Cisco Unified MeetingPlace Web Conferencing is affected by two vulnerabilities:

- Cisco Unified MeetingPlace Web Conferencing SQL Injection Vulnerability
- Cisco Unified MeetingPlace Web Conferencing Buffer Overrun Vulnerability

Exploitation of the Cisco Unified MeetingPlace Web Conferencing SQL Injection Vulnerability may allow an unauthenticated, remote attacker to send Structured Query Language (SQL) commands to manipulate the MeetingPlace database, which stores information about server configuration, meetings, and users. These commands may be used to create, delete, or alter some of the information in the Cisco Unified MeetingPlace Web Conferencing database.

Exploitation of the Cisco Unified MeetingPlace Web Conferencing Buffer Overrun Vulnerability may allow an unauthenticated, remote attacker to create a buffer overrun condition that may cause the Web Conferencing server to become unresponsive.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121031-mp
Affected versions for the Cisco Unified MeetingPlace Web Conferencing SQL Injection Vulnerability:

Version | Affected |
---|---|
Prior to 7.0 | No |
7.0 | Yes |
7.1 | Yes |
8.0 | Yes |
8.5 | Yes |

Affected versions for the Cisco Unified MeetingPlace Web Conferencing Buffer Overrun Vulnerability:

Version | Affected |
---|---|
Prior to 7.0 | Yes |
7.0 | Yes |
7.1 | Yes |
8.0 | Yes |
8.5 | Yes |
Cisco has released software updates that address these vulnerabilities.
The following tables contain the first fixed releases of software for each vulnerability:

Cisco Unified MeetingPlace Web Conferencing SQL Injection Vulnerability - CSCtx08939

Major Release | First Fix In |
---|---|
7.0 | 7.1MR1 |
7.1 | 7.1MR1 |
8.0 | 8.0MR1 Patch 1 |
8.5 | 8.5MR3 |

Cisco Unified MeetingPlace Web Conferencing Buffer Overrun Vulnerability - CSCua66341

Major Release | First Fix In |
---|---|
7.0 | 7.1MR1 Patch 1 |
7.1 | 7.1MR1 Patch 1 |
8.0 | 8.0MR1 Patch 1 |
8.5 | 8.5MR3 |
The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases.
Major Release | Recommended Release |
---|---|
7.0 | Migrate to 7.1MR1 Patch 1 |
7.1 | 7.1MR1 Patch 1 |
8.0 | 8.0MR1 Patch 1 |
8.5 | 8.5MR3 |
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
Cisco Unified MeetingPlace Web Conferencing SQL Injection Vulnerability was reported to Cisco by Daniel Mende from ERNW GmbH.
Cisco Unified MeetingPlace Web Conferencing Buffer Overrun Vulnerability was found during internal tests.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision | Date | Description |
---|---|---|
1.1 | 2012-November-27 | Updated the "Vulnerable Products" section to indicate that versions prior to 7.0 are not affected by the SQL injection vulnerability. |
1.0 | 2012-October-31 | Initial public release. |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.