This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Cisco First view 2017-07-05
Product Ultra Services Framework Last view 2017-07-05
Version 5.0.2 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:cisco:ultra_services_framework

Activity : Overall

Related : CVE

  Date Alert Description
9.1 2017-07-05 CVE-2017-6711

A vulnerability in the Ultra Automation Service (UAS) of the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted device. The vulnerability is due to an insecure default configuration of the Apache ZooKeeper service used by the affected software. An attacker could exploit this vulnerability by accessing the affected device through the orchestrator network. An exploit could allow the attacker to gain access to ZooKeeper data nodes (znodes) and influence the behavior of the system's high-availability feature. This vulnerability affects all releases of Cisco Ultra Services Framework UAS prior to Releases 5.0.3 and 5.1. Cisco Bug IDs: CSCvd29395.

9.8 2017-07-05 CVE-2017-6709

A vulnerability in the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to access administrative credentials for Cisco Elastic Services Controller (ESC) and Cisco OpenStack deployments in an affected system. The vulnerability exists because the affected software logs administrative credentials in clear text for Cisco ESC and Cisco OpenStack deployment purposes. An attacker could exploit this vulnerability by accessing the AutoVNF URL for the location where the log files are stored and subsequently accessing the administrative credentials that are stored in clear text in those log files. This vulnerability affects all releases of the Cisco Ultra Services Framework prior to Releases 5.0.3 and 5.1. Cisco Bug IDs: CSCvc76659.

9.8 2017-07-05 CVE-2017-6708

A vulnerability in the symbolic link (symlink) creation functionality of the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to read sensitive files or execute malicious code on an affected system. The vulnerability is due to the absence of validation checks for the input that is used to create symbolic links. This vulnerability affects all releases of the Cisco Ultra Services Framework prior to Releases 5.0.3 and 5.1. Cisco Bug IDs: CSCvc76654.

CWE : Common Weakness Enumeration

%idName
25% (1) CWE-532 Information Leak Through Log Files
25% (1) CWE-522 Insufficiently Protected Credentials
25% (1) CWE-287 Improper Authentication
25% (1) CWE-200 Information Exposure

Snort® IPS/IDS

Date Description
2017-08-23 Cisco Ultra Services Framework AutoVNF directory traversal attempt
RuleID : 44063 - Type : SERVER-WEBAPP - Revision : 1
2017-07-06 Cisco Ultra Services Framework unauthenticated ZAB connect request detected
RuleID : 43452 - Type : POLICY-OTHER - Revision : 1
2017-07-06 log file access detected
RuleID : 43449 - Type : POLICY-OTHER - Revision : 1