A vulnerability in the Java deserialization used by the Apache Commons Collections (ACC) library could allow an unauthenticated, remote attacker to execute arbitrary code. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by submitting crafted input to an application on a targeted system that uses the ACC library. After the vulnerable library on the affected system deserializes the content, the attacker could execute arbitrary code on the system, which could be used to conduct further attacks.

On November 6, 2015, Foxglove Security Group published information about a remote code execution vulnerability that affects multiple releases of the ACC library. The report contains detailed proof-of-concept code for a number of applications, including WebSphere Application Server, JBoss, Jenkins, OpenNMS, and WebLogic. The vulnerability is remotely exploitable and allows an attacker to run arbitrary code or operating system commands with the privileges of the affected application. The range of potential impacts is wide and includes disclosure of sensitive information.

Object serialization is a technique that many programming languages use to convert an object into a sequence of bytes for storage or transfer. Deserialization reassembles those bytes back into an object. This vulnerability occurs when Java objects are serialized for network transport and deserialized on the receiving side. Many applications accept serialized objects from the network and pass them straight to deserialization without any input validation; Java deserialization then instantiates the classes named in the stream and runs their deserialization logic before the application has a chance to inspect the result. A crafted serialized object can therefore lead to execution of arbitrary attacker code. Although the root cause lies in the Java serialization mechanism itself (it will reconstruct whatever classes the stream names), the ACC library is known to be affected because it ships classes whose deserialization behaviour can be chained into arbitrary method invocation; the published proof of concept builds such a chain from the library's InvokerTransformer class.
Any application or application framework could be vulnerable if it uses the ACC library and deserializes arbitrary, user-supplied Java serialized data.

Additional details about the vulnerability are available at the following links:
Official Vulnerability Note from CERT
Foxglove Security
Apache Commons Statement
Oracle Security Alert

Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization
Product | Defect | Fixed releases availability |
---|---|---|
Cable Modems | ||
Cisco WebEx Meetings Server versions 1.x | CSCux17638 | |
Cisco WebEx Meetings Server versions 2.x | CSCux17638 | |
Digital Life RMS 1.8.1.1 Cisco Broadband Access Center Telco Wireless 3.8.1 | CSCux34660 | |
Collaboration and Social Media | ||
Cisco SocialMiner | CSCux34833 | |
Cisco WebEx Meetings | CSCux21425 | |
Network Application, Service, and Acceleration | ||
Cisco InTracer | CSCux35041 | |
Cisco Network Admission Control (NAC) | CSCux35101 | |
Cisco Visual Quality Experience Server | CSCux34725 | |
Cisco Visual Quality Experience Tools Server | CSCux34725 | |
Network and Content Security Devices | ||
Cisco ASA CX and Cisco Prime Security Manager | CSCux34742 | |
Cisco Clean Access Manager | CSCux34981 | |
Cisco Identity Services Engine (ISE) | CSCux35116 | |
Cisco NAC Appliance (Clean Access Server) | CSCux34982 | |
Cisco NAC Server | CSCux34983 | |
Cisco Secure Access Control System (ACS) | CSCux34781 | |
Network Management and Provisioning | ||
Cisco Access Registrar Appliance | CSCux34652 | |
Cisco Cloupia Unified Infrastructure Controller | CSCux35070 | |
Cisco Configuration Professional | CSCux35040 | |
Cisco Digital Media Manager | CSCux34692 | |
Cisco Insight Reporter | CSCux34694 | |
Cisco Prime Access Registrar Appliance | CSCux34652 | |
Cisco Prime Access Registrar | CSCux34955 | |
Cisco Prime Central for SPs | CSCux34667 | |
Cisco Prime Collaboration Provisioning | CSCux34669 | |
Cisco Prime Home | CSCux34666 | |
Cisco Prime Infrastructure | CSCux34665 | |
Cisco Prime LAN Management Solution (LMS - Solaris) | CSCux34647 | |
Cisco Prime License Manager | CSCux34705 | |
Cisco Prime Network Services Controller | CSCux34672 | |
Cisco Prime Optical for SPs | CSCux34656 | |
Cisco Prime Performance Manager | CSCux34953 | |
Cisco Prime Provisioning for SPs | CSCux34664 | |
Cisco Prime Provisioning | CSCux35084 | |
Cisco Prime Security Manager | CSCux35106 | |
Cisco Prime Service Catalog Virtual Appliance | CSCux34715 | |
Cisco Security Manager | CSCux34671 | |
Cisco Unified Intelligence Center | CSCux35044 | |
Local Collector Appliance (LCA) | CSCux34812 | |
Unified Communications Deployment Tools | CSCux34584 | |
Routing and Switching - Enterprise and Service Provider | ||
Cisco Broadband Access Center Telco Wireless | CSCux34645 | |
Unified Computing | ||
Cisco UCS Director | CSCux34942 | |
Voice and Unified Communications Devices | ||
Cisco Computer Telephony Integration Object Server (CTIOS) | CSCux34589 | A fix will be available May 6 2016 |
Cisco Emergency Responder | CSCux34852 | |
Cisco Hosted Collaboration Mediation Fulfillment | CSCux34859 | |
Cisco IM and Presence Service (CUPS) | CSCux34855 | |
Cisco IP Interoperability and Collaboration System (IPICS) | CSCux34720 | |
Cisco Management Heartbeat Server | CSCux35009 | |
Cisco MediaSense | CSCux34874 | 11.0; 10.5 (March 2016); 11.5 (June 2016) |
Cisco MeetingPlace | CSCux35147 | |
Cisco USC8088 | CSCux35125 | |
Cisco Unified Attendant Console Advanced | CSCux34827 | |
Cisco Unified Attendant Console Business Edition | CSCux34827 | |
Cisco Unified Attendant Console Department Edition | CSCux34827 | |
Cisco Unified Attendant Console Enterprise Edition | CSCux34827 | |
Cisco Unified Attendant Console Premium Edition | CSCux34827 | |
Cisco Unified Communications Domain Manager | CSCux35022 | |
Cisco Unified Communications Manager (UCM) | CSCux34835 | |
Cisco Unified Communications Manager Session Management Edition (SME) | CSCux34835 | |
Cisco Unified Contact Center Enterprise | CSCux34589 | A fix will be available May 6 2016 |
Cisco Unified Contact Center Express | CSCux34844 | |
Cisco Unified E-Mail Interaction Manager | CSCux34853 | |
Cisco Unified Intelligent Contact Management Enterprise | CSCux34589 | A fix will be available May 6 2016 |
Cisco Unified SIP Proxy | CSCux34567 | |
Cisco Unified Web Interaction Manager | CSCux34853 | |
Cisco Unity Connection (UC) | CSCux35135 | |
Cisco Voice Portal (CVP) | CSCux35046 | |
Video, Streaming, TelePresence, and Transcoding Devices | ||
Cisco Digital Transport Adapter Control System (DTACS) | CSCux34796 | |
Cisco Media Experience Engines (MXE) | CSCux34968 | |
Cisco Show and Share | CSCux34708 | |
Cisco TelePresence Exchange System (CTX) | CSCux34690 | |
Cisco VDS Service Broker | CSCux34804 | |
Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS) | CSCux34724 | |
Cisco Videoscape Conductor | CSCux34792 | |
Cisco Videoscape Control Suite | CSCux34974 | |
Explorer Controller (EC) system | CSCux34795 | |
Wireless | ||
Cisco Mobility Services Engine (MSE) | CSCux35085 | |
Cisco Hosted Services | ||
Business Video Services Automation Software (BV) | CSCux34572 | |
Cisco Cloud Email Security | CSCux34593 | |
Cisco Cloud Services | CSCux34688 | |
Cisco Cloud Web Security | CSCux35002 | |
Cisco Cloud and Systems Management | CSCux34926 | |
Cisco Proactive Network Operations Center | CSCux34582 | |
Cisco Registered Envelope Service (CRES) | CSCux34591 | |
Cisco Services Provisioning Platform (SPP) | CSCux34885 | 3.2.2 (Jan 2016) |
Cisco Smart Care | CSCux34985 | |
Cisco Unified Services Delivery Platform (CUSDP) | CSCux34779 | |
Communication/Collaboration Sizing Tool, Virtual Machine Placement Tool, Cisco Unified Communications Upgrade Readiness Assessment | CSCux34881 | |
DCAF UCS Collector | CSCux34924 | |
Data Center Analytics Framework (DCAF) | CSCux34575 | |
Life Cycle Management Agent Manager (LCM) | CSCux34927 | |
Network Change and Configuration Management | CSCux34580 | |
Partner Supporting Service (PSS) 1.x | CSCux34739 | |
SI component of Partner Supporting Service | CSCux34738 | |
Serial Number Assessment Service (SNAS) | CSCux34991 | |
Services Analytic Platform | CSCux35043 | |
Smart Net Total Care (SNTC) | CSCux34987 | |
Smart Net Total Care | CSCux34730 | |
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.10 | Updated the affected products. | Affected Products | Interim | 2016-February-25 |
1.9 | Updated the affected products. | Affected Products | Interim | 2016-February-02 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.