On September 7, 2017, the Apache Software Foundation released a security bulletin that disclosed a vulnerability in the Freemarker tag functionality of the Apache Struts 2 package. The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. The Apache Software Foundation classifies the vulnerability as a Medium Severity vulnerability. For more information about this vulnerability, refer to the Details section of this advisory.

Multiple Cisco products incorporate a version of the Apache Struts 2 package that is affected by this vulnerability.

The following Snort rules can be used to detect possible exploitation of this vulnerability: Snort SIDs 44327 through 44330.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce
For information about whether a product is affected by this vulnerability, refer to the Vulnerable Products and Products Confirmed Not Vulnerable sections of this advisory. The Vulnerable Products section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including any available workarounds and fixed software releases.
Note: Only Cisco products that include Struts are listed in the "Vulnerable Products" or "Products Confirmed Not Vulnerable" sections. If a Cisco product is not listed, then it does not include Struts and is therefore not affected.
Cisco documents detailed information about fixed software releases in the Cisco bugs listed in this table. The bugs are accessible through the Cisco Bug Search Tool. When planning a software upgrade, customers should review the bugs directly because they contain the most current information.
The following table lists Cisco products that are affected by the vulnerability described in this advisory.
Product | Cisco Bug ID | Fixed Release Availability |
---|---|---|
Network Management and Provisioning | ||
Cisco Digital Media Manager | CSCvf89977 | No fix expected (EoSWM) (19-Aug-2016) |
Cisco MXE 3500 Series Media Experience Engines | CSCvf89979 | No fix expected (EoSWM) (2-Jan-2017) |
Video, Streaming, TelePresence, and Transcoding Devices | ||
Cisco Video Distribution Suite for Internet Streaming (VDS-IS) | CSCvf89984 | Fix pending |
Cisco Hosted Services | ||
Cisco Network Performance Analysis | CSCvf89992 | Product updated with Struts 2.3.34 (12-Sept-2017) |
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of this vulnerability against Cisco products.
Public exploits are available for this vulnerability.
On September 7, 2017, the Apache Software Foundation publicly disclosed this vulnerability in the following security bulletin: S2-053
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.11 | Updated the list of Products Confirmed Not Vulnerable to add Cisco Umbrella. | Products Confirmed Not Vulnerable | Final | 2017-October-23 |
1.10 | Updated the Vulnerable Products table with information about fixes. Updated Summary, Affected Products, Vulnerable Products, and Fixed Software to "Final status" language. | Summary, Affected Products, Vulnerable Products, Fixed Software | Final | 2017-October-03 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.