On November 5, 2018, the Apache Struts Team released a security announcement urging an upgrade of the Commons FileUpload library to version 1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using earlier versions of this library may be exposed to attacks that could allow execution of arbitrary code or modifications of files on the system. The issue is caused by a previously reported vulnerability of the Apache Commons FileUpload library, assigned to CVE-2016-1000031. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by submitting crafted data to an affected system. A successful exploit could allow the attacker to execute arbitrary code or manipulate files on the targeted system. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload
On November 5, 2018, the Apache Struts Team released a security announcement urging an upgrade of the Commons FileUpload library to version 1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using earlier versions of this library may be exposed to attacks that could allow execution of arbitrary code or modifications of files on the system. The issue is caused by a previously reported vulnerability of the Apache Commons FileUpload library, assigned to CVE-2016-1000031.
The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by submitting crafted data to an affected system. A successful exploit could allow the attacker to execute arbitrary code or manipulate files on the targeted system.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload
Cisco investigated its product line to determine which products and services may be affected by this vulnerability.
The Vulnerable Products section of this advisory includes Cisco bug IDs for each affected product or service. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.
Any product or service not listed in the “Vulnerable Products” section of this advisory is to be considered not vulnerable.
The following table lists Cisco products and services that are affected by the vulnerability that is described in this advisory. The software availability dates in the Fixed Release Availability column are estimates, and actual software availability may differ from the dates provided in the following table.
| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Collaboration and Social Media | ||
| Cisco SocialMiner | CSCvn22343 | Patch file available for 11.5/11.6 by Dec 2018 12.0.1 (Jan 2019) |
| Cisco Webex Meetings Server | CSCvn18895 | 2.8MR3 Security Patch 1 (Dec 2018) 3.0MR2 Security Patch 2 (Dec 2018) |
| Endpoint Clients and Client Software | ||
| Cisco Webex Management - SuperAdmin Control Panel | CSCvn18901 | T33.7.2 (Dec 2018) |
| Network and Content Security Devices | ||
| Cisco Identity Services Engine (ISE) | CSCvn17524 | Hot patch available for 2.1 Patch 7/2.3 Patch 5 2.2 Patch 12 (Nov 2018) 2.3 Patch 6 (Feb 2019) 2.4 Patch 5 (Nov 2018) 2.5 (Dec 2018) |
| Cisco Secure Access Control System (ACS) | CSCvn18934 | No fix planned 1 |
| Network Management and Provisioning | ||
| Cisco Evolved Programmable Network Manager | CSCvn44132 | 2.2.1.2 (Dec 2018) |
| Cisco Prime Collaboration Provisioning | CSCvn18919 | 12.6 (Nov 2018) |
| Cisco Prime Infrastructure | CSCvn18917 | 3.3.1 Update 04 (Feb 2019) 3.4.1 Update 03 (Mar 2019) 3.5 (Dec 2018) |
| Cisco Prime License Manager | CSCvn18924 | Patch file available for 10.5.2/11.5.1 by Dec 2018 |
| Cisco Prime Network Registrar IP Address Manager (IPAM) | CSCvn18913 | No fix planned |
| Cisco Prime Network | CSCvn18910 | Patch file available for 5.1 by Dec 2018 5.2 (May 2019) |
| Cisco Prime Service Catalog | CSCvn22307 | 12.1 v7 Patch (Dec 2018) |
| Routing and Switching - Enterprise and Service Provider | ||
| Cisco IOx Fog Director | CSCvn19758 | 1.7.1 (Jan 2019) 1.8 (Feb 2019) |
