Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products

Summary

• On March 6, 2017, Apache disclosed a vulnerability in the Jakarta Multipart parser used in Apache Struts2 that could allow an attacker to execute commands remotely on a targeted system by using a crafted Content-Type, Content-Disposition, or Content-Length value.
  

  This vulnerability has been assigned CVE-ID CVE-2017-5638.
  
  This advisory is available at the following link:
  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2

Affected Products

• Cisco is investigating its product line to determine which products may be affected by this vulnerability and the impact on each affected product. Please refer to the Vulnerable Products and Products Confirmed Not Vulnerable sections of this advisory for information about whether a product is affected.
  
  The Vulnerable Products section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.
  

  Vulnerable Products

  The following table lists Cisco products that are affected by the vulnerability described in this advisory.
  
  Detailed information regarding specific fixed software versions will be documented in the Cisco bugs listed in the Vulnerable Products table in this section of the advisory. The bugs are accessible through the Cisco Bug Search Tool. When planning a software upgrade, be sure to review the bugs directly because they will have the most current and up-to-date information.
  
  
  

  Product	Cisco Bug ID	Fixed Release Availability
  Collaboration and Social Media
  Cisco SocialMiner	CSCvd63318	11.5 SU1 (7-April-2017)
  Network and Content Security Devices
  Cisco Identity Services Engine (ISE)	CSCvd49829	Patch available (24-March-2017)
  Network Management and Provisioning
  Cisco Prime License Manager	CSCvd51283	11.5(1)SU1a (Available Now)
  Cisco Unified Intelligence Center	CSCvd56191	11.5(1) ES03 (30-March-2017)
  Voice and Unified Communications Devices
  Cisco Emergency Responder	CSCvd51442	Patch for 11.5 (19-April-2017)
  Cisco Finesse	CSCvd63325	11.5 ES2 (7-April-2017)
  Cisco Hosted Collaboration Mediation Fulfillment	CSCvd51443	HCM-F 11.5.1 SU1 (7-April-2017)
  Cisco Hosted Collaboration Solution for Contact Center	CSCvd56593	10.5(3) Patch available 11.0(2) (22-March-2017) 11.5(1) (22-March-2017) 10.0(2) (24-March-2017)
  Cisco MediaSense	CSCvd63328	11.5 (7-April-2017)
  Cisco Packaged Contact Center Enterprise	CSCvd51212
  Cisco Unified Communications Manager IM & Presence Service (formerly CUPS)	CSCvd49842	Patch available (23-March-2017)
  Cisco Unified Communications Manager Session Management Edition	CSCvd49840	Patch available (31-March-2017)
  Cisco Unified Communications Manager	CSCvd49840	Patch available (31-March-2017)
  Cisco Unified Contact Center Enterprise - Live Data server	CSCvd63365	10.5(3) (Available) 11.0 (2) (7-April-2017) 11.5(1) (7-April-2017) 10.0(2) (Available)
  Cisco Unified Contact Center Enterprise	CSCvd51210	10.5(3) (Available) 11.0 (2) (22-March-2017) 11.5(1) (22-March-2017 10.0(2) (24-March-2017)
  Cisco Unified Contact Center Express	CSCvd63322	11.5 SU1 (7-April-2017)
  Cisco Unified Intelligent Contact Management Enterprise	CSCvd51210	10.5(3) (Available) 11.0 (2) (22-March-2017) 11.5(1) (22-March-2017 10.0(2) (24-Mar-2017)
  Cisco Unified SIP Proxy Software	CSCvd49788	10.1 (June 2017)
  Cisco Unity Connection	CSCvd49841	12.0 (27-Mar-2017) 11.5 (10-Apr-2017) 11.0 (10-Apr-2017)
  Cisco Virtualized Voice Browser	CSCvd63333	11.5 SU1 (7-April-2017)
  Cisco Hosted Services
  Cisco Prime Service Catalog Appliance and Virtual Appliance	CSCvd49817	PSC 12.0 Patch 1 (14-Mar-2017)

