Reference: CERT-EU Security Advisory 2013-0087

Title: Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products [1]

Version history:
04.11.2013 Initial publication

Summary
=======
Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability.

CVE numbers: CVE-2013-2251 [1]

Vulnerable systems
==================
Cisco Business Edition 3000
Cisco Identity Services Engine (ISE)
Cisco Media Experience Engine (MXE) 3500 Series
Cisco Unified SIP Proxy (CUSP)

Original Details
================
Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability.

The vulnerability is due to insufficient sanitization of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests consisting of Object-Graph Navigation Language (OGNL) expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on the targeted system.

Cisco has released free software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000. Cisco Business Edition 3000 customers should contact their Cisco representative for available options.

What can you do?
================
There is a patch. [1]

What to tell your users?
========================
N/A

More information
================
[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2

Best regards,

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383