| Cisco IoT Field Network Director (formerly Cisco Connected Grid Network Management System) | CSCvn20600 | 4.3.2 (Dec 2018) |
| Voice and Unified Communications Devices | ||
| Cisco Emergency Responder | CSCvn18956 | Patch file available for 11.5.1/12.0.1 by Dec 2018 12.5.1 (Jan 2019) |
| Cisco Enterprise Chat and Email | CSCvn18957 | 11.6 ES6 (Jan 2019) 12.0.1 (Jan 2019) |
| Cisco Finesse | CSCvn22344 | Patch file available for 11.6 by Dec 2018 12.0.1 (Jan 2019) |
| Cisco Hosted Collaboration Mediation Fulfillment | CSCvn18961 | 11.5(4) (Available) |
| Cisco Hosted Collaboration Solution for Contact Center | CSCvn18962 | 12.0.1 (Jan 2019) |
| Cisco MediaSense | CSCvn22346 | No fix planned |
| Cisco Unified Communications Manager IM & Presence Service (formerly CUPS) | CSCvn18959 | Patch file available for 10.5.2/11.5.1/12.0.1 by Dec 2018 12.5.1 (Jan 2019) |
| Cisco Unified Communications Manager | CSCvn18952 | Patch file available for 10.5.2/11.5.1/12.0.1 by Dec 2018 12.5.1 (Jan 2019) |
| Cisco Unified Contact Center Enterprise | CSCvn18888 | 12.0.1 (Jan 2019) |
| Cisco Unified Contact Center Express | CSCvn18955 | Patch file available for 11.5/11.6 by Dec 2018 12.0.1 (Jan 2019) |
| Cisco Unified E-Mail Interaction Manager | CSCvn18958 | No fix planned |
| Cisco Unified Intelligence Center | CSCvn18887 | Patch file available for 11.5/11.6 by Dec 2018 12.0.1 (Jan 2019) |
| Cisco Unified Intelligent Contact Management Enterprise | CSCvn18888 | 12.0.1 (Jan 2019) |
| Cisco Unified Web Interaction Manager | CSCvn18958 | No fix planned |
| Cisco Unity Connection | CSCvn18954 | Patch file available for 10.5.2/11.5.1/12.0.1 by Dec 2018 12.5.1 (Jan 2019) |
| Cisco Virtualized Voice Browser | CSCvn18963 | Patch file available for 11.5/11.6 by Dec 2018 12.0.1 (Jan 2019) |
| Video, Streaming, TelePresence, and Transcoding Devices | ||
| Cisco Video Distribution Suite for Internet Streaming (VDS-IS) | CSCvn18928 | Patch file available by Dec 2018 |
| Wireless | ||
| Cisco Mobility Services Engine | CSCvn22305 | Patch file available by Dec 2018 |
| Cisco Universal Small Cell RAN Management System (USC RMS) | CSCvn18939 | No fix planned |
| Cisco Cloud Hosted Services | ||
| Cisco Prime Network Change and Configuration Management | CSCvn19865 | 3.6.1 (Dec 2018) 3.7 (Mar 2019) |
| Cisco Smart Connected Spaces | CSCvn22310 | Patch file available by Dec 2018 |
| Cisco Smart Net Total Care - Contracts Information System Process Controller | CSCvn18884 | 4.3.6 (Dec 2018) |
| Cisco Webex Centers - Meeting Center, Training Center, Event Center, Support Center |
CSCvn24113 | T33.7.2 (Dec 2018) T32.20.2 (Dec 2018) |
| Cisco Webex Meetings | CSCvn18908 | Cisco will update affected systems in Dec 2018 |
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following products and services:
Network Application, Service, and AccelerationAny workarounds for a specific Cisco product or service will be documented in product-specific or service-specific Cisco bugs, which are identified in the Vulnerable Products section of this advisory.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
| Version | Description | Section | Status | Date |
|---|---|---|---|---|
| 1.17 | Updated information about fixed release availability for Cisco Prime Infrastructure. The fix was not integrated in release 3.4.1 Update 02 but will be integrated in 3.4.1 Update 03. Corrected a typo referencing January 2018 instead of January 2019 as availability time for some fixed releases. | Vulnerable Products | Final | 2019-February-07 |
| 1.16 | Updated information about fixed release availability for Cisco Prime Infrastructure. The fix was not integrated in release 3.3.1 Update 03 but will be integrated in 3.3.1 Update 04. | Vulnerable Products | Final | 2019-January-11 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
Vulmon