Cisco closes Web Conferencing and Data Center holes
Networking specialist Cisco has published two new security advisories detailing vulnerabilities in its Web Conferencing and Data Center products. According to the company, previous versions of the Cisco Prime Data Center Network Manager (DCNM) contained a remote code execution flaw that could have been exploited by an unauthenticated attacker to remotely execute arbitrary commands on a vulnerable system running the network management application.
The problem in the Cisco Prime DCNM application was caused by a bug in the JBoss Application Server Remote Method Invocation (RMI) services, allowing arbitrary commands to be sent in the context of the System user on Windows or as the root user under Linux. The security hole is confirmed to affect devices running version 6.1(1a); however, other versions may also be vulnerable. Upgrading to release 6.1(1) for Windows and Linux fixes the problem.
Cisco has also released updates for its Unified MeetingPlace Web Conferencing products to address SQL injection and buffer overrun vulnerabilities. The company says that these could, for example, be used by an unauthenticated, remote attacker to cripple the conferencing system by causing a denial-of-service (DoS), or even to create, delete or alter some information in the software's database. All versions up to and including 7.0 as well as 7.1, 8.0 and 8.5 are affected. Users are advised to upgrade to 7.1MR1 Patch 1, 8.0MR1 Patch 1 or 8.5MR3 to close these holes.
- Multiple Vulnerabilities in Cisco Unified MeetingPlace Web Conferencing, security advisory from Cisco.
- Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability, security advisory from Cisco.