
42 Cisco products may be affected by the Apache Struts2 remote code execution vulnerability (S2

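E安全, September 12: On September 7, Apache Struts published a security bulletin disclosing a medium-severity remote code execution vulnerability in Apache Struts 2 (S2-053), tracked as CVE-2017-12611. Using request values together with expression literals or forced expressions in Freemarker tags may lead to remote code execution (see the examples below).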

In both cases the value attribute uses a writable property, and in both cases it is subject to Freemarker's expression evaluation.
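As an added example (not code from the article, Apache, or Cisco), the following Python check scans Freemarker template text for Struts tags whose `value` attribute is an unquoted expression or a `${...}` interpolation, the two constructs the bulletin describes. The sample template, the function name `find_risky_tags`, and the regular expressions are assumptions made for illustration.

```python
import re

# Constructed sample template (not from the article or from any Cisco product).
SAMPLE = '''\
<@s.form action="save">
  <@s.hidden name="redirectUri" value=redirectUri />
  <@s.hidden name="redirectUri" value="${redirectUri}" />
  <@s.textfield name="title" value="Welcome" />
  <@s.checkbox name="agree" value=true />
</@s.form>
'''

# Opening Struts tag in a Freemarker template, e.g. <@s.hidden ... />
TAG_RE = re.compile(r"<@s\.(\w+)\b([^>]*)>")
# value="...${expr}..." : interpolation forces expression evaluation
INTERP_RE = re.compile(r"""\bvalue\s*=\s*(["'])[^"']*\$\{[^}]*\}[^"']*\1""")
# value=name : unquoted, so Freemarker reads it as an expression
BARE_RE = re.compile(r"""\bvalue\s*=\s*(?!["'])([A-Za-z_][\w.]*)""")
# Unquoted Freemarker boolean literals carry no request data
LITERALS = {"true", "false"}


def find_risky_tags(template_text):
    """Return (line_number, tag_name, kind) for each flagged Struts tag."""
    findings = []
    for tag in TAG_RE.finditer(template_text):
        name, attrs = tag.group(1), tag.group(2)
        line_no = template_text.count("\n", 0, tag.start()) + 1
        if INTERP_RE.search(attrs):
            findings.append((line_no, name, "interpolation"))
            continue
        bare = BARE_RE.search(attrs)
        if bare and bare.group(1) not in LITERALS:
            findings.append((line_no, name, "bare-expression"))
    return findings


if __name__ == "__main__":
    for line_no, name, kind in find_risky_tags(SAMPLE):
        print(f"line {line_no}: <@s.{name}> value attribute uses {kind}")
```

A hit is a prompt for review: the construct matters when the property it reads is writable from the request.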

Affected versions

Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10

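List of affected Cisco products

Like many vendors, Cisco has long used the open-source Apache Struts in its web interfaces. On September 9, Switchzilla announced that 42 Cisco products may be affected by this vulnerability.

Cisco is currently investigating its collaboration and network management products, the Identity Services Engine, a range of Cisco Prime software, voice and communications products, video and Cisco TelePresence products, and hosted services. The products under investigation include: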

Cisco Unified MeetingPlace

Cisco WebEx Meetings Server

Cisco Data Center Network Manager

Cisco Identity Services Engine (ISE)

Cisco Digital Media Manager

Cisco MXE 3500 Series Media Experience Engines

Cisco Prime Central for Service Providers

Cisco Prime Collaboration Provisioning

Cisco Prime Home

Cisco Prime LAN Management Solution - Solaris

Cisco Prime License Manager

Cisco Prime Network Registrar IP Address Manager (IPAM)

Cisco Prime Network

Cisco Unified Intelligence Center

Cisco Emergency Responder

Cisco Enterprise Chat and Email

Cisco Hosted Collaboration Mediation Fulfillment

Cisco Hosted Collaboration Solution for Contact Center

Cisco Unified Communications Manager IM & Presence Service (formerly CUPS)

Cisco Unified Communications Manager

Cisco Unified Contact Center Enterprise

Cisco Unified E-Mail Interaction Manager

Cisco Unified Intelligent Contact Management Enterprise

Cisco Unified SIP Proxy Software

Cisco Unified Survivable Remote Site Telephony Manager

Cisco Unified Web Interaction Manager

Cisco Unity Connection

Cisco Virtualized Voice Browser

Cisco Enterprise Content Delivery System (ECDS)

Cisco Video Distribution Suite for Internet Streaming (VDS-IS)

Cisco Business Video Services Automation Software

Cisco Cloud Web Security

Cisco Deployment Automation Tool

Cisco Network Device Security Assessment Service

Cisco Network Performance Analysis

Cisco Partner Support Service 1.x

Cisco Prime Service Catalog

Cisco Services Provisioning Platform

Cisco Smart Net Total Care

Cisco Tidal Performance Analyzer

Cisco Unified Service Delivery Platform

Cisco WebEx Network-Based Recording (NBR) Management

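Cisco stated in its advisory that it will publish updated information disclosing the affected products as the investigation progresses.

Because a remote attacker can exploit this vulnerability to execute code, Cisco rated the vulnerability "Critical" in its advisory.

Note: This article was compiled and reported by E安全; please cite the original URL when republishing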

https://www.easyaq.com/news/529271046.shtml