  
  
  

  Products Confirmed Not Vulnerable

  Collaboration and Social Media
  

  • Cisco Unified MeetingPlace
  • Cisco WebEx Meetings Client - On-Premises
  • Cisco WebEx Meetings Server

  
  Endpoint Clients and Client Software
  

  • Cisco Agent for OpenFlow
  • Cisco AnyConnect Secure Mobility Client for Android
  • Cisco AnyConnect Secure Mobility Client for Linux
  • Cisco AnyConnect Secure Mobility Client for Mac OS X
  • Cisco AnyConnect Secure Mobility Client for Windows
  • Cisco AnyConnect Secure Mobility Client for iOS
  • Cisco Jabber Client Framework (JCF) Components
  • Cisco Jabber Guest
  • Cisco Jabber Software Development Kit
  • Cisco Jabber for Android
  • Cisco Jabber for Mac
  • Cisco Jabber for Windows
  • Cisco NAC Agent for Windows
  • Cisco NAC Agent
  • Cisco WebEx Meetings for Android
  • Cisco WebEx Meetings for Windows Phone 8

  
  Network Application, Service, and Acceleration
  

  • Cisco Network Device Security Assessment Service
  • Cisco Visual Quality Experience Server
  • Cisco Visual Quality Experience Tools Server
  • Cisco Wide Area Application Services (WAAS)

  
  Network and Content Security Devices
  

  • Cisco Adaptive Security Appliance (ASA)
  • Cisco Content Security Appliance Update Servers
  • Cisco Content Security Management Appliance (SMA)
  • Cisco Email Security Appliance (ESA)
  • Cisco FX-OS Software
  • Cisco FireSIGHT System Software
  • Cisco Secure Access Control System (ACS)
  • Cisco Web Security Appliance (WSA)
  • Lancope Stealthwatch Endpoint Concentrator
  • Lancope Stealthwatch FlowCollector NetFlow
  • Lancope Stealthwatch FlowCollector sFlow
  • Lancope Stealthwatch FlowSensor
  • Lancope Stealthwatch SMC
  • Lancope Stealthwatch UDP Director

  
  Network Management and Provisioning
  

  • Cisco Application Networking Manager
  • Cisco Application Policy Infrastructure Controller (APIC)
  • Cisco Cloupia Unified Infrastructure Controller
  • Cisco Configuration Professional
  • Cisco DCNM
  • Cisco Digital Media Manager
  • Cisco MATE Collector
  • Cisco MATE Design
  • Cisco MATE Live
  • Cisco Management Appliance
  • Cisco Meeting Server
  • Cisco Multicast Manager
  • Cisco NetFlow Generation Appliance
  • Cisco Network Analysis Module
  • Cisco Packet Tracer
  • Cisco Policy Suite
  • Cisco Prime Access Registrar
  • Cisco Prime Central Fault Manager
  • Cisco Prime Central
  • Cisco Prime Collaboration Assurance
  • Cisco Prime Collaboration Deployment
  • Cisco Prime Collaboration Provisioning
  • Cisco Prime Data Center Network Manager
  • Cisco Prime Home
  • Cisco Prime IP Express
  • Cisco Prime Infrastructure
  • Cisco Prime LAN Management Solution - Solaris
  • Cisco Prime Network Change and Configuration Management
  • Cisco Prime Network Registrar IP Address Manager (IPAM)
  • Cisco Prime Network Registrar
  • Cisco Prime Network Services Controller
  • Cisco Prime Network
  • Cisco Prime Optical for Service Providers
  • Cisco Prime Performance Manager
  • Cisco Prime Service Catalog
  • Cisco Security Manager
  • Cisco Smart Net Total Care - Local Collector appliance
  • Cisco Tidal Performance Analyzer
  • Cisco UCS Central Software
  • Smart Connected Home

