42款思科產品或受Apache Struts2遠端代碼執行漏洞(S2
E安全9月12日訊 Apache Struts 9月7日發佈安全公告,披露Apache Struts 2存在中危遠端代碼執行漏洞(S2-053),編號為CVE-2017-12611,當在Freemarker標籤中使用運算式常量或強制運算式時使用請求值可能會導致遠端代碼執行漏洞(見下面的示例)。
在這兩種情況下,值屬性都使用可寫屬性,都會受到Freemarker的運算式的影響。
受影響版本
Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10
思科受影響產品清單
與許多廠商一樣,思科很久以前就在Web介面上使用了開源Apache Struts。Switchzilla 9月9日宣佈42款思科產品或受該漏洞影響。
思科目正在調查協作和網路管理產品、身份服務引擎(Identity Services Engine),
Cisco Unified MeetingPlace
Cisco WebEx Meetings Server
Cisco Data Center Network Manager
Cisco Identity Services Engine (ISE)
Cisco Digital Media Manager
Cisco MXE 3500 Series Media Experience Engines
Cisco Prime Central for Service Providers
Cisco Prime Collaboration Provisioning
Cisco Prime Home
Cisco Prime LAN Management Solution - Solaris
Cisco Prime License Manager
Cisco Prime Network Registrar IP Address Manager (IPAM)
Cisco Prime Network
Cisco Unified Intelligence Center
Cisco Emergency Responder
Cisco Enterprise Chat and Email
Cisco Hosted Collaboration Mediation Fulfillment
Cisco Hosted Collaboration Solution for Contact Center
Cisco Unified Communications Manager IM & Presence Service (formerly CUPS)
Cisco Unified Communications Manager
Cisco Unified Contact Center Enterprise
Cisco Unified E-Mail Interaction Manager
Cisco Unified Intelligent Contact Management Enterprise
Cisco Unified SIP Proxy Software
Cisco Unified Survivable Remote Site Telephony Manager
Cisco Unified Web Interaction Manager
Cisco Unity Connection
Cisco Virtualized Voice Browser
Cisco Enterprise Content Delivery System (ECDS)
Cisco Video Distribution Suite for Internet Streaming (VDS-IS)
Cisco Business Video Services Automation Software
Cisco Cloud Web Security
Cisco Deployment Automation Tool
Cisco Network Device Security Assessment Service
Cisco Network Performance Analysis
Cisco Partner Support Service 1.x
Cisco Prime Service Catalog
Cisco Services Provisioning Platform
Cisco Smart Net Total Care
Cisco Tidal Performance Analyzer
Cisco Unified Service Delivery Platform
Cisco WebEx Network-Based Recording (NBR) Management
思科在公告中指出,一旦調查有進展,思科會發佈更新資訊,披露受影響的產品。
由於遠端攻擊者可利用該漏洞執行代碼,鑒於此,思科在公告中將這個漏洞標記為“Critical”。
注:本文由E安全編譯報導,轉載請注明原文地址
https://www.easyaq.com/news/529271046.shtml
相關閱讀:
▼點擊“閱讀原文” 查看更多精彩內容