
Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA

    Cisco Adaptive Security Appliance Software Version 8.0(2)
    Device Manager Version 6.0(1)
    
    [...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM)
to manage their devices can find their software version displayed in
a table in the login window or in the upper left corner of the ASDM
window.

Erroneous SIP Processing Vulnerabilities

Cisco Security Advisory: Cisco IOS Software Internet Group Management Protocol Denial of Service Vulnerability

The IP router alert option may or may not be present in packets
attempting to exploit the vulnerability described in this document.

This vulnerability is documented in Cisco bug ID CSCte14603
(registered customers only). This vulnerability has been assigned
Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2830.

Vulnerability Scoring Details
=============================


Cisco Security Advisory: Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerabilities

process to fail, which could result in the disruption of voice
services. All SIP ports (TCP ports 5060 and 5061 and UDP ports 5060
and 5061) are affected.

The first SIP DoS vulnerability is documented in Cisco Bug ID
CSCta31358 (registered customers only) and has been assigned the CVE
identifier CVE-2010-2835. This vulnerability is fixed in Cisco
Unified Communications Manager versions 6.1(5), 7.0(2a)su3,
7.1(3b)su2, 7.1(5) and 8.0(1). The corresponding IOS defect is CSCta20040.

The second SIP DoS vulnerability is documented in Cisco Bug ID

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

SCCP Inspection Denial of Service Vulnerability.

Because Cisco PIX 500 Series Security Appliances reached the end
of software maintenance releases milestone on July 28, 2009,
no further software releases will be available. Cisco PIX 500
Series Security Appliance customers are encouraged to migrate
to Cisco ASA 5500 Series Adaptive Security Appliances or to
implement any applicable workarounds that are listed in the
Workarounds section of this advisory. Fixed software is available
for Cisco ASA 5500 Series Adaptive Security Appliances only.
For more information, refer to the End of Life announcement at

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Manager

device on TCP port 8080 or 8443.

An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.

  * Cisco TelePresence Manager: CSCtc59562 (registered customers
    only) has been assigned the Common Vulnerabilities and Exposures
    (CVE) identifier CVE-2011-0380.

Java RMI Command Injection
+-------------------------

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Communications Manager

  * Cisco Unified Communications Manager 6.x
  * Cisco Unified Communications Manager 7.x
  * Cisco Unified Communications Manager 8.x

Note: Cisco Unified Communications Manager version 5.1 reached end of
software maintenance on February 13, 2010. Customers who are using
Cisco Unified Communications Manager 5.x versions should contact their
Cisco support team for assistance in upgrading to a supported version
of Cisco Unified Communications Manager.

Products Confirmed Not Vulnerable

Cisco Security Advisory: Cisco IOS XR Software SSHv1 Denial of Service Vulnerability

properly removed when the session ends. Multiple connections may
consume all available space in the /tmp filesystem and cause the
system to crash, leading to a denial of service condition.

This vulnerability is documented in Cisco Bug ID CSCtd64417
(registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) ID CVE-2011-0949.

Vulnerability Scoring Details
+----------------------------


Cisco Security Advisory: Open Query Interface in Cisco Unified Communications Manager and Cisco Unified Presence Server

versions.

Cisco has released free updated software for most supported releases.
A security patch file is also available for all supported versions
that will remediate this issue. The patch may be applied to active
systems without requiring a reload. Customers are advised to apply a
fixed version or upgrade to a fixed train. Customers who need to stay
on a version for which updated software is not currently available, or
who cannot immediately apply the update, are advised to apply the
patch.


Cisco Security Advisory: Cisco Nexus 5000 and 3000 Series Switches Access Control List Bypass Vulnerability

default implicit deny at the end of the ACL. IPv4, IPv6 and MAC ACLs
are affected. QoS classification and route-map ACLs are not affected
by this vulnerability.

This vulnerability is documented in Cisco bug IDs CSCto09813
(registered customers only) and CSCtr61490 (registered customers
only), and has been assigned CVE ID CVE-2011-2581.

Vulnerability Scoring Details
+----------------------------


Cisco Security Advisory: Cisco Unified Contact Center Express Directory Traversal Vulnerability

  * Cisco UCCX version 7.0(x)
  * Cisco UCCX version 8.0(x)
  * Cisco UCCX version 8.5(x)

Note: Cisco UCCX versions prior to 6.0(x) reached end of software
maintenance. Customers running versions prior to 6.0(x) should
contact their Cisco support team for assistance in upgrading to a
supported version of Cisco UCCX.

The following Cisco Unified IP Interactive Voice Response versions
are vulnerable:

Cisco Security Advisory: Cisco IP Video Phone E20 Default Root Account

architectural change was made to help harden the devices by allowing
administrators to disable the root account. The intended result of
this change is to separate the super account into two accounts, root
and admin, while subsequently disabling the root account by default.

It was found that in many cases, customers upgrading from a previous
release of TE software to TE 4.1.0 are likely to experience an error
condition in which the root account is not properly disabled. This
creates a situation in which the root account is accessible via SSH
with a default password. It was subsequently discovered that the
command implemented to allow an administrator to enable or disable the

Cisco Security Advisory: Cisco NX-OS Malformed IP Packet Denial of Service Vulnerability

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.

Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the
following link:

Cisco Security Advisory: Cisco Unified Communications Manager Skinny Client Control Protocol Vulnerabilities

  * Cisco Business Edition 3000
  * Cisco Business Edition 5000
  * Cisco Business Edition 6000

Note: Cisco Unified Communications Manager version 6.1 reached the End
of Software Maintenance on September 3, 2011. Customers using Cisco
Unified Communications Manager Software versions 6.x should contact
their Cisco support team for assistance in upgrading to a supported
version of Cisco Unified Communications Manager.



Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.

Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the
following link:

Cisco Security Advisory: Vulnerabilities in Cisco Unified Contact Center Express

The vulnerabilities described in this document affect the following products:

  * Cisco UCCX versions 5.x, 6.x, and 7.x
  * Cisco Customer Response Solution (CRS) versions 5.x, 6.x, and 7.x
  * Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) versions
    5.x, 6.x, and 7.x

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Security Advisory: Cisco Secure Desktop ActiveX Control Code Execution Vulnerability

version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability

    FWSM Firewall Version 3.2(2)10

    [...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to
manage their devices can find the version of the software displayed in
the table in the login window or in the upper left corner of the ASDM
window. The version notation is similar to the following example.

    FWSM Version: 3.2(2)10

Cisco Security Advisory: Cisco IOS Software Internet Key Exchange Resource Exhaustion Vulnerability

version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

Cisco Security Advisory: Cisco IOS XR Software Border Gateway Protocol Vulnerability

The peering session will flap until the sender stops sending the
invalid/corrupt prefix.

This vulnerability is documented in Cisco Bug ID CSCtb42995
(registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) ID CVE-2009-2055.

Vulnerability Scoring Details
=============================


Cisco Security Advisory: CiscoWorks TFTP Directory Traversal Vulnerability

this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at:

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances

    Cisco PIX Security Appliance Software Version 8.0(4)
    Device Manager Version 5.2(3)

    <output truncated>

Customers who use Cisco ASDM to manage their devices can find the
software version displayed in the table in the login window or in the
upper left corner of the ASDM window.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Security Advisory: Cisco ONS Platform Crafted Packet Vulnerability

version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

Cisco Security Advisory: SNMP Version 3 Authentication Vulnerabilities

libraries under the advisory to provide anonymous read-only access to
system health data. There is no risk of escalated authorization
privileges allowing a 3rd party to make any configuration changes to
the IronPort devices. IronPort S-Series and Encryption Appliances are
not affected by this advisory. This announcement has also been posted
on the IronPort Support Portal, available to IronPort customers: 

https://supportportal.ironport.com/irppcnctr/srvcd?u=http://secure-support.soma.ironport.com/announcement&sid=900016 

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Security Advisory: CiscoWorks Internetwork Performance Monitor Remote Command Execution Vulnerability

CiscoWorks Internetwork Performance Monitor (IPM) version 2.6 for Sun
Solaris and Microsoft Windows operating systems contains a
vulnerability that allows remote, unauthenticated users to execute
arbitrary commands. There are no workarounds for this vulnerability.
Cisco has made free software available to address this issue for
affected customers.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080313-ipm.shtml.

Affected Products

Cisco Security Advisory: Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720

      address-family vpnv4
    router ospf 1 vrf VRFNAME
     area 0 sham-link  192.168.1.1 192.168.100.1
    Router# 
    
For customers that run versions of IOS that support the section
modifier, an additional option is available to view the relevant
sections of the running configuration:

    Router# show run | section ^router
    router bgp 1

Cisco Security Advisory: Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities

Cisco Unified IP Phone models contain multiple overflow and denial of
service (DoS) vulnerabilities. There are workarounds for several of
these vulnerabilities. Cisco has made free software available to
address this issue for affected customers.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml


Cisco Security Advisory: Default Passwords in the Application Velocity System

After upgrading to software version AVS 5.1.0, users will be prompted to
modify these credentials.

Cisco will make free upgrade software available to address this
vulnerability for affected customers. The software upgrade will
be applicable only for the AVS 3120, 3180, and 3180A systems. The
workaround identified in this document describes how to change the
passwords in current releases of software for the AVS 3110.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0029 has

Cisco Security Advisory: Cisco Unified Communications Web-based Management Vulnerability

Details
=======

Cisco Unified ICME, Unified ICMH, UCCE, UCCH and SUCCE are a suite of
strategic platforms that enable customers to provide intelligent
routing and call treatment with blending of multiple communication
channels.

A vulnerability exists in software version 7.1(5) for Cisco Unified
ICME, Unified ICMH, UCCE, UCCH and SUCCE editions that may enable any

Cisco Security Advisory: XSS and SQL Injection in Cisco CallManager/Unified Communications Manager Logon Page

allow an attacker to run JavaScript on computer systems connecting to
CallManager or Unified Communications Manager servers, and has the
potential to disclose information within the database.

Cisco has made free software available to address these vulnerabilities
for affected customers.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml.

Affected Products

Cisco Security Advisory: CiscoWorks Common Services Arbitrary Code Execution Vulnerability

CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
