Executive Summary

Summary
Title : Cisco Secure Access Control System Java Deserialization Vulnerability
Information
Name : cisco-sa-20180307-acs2
First vendor Publication : 2018-03-07
Vendor : Cisco
Last vendor Modification : 2018-03-07
Severity (Vendor) : N/A
Revision : N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score : NA
Base Score : NA
Environmental Score : NA
Impact SubScore : NA
Temporal Score : NA
Exploitability Sub Score : NA
 

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score : 10
Attack Range : Network
Cvss Impact Score : 10
Attack Complexity : Low
Cvss Exploit Score : 10
Authentication : None Required

Detail

A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2


Original Source

Url : http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...)

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-502 Deserialization of Untrusted Data

CPE : Common Platform Enumeration

Type Description Count
Application 1

Snort® IPS/IDS

Date Description
2020-12-05 Cisco ACS unsafe Java object deserialization attempt
RuleID : 45870 - Revision : 1 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date Description
2018-03-16 Name : The remote host is missing a vendor-supplied security patch.
File : cisco-sa-20180307-acs2.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2020-12-05 21:23:46
  • Multiple Updates
2018-03-29 17:21:19
  • Multiple Updates
2018-03-08 12:07:06
  • Multiple Updates
2018-03-07 21:19:52
  • First insertion