On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details section of this advisory.

Multiple Cisco products incorporate a version of the Apache Struts 2 package that is affected by these vulnerabilities.

The following Snort rules can be used to detect possible exploitation of this vulnerability: Snort SIDs 44315 and 44327 through 44330.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

Product | Cisco Bug ID | Fixed Release Availability |
---|---|---|
**Network Management and Provisioning** | | |
Cisco Digital Media Manager | CSCvf86117 | No fix expected (EoSWM) (19-Aug-2016) |
Cisco MXE 3500 Series Media Experience Engines (*) | CSCvf86119 | No fix expected (EoSWM) (2-Jan-2017) |
**Voice and Unified Communications Devices** | | |
Cisco Hosted Collaboration Solution for Contact Center (*) | CSCvf86143 | |
**Video, Streaming, TelePresence, and Transcoding Devices** | | |
Cisco Video Distribution Suite for Internet Streaming (VDS-IS) (*) | CSCvf86124 | Product updated with Struts 2.3.34 (29-Sept-2017) |
**Cisco Hosted Services** | | |
Cisco Network Performance Analysis (*) | CSCvf86134 | Product updated with Struts 2.3.34 (12-Sept-2017) |

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Version | Description | Section | Status | Date |
---|---|---|---|---|
1.12 | Updated the list of Products Confirmed Not Vulnerable to add Cisco Umbrella. | Products Confirmed Not Vulnerable | Final | 2017-October-23 |
1.11 | Updated the Vulnerable Products table with information about fixes. Updated Summary, Affected Products, Vulnerable Products, and Fixed Software to "Final status" language. | Summary, Affected Products, Vulnerable Products, Fixed Software | Final | 2017-October-03 |

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.