  
  Routing and Switching - Enterprise and Service Provider
  

  • Cisco ASR 5000 Series
  • Cisco Broadband Access Center for Telco and Wireless
  • Cisco Connected Grid Routers
  • Cisco IOS XR Software
  • Cisco IOS and Cisco IOS XE Software
  • Cisco MDS 9000 Series Multilayer Switches
  • Cisco Nexus 1000V InterCloud
  • Cisco Nexus 1000V Series Switches
  • Cisco Nexus 1000V Switch for VMware vSphere
  • Cisco Nexus 3000 Series Switches
  • Cisco Nexus 4000 Series Blade Switches
  • Cisco Nexus 5000 Series Switches
  • Cisco Nexus 6000 Series Switches
  • Cisco Nexus 7000 Series Switches
  • Cisco Nexus 9000 Series Fabric Switches - ACI mode
  • Cisco Nexus 9000 Series Switches - Standalone, NX-OS mode
  • Cisco ONS 15454 Series Multiservice Provisioning Platforms
  • Cisco Service Control Operating System
  • Cisco Universal Small Cell 5000 Series Cisco Universal Small Cell 7000 Series
  • Cisco Universal Small Cell Iuh

  
  Routing and Switching - Small Business
  

  • Cisco 220 Series Smart Plus (Sx220) Switches
  • Cisco 500 Series Stackable (Sx500) Managed Switches
  • Cisco Small Business 300 Series (Sx300) Managed Switches

  
  Unified Computing
  

  • Cisco Common Services Platform Collector
  • Cisco UCS 6200 Series Fabric Interconnects
  • Cisco UCS 6200 Series and 6300 Series Fabric Interconnects
  • Cisco UCS B-Series Blade Servers
  • Cisco UCS Director
  • Cisco UCS Manager
  • Cisco UCS Standalone C-Series Rack Server - Integrated Management Controller
  • Cisco Virtual Security Gateway for Microsoft Hyper-V
  • Cisco Virtual Security Gateway

  
  Voice and Unified Communications Devices
  

  • Cisco ATA 190 Series Analog Terminal Adaptors
  • Cisco Agent Desktop for Cisco Unified Contact Center Express
  • Cisco Agent Desktop
  • Cisco DX Series IP Phones
  • Cisco Enterprise Chat and Email
  • Cisco IP Interoperability and Collaboration System (IPICS)
  • Cisco Jabber for iPhone and iPad
  • Cisco Paging Server (InformaCast)
  • Cisco Paging Server
  • Cisco SPA112 2-Port Phone Adapter
  • Cisco SPA122 Analog Telephone Adapter (ATA) with Router
  • Cisco SPA232D Multi-Line DECT Analog Telephone Adapter (ATA)
  • Cisco SPA51x IP Phones
  • Cisco SPA525G 5-Line IP Phone
  • Cisco Small Business SPA300 Series IP Phones
  • Cisco Small Business SPA500 Series IP Phones
  • Cisco UC Integration for Microsoft Lync
  • Cisco Unified Attendant Console Advanced
  • Cisco Unified Attendant Console Business Edition
  • Cisco Unified Attendant Console Department Edition
  • Cisco Unified Attendant Console Enterprise Edition
  • Cisco Unified Attendant Console Premium Edition
  • Cisco Unified Attendant Console Standard
  • Cisco Unified Communications Domain Manager
  • Cisco Unified Contact Center Domain Manager
  • Cisco Unified Contact Center Management Portal
  • Cisco Unified Customer Voice Portal
  • Cisco Unified E-Mail Interaction Manager
  • Cisco Unified IP 6945 Phone
  • Cisco Unified IP 7937 Phone
  • Cisco Unified IP 8831 Conference Phone for Third-Party Call Control
  • Cisco Unified Message Gateway
  • Cisco Unified Survivable Remote Site Telephony Manager
  • Cisco Unified Web Interaction Manager
  • Cisco Unified Workforce Optimization - Quality Management Solution
  • Cisco Unified Workforce Optimization
  • Cisco Unity Express
  • Cisco Virtualization Experience Media Edition

