Cisco Systems has issued a pair of advisories warning users that several of its products have been affected by vulnerabilities recently discovered in the Apache Struts 2 open-source web application framework.
There are currently no software updates that address these issues, Cisco has stated.
The most serious of the bugs is a critical remote code execution vulnerability stemming from an unsafe deserialisation process. The vulnerability, designated CVE-2017-9805, allows attackers to seize control of any server running REST applications built with Struts.
Cisco confirmed in one advisory that CVE-2017-9805 has impacted the following products: MXE 3500 Series Media Experience Engines, Unified Contact Center Enterprise, Unified Intelligence Contact Management Enterprise, and Network Performance Analysis. As of 12 September, 2 p.m., Cisco was still investigating 14 other solutions to determine if they are also affected.
In the other advisory, Cisco stated that at least four of its products contain a remote code execution vulnerability (CVE-2017-12611) found in the Freemarker tag functionality of the Apache Struts package. Products already confirmed vulnerable are Cisco's Digital Media Manager, Hosted Collaboration Solution for Contact Center, Unified Contact Center Enterprise, and Unified Intelligence Contact Management Enterprise. As of 12 September, 2 p.m., Cisco was still investigating 26 other solutions to determine if they are also affected.
Cisco also said that some products were affected by two less serious Apache Struts bugs – a denial of service vulnerability in the REST plug-in (CVE-2017-9793) and a resource exhaustion DoS vulnerability in the URLValidator (CVE-2017-9804).
Apache Struts has been at the centre of a firestorm after it was revealed that the enormous Equifax data breach that compromised the sensitive data of roughly 143 million US consumers was likely made possible through attackers exploiting a Struts vulnerability.