Cisco patches up Apache Struts 2 exploit


by Amy-jo Crowley| 14 July 2014

However, there is no update for Cisco Business Edition 3000.

Cisco has urged developers to add software updates to multiple unified contact centre business products that include Apache Struts 2 software.

The networking firm issued a patch for the four-year-old vulnerability, which would have allowed a malicious hacker to bypass the '#'-usage protection built into the ParametersInterceptor.

"An attacker could exploit this vulnerability by sending crafted requests that contain OGNL expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on the targeted system," Cisco said in a statement.

"This vulnerability has been confirmed to allow remote code execution with the privileges of the Administrator user for the Cisco Unified CCE. Exploitation on Cisco ISE, Cisco MXE 3500, and Cisco Business Edition 3000 Series is theoretically possible but could not be reproduced," it added.

Cisco has released free software updates that address this vulnerability for all affected products except Cisco Business Edition 3000 Series.

Users using Cisco Business Edition 3000 Series should contact their Cisco representative for available options, Cisco said

Source: Company Press Release

Post a comment

Comments may be moderated for spam, obscenities or defamation.
Privcy Policy

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.