Cisco has emitted 33 security bug fixes in its latest crop of software updates, five of those deemed critical.
Those five critical vulnerabilities include two remote code execution bugs (CVE-2020-3323, CVE-2020-3321) – with no workarounds for either other than patching – and one each of authentication bypass (CVE-2020-3144), privilege escalation (CVE-2020-3140), and default credential (CVE-2020-3330) flaws. Affected devices include multiple RV-series routers, the RV110W series VPN Firewall, and the Cisco Prime License Manager.
These flaws are rather annoying as they render the equipment incapable of doing its primary job: keeping unauthorized people off the device or network.
On top of the five critical bugs, Cisco posted fixes for 11 CVE-listed vulnerabilities deemed to be high security risks. Of those, seven were for issues in Cisco SD-WAN including:
- CVE-2020-3180: static credentials,
- CVE-2020-3351: denial of service,
- CVE-2020-3385: denial of service,
- CVE-2020-3387: remote code execution,
- CVE-2020-3381: directory traversal,
- CVE-2020-3369: denial of service, and
- CVE-2020-3388: command injection.
The remaining 15 patches clean up issues deemed "medium" security vulnerabilities in things like WebEx, SD-WAN, and datacenter network manager.
Admins are advised to test and install the patches as soon as possible. Switchzilla did not mention if any of the bugs were being actively targeted in the wild.
You will be forgiven if you forgot to check for the Cisco updates this week. Switchzilla's patches got buried beneath a flood of fixes from Microsoft, Adobe, VMware, SAP, and Google.
Oracle mega-patch lands
Oh, and don't forget Oracle (sorry, did you think you were done patching?) The enterprise IT giant also emitted a crop of fixes, 443 of them, to be exact.
We will spare you the details on these hundreds of bug fixes, but needless to say they cover most of Oracle's main products, and include two flaws in SD-WAN Aware and Edge (CVE-2020-14701 and CVE-2020-14606) deemed to be 10.0 CVSS security risks. ®