Cisco bitten by Java deserialisation bug, working on patch

Huge number of vulnerable products


November's high-profile Java deserialisation bug has bitten Cisco, with the company announcing vulnerabilities across the board in its huge product line.

The problem is so pervasive that it reaches into the most trivial activities of the sysadmin, such as serial number assessment services.

The original advisory from FoxGlove Security focussed on the Apache Commons Collections (ACC) library, which supplies the gadget chain the published exploits rely on, but a few days ago SourceClear warned that the library is bundled with far more software than originally believed.

Cisco agrees: in its advisory, it notes that “Any application or application framework could be vulnerable if it uses the ACC library and deserializes arbitrary, user-supplied Java serialized data”.
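The condition Cisco describes has two halves: ACC on the classpath, and a code path that hands attacker-controlled bytes to ObjectInputStream. The following is an added example, not code from the article or from Cisco, showing the vulnerable pattern beside the standard hardening (an ObjectInputStream that refuses any class not on an allowlist before it is instantiated). The Heartbeat class, its field names and the host string are invented for illustration.

```java
import java.io.*;
import java.util.*;

public class SafeDeserialization {

    // Hypothetical application message type used for the demonstration.
    static final class Heartbeat implements Serializable {
        private static final long serialVersionUID = 1L;
        final String host;
        final int seq;
        Heartbeat(String host, int seq) { this.host = host; this.seq = seq; }
    }

    // The only classes this endpoint legitimately expects to receive.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        Heartbeat.class.getName(),
        "java.lang.String",
        "java.lang.Integer",
        "java.lang.Number"));

    // Vulnerable pattern: readObject() will instantiate whatever classes the stream
    // names, as long as they exist on the classpath. With commons-collections present,
    // a crafted stream can reach its Transformer gadget chain before this method returns.
    static Object readUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: resolveClass() runs for every class descriptor in the stream
    // before the class is loaded, so an unexpected class is rejected without being
    // instantiated and without any of its readObject()/readResolve() logic running.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readHardened(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected message: accepted by both readers.
        byte[] ok = serialize(new Heartbeat("ucs-01.example", 7));
        Heartbeat h = (Heartbeat) readHardened(ok);
        System.out.println("accepted: " + h.host + " seq=" + h.seq);

        // A stream naming a class outside the allowlist. An innocuous JDK class is used
        // here rather than a gadget; the hardened reader rejects it on the class name alone.
        byte[] unexpected = serialize(new Date());
        readUntrusted(unexpected);   // vulnerable reader happily reconstructs it
        try {
            readHardened(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

Two caveats for anyone applying this to their own code. First, the allowlist must name every class the stream can legitimately carry, including array types and the classes of nested fields, or valid traffic will be rejected; the failure mode is loud, which is the point. Second, ACC is only the gadget chain that happened to be published: removing or upgrading commons-collections closes that one route, but the underlying defect is deserializing data from an untrusted source, and the allowlist (or, on JDKs that have it, the built-in serialization filtering of JEP 290) is what actually fixes it.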

Under investigation are products in its collaboration software, endpoint client software, network acceleration, network content and security, network management and provisioning, switching and routing (including various versions of IOS), unified computing, unified communications, video, telepresence and wireless products.

Cisco's cloud services are also getting the hard eye to see if the ACC bug affects them.

We've included below Cisco's table of products so far confirmed vulnerable.

The Borg says it is now working on software updates. ®

Vulnerable products so far

Product (Cisco bug ID)

Cable Modems
  Digital Life RMS 1.8.1.1 for Cisco Broadband Access Center Telco Wireless 3.8.1 (CSCux34660)

Collaboration and Social Media
  Cisco SocialMiner (CSCux34833)
  Cisco WebEx Meetings Server versions 1.x (CSCux34612)
  Cisco WebEx Meetings Server versions 2.x (CSCux34612)

Network Application, Service, and Acceleration
  Cisco Visual Quality Experience Server (CSCux34725)
  Cisco Visual Quality Experience Tools Server (CSCux34725)

Network and Content Security Devices
  Cisco Secure Access Control Server (ACS) (CSCux34781)

Network Management and Provisioning
  Cisco Configuration Professional (CSCux35040)
  Cisco Digital Media Manager (CSCux34692)
  Cisco Insight Reporter (CSCux34694)
  Cisco Prime Collaboration Provisioning (CSCux34669)
  Cisco Prime Home (CSCux34668)
  Cisco Prime Performance Manager (CSCux34953)
  Cisco Prime Provisioning for SPs (CSCux34664)
  Cisco Prime Provisioning (CSCux35084)
  Cisco Prime Service Catalog Virtual Appliance (CSCux34715)
  Cisco Security Manager (CSCux34671)
  Data Center Analytics Framework (DCAF) (CSCux34575)

Routing and Switching – Enterprise and Service Provider
  Cisco Broadband Access Center Telco Wireless (CSCux34645)

Voice and Unified Communications Devices
  Cisco Computer Telephony Integration Object Server (CTIOS) (CSCux34589)
  Cisco IP Interoperability and Collaboration System (IPICS) (CSCux34720)
  Cisco Management Heartbeat Server (CSCux35009)
  Cisco MediaSense (CSCux34874)
  Cisco Unified Contact Center Enterprise (CSCux34589)
  Cisco Unified Intelligent Contact Management Enterprise (CSCux34589)
  Cisco Unified SIP Proxy (CSCux34567)

Video, Streaming, TelePresence, and Transcoding Devices
  Cisco Media Experience Engines (MXE) (CSCux34968)
  Cisco Show and Share (CSCux34708)
  Cisco TelePresence Exchange System (CTX) (CSCux34690)
  Cisco Videoscape Conductor (CSCux34792)

Cisco Hosted Services
  Business Video Services Automation Software (BV) (CSCux34572)
  Cisco Cloud Email Security (CSCux34593)
  Cisco Registered Envelope Service (CRES) (CSCux34591)
  Communication/Collaboration Sizing Tool, Virtual Machine Placement Tool, Cisco Unified Communications Upgrade Readiness Assessment (CSCux34881)
  DCAF UCS Collector (CSCux34924)
  Network Change and Configuration Management (CSCux34580)
  Partner Supporting Service (PSS) 1.x (CSCux34739)
  SI component of Partner Supporting Service (CSCux34738)
  Serial Number Assessment Service (SNAS) (CSCux34991)
  Smart Net Total Care (SNTC) (CSCux34987)
