Cisco has released a critical security announcement (link below) urging an upgrade of the Apache Commons FileUpload library to version 1.3.3 on systems running Struts 2.3.36 or earlier. Systems using an earlier version of this library may be exposed to attacks that allow execution of arbitrary code or modification of files on the system. The issue stems from a previously reported vulnerability in the Apache Commons FileUpload library, tracked as CVE-2016-1000031 with a CVSS score of 9.8.
What is the vulnerability?
The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by submitting crafted data to an affected system. A successful exploit could allow the attacker to execute arbitrary code or manipulate files on the targeted system.
Vulnerable Products
The devices affected are primarily Cisco Prime devices and Unified Communications devices.
The full list of vulnerable products is available in the Cisco advisory linked below.
How do I Remediate?
Cisco have advised an upgrade of the Commons FileUpload library to version 1.3.3 on systems using Struts 2.3.36 or earlier releases.
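Before and after applying that upgrade, it helps to confirm which Commons FileUpload version a server is actually running rather than trusting a build file, because the jar is typically bundled inside the application's WAR rather than installed system-wide. The following script is an added example for this post (it is not Cisco's or Apache's code): it walks a deployment directory, finds commons-fileupload jars both loose on disk and packaged inside .war/.ear archives, and flags any version below 1.3.3. The jar names in the test data are constructed samples, and the script assumes the conventional Maven artifact naming (commons-fileupload-<version>.jar).

```python
"""
Added example for this post (not Cisco's or Apache's code): walk a
deployment directory, find Apache Commons FileUpload jars, and flag any
older than 1.3.3, the version the advisory says to upgrade to. Jars
bundled inside .war/.ear archives are inspected too, since that is
where a Struts 2 application usually carries the library.
"""
import os
import re
import zipfile
from typing import Iterable, List, Optional, Tuple

FIXED_VERSION = (1, 3, 3)  # remediation target named in the advisory

# Conventional Maven artifact name, e.g. commons-fileupload-1.3.2.jar.
# A trailing qualifier such as -SNAPSHOT is accepted but ignored.
JAR_NAME = re.compile(r"^commons-fileupload-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.3.2' -> (1, 3, 2); compare numerically, never as strings."""
    return tuple(int(part) for part in text.split("."))


def version_from_jar_name(filename: str) -> Optional[Tuple[int, ...]]:
    """Return the version tuple if the name is a commons-fileupload jar."""
    match = JAR_NAME.match(filename)
    return parse_version(match.group(1)) if match else None


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when the version is below 1.3.3 ('1.3' is treated as 1.3.0)."""
    padded = tuple(version) + (0,) * max(0, len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION


def scan_names(names: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Classify file paths or archive entry names.

    Returns (name, version string, vulnerable?) for each fileupload jar found.
    """
    findings = []
    for name in names:
        version = version_from_jar_name(os.path.basename(name))
        if version is None:
            continue
        findings.append((name, ".".join(map(str, version)), is_vulnerable(version)))
    return findings


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Scan loose jars under root plus jars packaged inside war/ear files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            if filename.endswith(".jar"):
                findings.extend(scan_names([path]))
            elif filename.endswith((".war", ".ear")):
                with zipfile.ZipFile(path) as archive:
                    nested = scan_names(archive.namelist())
                    findings.extend((f"{path}!{n}", v, bad) for n, v, bad in nested)
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, version, bad in scan_tree(root):
        status = "VULNERABLE (< 1.3.3)" if bad else "ok"
        print(f"{status:22} {version:8} {name}")
```

Run it against the application server's deployment directory (for example the webapps folder); an application that repackages the library under a different artifact name, or shades it into its own jar, will not be matched by the filename check and needs a manual look at its WEB-INF/lib contents.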
How Can Ward Help?
For Managed Service customers, the Ward Support team will be reviewing individual environments and making recommendations on appropriate patching for all supported devices.
For all other customers, if you would like additional information or would like support in assessing and protecting your environment, please contact support@ward.ie or your account manager, as appropriate.
Further reading: