Cisco bitten by Java deserialisation bug, working on patch

Huge number of vulnerable products


November's high-profile Java deserialisation bug has bitten Cisco, with the company announcing vulnerabilities across the board in its huge product line.

The problem is so pervasive that it reaches into the most trivial activities of the sysadmin, such as serial number assessment services.

The original advisory from FoxGlove Security focussed on the Apache Commons Collections (ACC) library, but a few days ago SourceClear warned that the same deserialisation problem appears in a lot more libraries than originally believed.

Cisco agrees: in its advisory, it notes that “Any application or application framework could be vulnerable if it uses the ACC library and deserializes arbitrary, user-supplied Java serialized data”.
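The condition Cisco describes, an application feeding user-supplied bytes straight into `ObjectInputStream.readObject()`, and the standard look-ahead mitigation, shown as an added example that is not Cisco's code or from the advisory. The `Ping` message type, the class name `SafeDeserialization` and the sample streams are assumptions constructed for the demonstration.

```java
import java.io.*;
import java.util.Collections;
import java.util.Set;

public final class SafeDeserialization {
    // The pattern the advisory warns about is `new ObjectInputStream(untrusted).readObject()`:
    // the stream names the classes to instantiate, so a gadget chain built from classes
    // already on the classpath (such as ACC) executes inside readObject() before it returns.
    // Hardened form ("look-ahead" deserialisation): resolveClass() runs for every class
    // descriptor before an instance is built, so refusing names outside an explicit allow-list
    // stops gadget classes being loaded at all. Serializable superclasses carry their own
    // descriptors, so they must be listed as well.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in); this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName()))
                throw new InvalidClassException(desc.getName(), "not on deserialisation allow-list");
            return super.resolveClass(desc);
        }
    }

    public static Object safeDeserialize(byte[] untrusted, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(untrusted), allowed)) {
            return in.readObject();
        }
    }

    // Hypothetical message type that this service legitimately expects (assumed, not from the page).
    static final class Ping implements Serializable {
        final String host;
        Ping(String host) { this.host = host; }
        @Override public String toString() { return "Ping(" + host + ")"; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Collections.singleton(Ping.class.getName());
        // Constructed samples, not captured traffic: the expected Ping is accepted,
        // an unexpected HashMap is refused before any instance of it exists.
        System.out.println(safeDeserialize(serialize(new Ping("host-1")), allowed));
        try {
            safeDeserialize(serialize(new java.util.HashMap<String, String>()), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later (and the 8u121 backport of JEP 290) the same allow-list can be expressed with `ObjectInputFilter` or the `jdk.serialFilter` system property instead of subclassing, which also covers code paths that construct their own `ObjectInputStream`.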

Under investigation are products in its collaboration software, endpoint client software, network acceleration, network content and security, network management and provisioning, switching and routing (including various versions of IOS), unified computing, unified communications, video, telepresence and wireless products.

Cisco's cloud services are also getting the hard eye to see if the ACC bug affects them.

We've included below Cisco's table of products so far confirmed vulnerable.

The Borg says it is now working on software updates. ®

Vulnerable products so far

| Category | Product | Defect ID |
|---|---|---|
| Cable Modems | Digital Life RMS 1.8.1.1 for Cisco Broadband Access Center Telco Wireless 3.8.1 | CSCux34660 |
| Collaboration and Social Media | Cisco SocialMiner | CSCux34833 |
| Collaboration and Social Media | Cisco WebEx Meetings Server versions 1.x | CSCux34612 |
| Collaboration and Social Media | Cisco WebEx Meetings Server versions 2.x | CSCux34612 |
| Network Application, Service, and Acceleration | Cisco Visual Quality Experience Server | CSCux34725 |
| Network Application, Service, and Acceleration | Cisco Visual Quality Experience Tools Server | CSCux34725 |
| Network and Content Security Devices | Cisco Secure Access Control Server (ACS) | CSCux34781 |
| Network Management and Provisioning | Cisco Configuration Professional | CSCux35040 |
| Network Management and Provisioning | Cisco Digital Media Manager | CSCux34692 |
| Network Management and Provisioning | Cisco Insight Reporter | CSCux34694 |
| Network Management and Provisioning | Cisco Prime Collaboration Provisioning | CSCux34669 |
| Network Management and Provisioning | Cisco Prime Home | CSCux34668 |
| Network Management and Provisioning | Cisco Prime Performance Manager | CSCux34953 |
| Network Management and Provisioning | Cisco Prime Provisioning for SPs | CSCux34664 |
| Network Management and Provisioning | Cisco Prime Provisioning | CSCux35084 |
| Network Management and Provisioning | Cisco Prime Service Catalog Virtual Appliance | CSCux34715 |
| Network Management and Provisioning | Cisco Security Manager | CSCux34671 |
| Network Management and Provisioning | Data Center Analytics Framework (DCAF) | CSCux34575 |
| Routing and Switching – Enterprise and Service Provider | Cisco Broadband Access Center Telco Wireless | CSCux34645 |
| Voice and Unified Communications Devices | Cisco Computer Telephony Integration Object Server (CTIOS) | CSCux34589 |
| Voice and Unified Communications Devices | Cisco IP Interoperability and Collaboration System (IPICS) | CSCux34720 |
| Voice and Unified Communications Devices | Cisco Management Heartbeat Server | CSCux35009 |
| Voice and Unified Communications Devices | Cisco MediaSense | CSCux34874 |
| Voice and Unified Communications Devices | Cisco Unified Contact Center Enterprise | CSCux34589 |
| Voice and Unified Communications Devices | Cisco Unified Intelligent Contact Management Enterprise | CSCux34589 |
| Voice and Unified Communications Devices | Cisco Unified SIP Proxy | CSCux34567 |
| Video, Streaming, TelePresence, and Transcoding Devices | Cisco Media Experience Engines (MXE) | CSCux34968 |
| Video, Streaming, TelePresence, and Transcoding Devices | Cisco Show and Share | CSCux34708 |
| Video, Streaming, TelePresence, and Transcoding Devices | Cisco TelePresence Exchange System (CTX) | CSCux34690 |
| Video, Streaming, TelePresence, and Transcoding Devices | Cisco Videoscape Conductor | CSCux34792 |
| Cisco Hosted Services | Business Video Services Automation Software (BV) | CSCux34572 |
| Cisco Hosted Services | Cisco Cloud Email Security | CSCux34593 |
| Cisco Hosted Services | Cisco Registered Envelope Service (CRES) | CSCux34591 |
| Cisco Hosted Services | Communication/Collaboration Sizing Tool, Virtual Machine Placement Tool, Cisco Unified Communications Upgrade Readiness Assessment | CSCux34881 |
| Cisco Hosted Services | DCAF UCS Collector | CSCux34924 |
| Cisco Hosted Services | Network Change and Configuration Management | CSCux34580 |
| Cisco Hosted Services | Partner Supporting Service (PSS) 1.x | CSCux34739 |
| Cisco Hosted Services | SI component of Partner Supporting Service | CSCux34738 |
| Cisco Hosted Services | Serial Number Assessment Service (SNAS) | CSCux34991 |
| Cisco Hosted Services | Smart Net Total Care (SNTC) | CSCux34987 |

Biting the hand that feeds IT © 1998–2022