of vulnerable products here as it learns of them.
Earlier this week Apache revealed a vulnerability in the Jakarta multipart parser used in Apache Struts2 that could let an attacker execute commands remotely on the targeted system using what’s known as acrafted Content-Type header value.
-More on Network World: Cisco’s Jasper deal – one year, 18 million new IoT devices later, challenges remain+
Cisco wrote in its warning: “The vulnerability is due to improper handling of the Content-Type header value when performing a file upload based on the Jakarta multipart parser of the affected software. An attacker could exploit this vulnerability by persuading a targeted user to upload a malicious file. Once the Jakarta multipart parser of the affected application uploads the file, the attacker could have the ability to execute arbitrary code. Any workarounds, when available, will be documented in the Cisco bugs, which are accessible through the Cisco Bug Search Tool. Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.”
On Thursday, the IDG News Service wrote that on Monday Apache Struts developers fixed a high-impact vulnerability in the framework’s Jakarta Multipart parser. Hours later, an exploit for the flaw appeared on Chinese-language websites and this was almost immediately followed by real-world attacks, according to researchers from Cisco.
The vulnerability is very easy to exploit and allows attackers to execute system commands with the privileges of the user running the web server process. If the web server is configured to run as root, the system is completely compromised, but executing code as a lower-privileged user is also a serious security threat, IDG wrote.
What’s even worse is that the Java web application doesn’t even need to implement file upload functionality via the Jakarta Multipart parser in order to be vulnerable. According to researchers from Qualys, the simple presence on the web server of this component, which is part of the Apache Struts framework by default, is enough to allow exploitation, IDG wrote.
Cisco said it was evaluating wide variety of products, including the Cisco Aironet 2700 Series Access Points; Mobility Services Engine, Wireless LAN Controller and UCS 6200 Series Fabric Interconnects.
Other products being evaluated include:
- Cisco ASR 5000 Series
- Cisco Application Policy Infrastructure Controller (APIC)
- Cisco Broadband Access Center for Telco and Wireless
- Cisco IOS XR Software
- Cisco MDS 9000 Series Multilayer Switches
- Cisco Nexus 1000V InterCloud
- Cisco Nexus 1000V Series Switches
- Cisco Nexus 1000V Switch for VMware vSphere
- Cisco Nexus 3000 Series Switches
- Cisco Nexus 5000 Series Switches
- Cisco Nexus 6000 Series Switches
- Cisco Nexus 7000 Series Switches
- Cisco Nexus 9000 Series Fabric Switches
Check out these other hot stories: