This article is more than 1 year old
Cisco bitten by Java deserialisation bug, working on patch
Huge number of vulnerable products
November's high-profile Java deserialisation bug has bitten Cisco, with the company announcing vulnerabilities across the board in its huge product line.
The problem is so pervasive that it reaches into the most trivial activities of the sysadmin, such as serial number assessment services.
The original advisory made by FoxGlove Security focussed on the Apache Commons Collections (ACCs), but a few days ago, SourceClear warned that it appeared in a lot more libraries than originally believed.
Cisco agrees: in its advisory, it notes that “Any application or application framework could be vulnerable if it uses the ACC library and deserializes arbitrary, user-supplied Java serialized data”.
Under investigation are products in its collaboration software, endpoint client software, network acceleration, network content and security, network management and provisioning, switching and routing (including various versions of IOS), unified computing, unified communications, video, telepresence and wireless products.
Cisco's cloud services are also getting the hard eye to see if the ACC bug affects them.
We've included below Cisco's table of products so far confirmed vulnerable.
The Borg says it is now working on software updates. ®
Vulnerable products so far
| Product | Defect |
|---|---|
| Cable Modems | |
| Digital Life RMS 1.8.1.1 for Cisco Broadband Access Center Telco Wireless 3.8.1 | CSCux34660 |
| Collaboration and Social Media | |
| Cisco SocialMiner | CSCux34833 |
| Cisco WebEx Meetings Server versions 1.x | CSCux34612 |
| Cisco WebEx Meetings Server versions 2.x | CSCux34612 |
| Network Application, Service, and Acceleration | |
| Cisco Visual Quality Experience Server | CSCux34725 |
| Cisco Visual Quality Experience Tools Server | CSCux34725 |
| Network and Content Security Devices | |
| Cisco Secure Access Control Server (ACS) | CSCux34781 |
| Network Management and Provisioning | |
| Cisco Configuration Professional | CSCux35040 |
| Cisco Digital Media Manager | CSCux34692 |
| Cisco Insight Reporter | CSCux34694 |
| Cisco Prime Collaboration Provisioning | CSCux34669 |
| Cisco Prime Home | CSCux34668 |
| Cisco Prime Performance Manager | CSCux34953 |
| Cisco Prime Provisioning for SPs | CSCux34664 |
| Cisco Prime Provisioning | CSCux35084 |
| Cisco Prime Service Catalog Virtual Appliance | CSCux34715 |
| Cisco Security Manager | CSCux34671 |
| Data Center Analytics Framework (DCAF) | CSCux34575 |
| Routing and Switching – Enterprise and Service Provider | |
| Cisco Broadband Access Center Telco Wireless | CSCux34645 |
| Voice and Unified Communications Devices | |
| Cisco Computer Telephony Integration Object Server (CTIOS) | CSCux34589 |
| Cisco IP Interoperability and Collaboration System (IPICS) | CSCux34720 |
| Cisco Management Heartbeat Server | CSCux35009 |
| Cisco MediaSense | CSCux34874 |
| Cisco Unified Contact Center Enterprise | CSCux34589 |
| Cisco Unified Intelligent Contact Management Enterprise | CSCux34589 |
| Cisco Unified SIP Proxy | CSCux34567 |
| Video, Streaming, TelePresence, and Transcoding Devices | |
| Cisco Media Experience Engines (MXE) | CSCux34968 |
| Cisco Show and Share | CSCux34708 |
| Cisco TelePresence Exchange System (CTX) | CSCux34690 |
| Cisco Videoscape Conductor | CSCux34792 |
| Cisco Hosted Services | |
| Business Video Services Automation Software (BV) | CSCux34572 |
| Cisco Cloud Email Security | CSCux34593 |
| Cisco Registered Envelope Service (CRES) | CSCux34591 |
| Communication/Collaboration Sizing Tool, Virtual Machine Placement Tool, Cisco Unified Communications Upgrade Readiness Assessment | CSCux34881 |
| DCAF UCS Collector | CSCux34924 |
| Network Change and Configuration Management | CSCux34580 |
| Partner Supporting Service (PSS) 1.x | CSCux34739 |
| SI component of Partner Supporting Service | CSCux34738 |
| Serial Number Assessment Service (SNAS) | CSCux34991 |
| Smart Net Total Care (SNTC) | CSCux34987 |
Biting the hand that feeds IT