  
  Video, Streaming, TelePresence, and Transcoding Devices
  

  • Cisco 4300 Series Digital Media Players
  • Cisco 4400 Series Digital Media Players
  • Cisco Cloud Object Storage
  • Cisco DCM Series D990x Digital Content Manager
  • Cisco Edge 300 Digital Media Player
  • Cisco Edge 340 Digital Media Player
  • Cisco Enterprise Content Delivery System (ECDS)
  • Cisco Expressway Series
  • Cisco MXE 3500
  • Cisco TelePresence Conductor
  • Cisco TelePresence Content Server
  • Cisco TelePresence ISDN Gateway 3241
  • Cisco TelePresence ISDN Gateway MSE 8321
  • Cisco TelePresence ISDN Link
  • Cisco TelePresence MCU 4200 Series, 4500 Series, 5300 Series, MSE 8420, and MSE 8510
  • Cisco TelePresence MX Series
  • Cisco TelePresence Profile Series
  • Cisco TelePresence SX Series
  • Cisco TelePresence Serial Gateway Series
  • Cisco TelePresence Server 7010 and MSE 8710
  • Cisco TelePresence Server on Multiparty Media 310 and 320
  • Cisco TelePresence Server on Multiparty Media 820
  • Cisco TelePresence Server on Virtual Machine
  • Cisco TelePresence Supervisor MSE 8050
  • Cisco TelePresence System 1000
  • Cisco TelePresence System 1100
  • Cisco TelePresence System 1300
  • Cisco TelePresence System 3000 Series
  • Cisco TelePresence System 500-32
  • Cisco TelePresence System 500-37
  • Cisco TelePresence System EX Series
  • Cisco TelePresence System TX1310
  • Cisco TelePresence TX9000 Series
  • Cisco TelePresence Video Communication Server (VCS)
  • Cisco Telepresence Integrator C Series
  • Cisco VDS-IS
  • Cisco Video Surveillance 3000 Series IP Cameras
  • Cisco Video Surveillance 4000 Series High-Definition IP Cameras
  • Cisco Video Surveillance 4300E and 4500E High-Definition IP Cameras
  • Cisco Video Surveillance 6000 Series IP Cameras
  • Cisco Video Surveillance 7000 Series IP Cameras
  • Cisco Video Surveillance Media Server
  • Cisco Video Surveillance PTZ IP Cameras
  • Cisco Videoscape AnyRes Live
  • Cisco Videoscape Voyager Vantage
  • Tandberg Codian ISDN Gateway 3210, 3220, and 3240
  • Tandberg Codian MSE 8320

  
  Wireless
  

  • Cisco Aironet 1040 Series Access Points
  • Cisco Aironet 1130 AG Series Access Points
  • Cisco Aironet 1140 Series Access Points
  • Cisco Aironet 1200 Series Access Points
  • Cisco Aironet 1530 Series Access Points
  • Cisco Aironet 1550 Series Access Points
  • Cisco Aironet 1560 Series Access Points
  • Cisco Aironet 1570 Series Access Points
  • Cisco Aironet 1600 Series Access Points
  • Cisco Aironet 1700 Series Access Points
  • Cisco Aironet 1810 Series OfficeExtend Access Points
  • Cisco Aironet 1810w Series Access Points
  • Cisco Aironet 1815 Series Access Points
  • Cisco Aironet 1830 Series Access Points
  • Cisco Aironet 1850 Series Access Points
  • Cisco Aironet 2600 Series Access Points
  • Cisco Aironet 2700 Series Access Points
  • Cisco Aironet 2800 Series Access Points
  • Cisco Aironet 3500 Series Access Points
  • Cisco Aironet 3600 Series Access Points
  • Cisco Aironet 3700 Series Access Points
  • Cisco Aironet 3800 Series Access Points
  • Cisco Aironet 700 Series Access Points
  • Cisco Aironet 700W Series Access Points
  • Cisco Industrial Wireless 3700 Series Access Points
  • Cisco Mobility Services Engine
  • Cisco Wireless LAN Controller

  
  Cisco Hosted Services
  

  • Cisco Business Video Services Automation Software
  • Cisco Cloud Web Security
  • Cisco Cloud and Systems Management
  • Cisco Data Center Analytics Framework
  • Cisco Deployment Automation Tool
  • Cisco Network Health Framework
  • Cisco Network Performance Analysis
  • Cisco ONE Portal
  • Cisco Partner Support Service 1.x
  • Cisco Proactive Network Operations Center
  • Cisco Registered Envelope Service
  • Cisco Services Provisioning Platform
  • Cisco Smart Care
  • Cisco Smart Net Total Care - Contracts Information System Process Controller
  • Cisco Smart Net Total Care - Smart Interactions
  • Cisco Smart Net Total Care
  • Cisco Unified Service Delivery Platform
  • Cisco Universal Small Cell CloudBase Factory Recovery Root Filesystem
  • Cisco WebEx Meeting Center
  • Cisco WebEx Messenger Service
  • Cisco WebEx Network Based Recording (NBR) Management
  • OpenDNS
  • SmartNet Total Care

  
  

Details

• A vulnerability in the Jakarta multipart parser of Apache Struts could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system.
  
  The vulnerability is due to improper handling of the Content-Type header value when performing a file upload based on the Jakarta multipart parser of the affected software. An attacker could exploit this vulnerability by persuading a targeted user to upload a malicious file. Once the Jakarta multipart parser of the affected application uploads the file, the attacker could have the ability to execute arbitrary code.

Indicators of Compromise

• To help detect exploitation of this vulnerability, Cisco has released Cisco IPS Signature Sig-ID 7872-0 and Snort SIDs 41818, 41819, 41923, and 41922.

Workarounds

• Any workarounds, if available, are documented in the Cisco bugs, which are accessible through the Cisco Bug Search Tool.

Fixed Software

• When Cisco releases free software updates, customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
  http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

  Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

  When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

  Customers Without Service Contracts

  Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
  http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

  Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

  Fixed Releases

  To determine the affected and fixed releases for each vulnerable product, refer to the Cisco bug identified for the product. These bugs will be listed in the table in the Vulnerable Products section of this advisory. Cisco bugs are accessible through the Cisco Bug Search Tool.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory against Cisco products.
  
  Public exploits are available for this vulnerability.

Source

• This vulnerability was disclosed by Apache in the following advisories: https://cwiki.apache.org/confluence/display/WW/S2-045 and https://cwiki.apache.org/confluence/display/WW/S2-046

URL

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2

Revision History

• Version	Description	Section	Status	Date
  1.12	Updated product lists.	Vulnerable Products, Products Confirmed Not Vulnerable	Final	2017-May-05
  1.11	Updated product lists.	Vulnerable Products, Products Confirmed Not Vulnerable	Final	2017-April-19
  1.10	Updated product lists.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Final	2017-April-13
  1.9	Updated product lists.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Final	2017-March-28
  1.8	Updated the product lists and summary and source information.	Summary, Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable, Source	Interim	2017-March-23
  1.7	Updated the product lists and Snort SID information.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable, Indicators of Compromise	Interim	2017-March-21
  1.6	Updated product lists.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2017-March-17
  1.5	Updated product lists.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2017-March-15
  1.4	Updated product lists.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2017-March-14
  1.3	Updated product lists.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2017-March-13
  1.2	Updated product lists.	Affected Products, Products Confirmed Not Vulnerable	Interim	2017-March-13
  1.1	Updated product lists.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2017-March-11
  1.0	Initial public release.	-	Interim	2017-March-10

  Show Complete History...