Cisco Security Advisory: Cisco Secure Desktop Cache Cleaner Command Execution Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Cisco Security Advisory: Cisco Secure Desktop Cache Cleaner Command Execution Vulnerability
- From: Cisco Systems Product Security Incident Response Team <psirt@xxxxxxxxx>
- Date: Wed, 15 Apr 2015 18:03:40 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Cisco Security Advisory: Cisco Secure Desktop Cache Cleaner Command Execution
Vulnerability
Advisory ID: cisco-sa-20150415-csd
Revision 1.0
For Public Release 2015 April 15 16:00 UTC (GMT)
+----------------------------------------------------------------------
Summary
=======
A vulnerability in a Cisco-signed Java Archive (JAR) executable Cache Cleaner
component of Cisco Secure Desktop could allow an unauthenticated, remote
attacker to execute arbitrary commands on the client host where the affected
.jar file is executed. Command execution would occur with the privileges of the
user.
The Cache Cleaner feature has been deprecated since November 2012.
There is no fixed software for this vulnerability. Cisco Secure Desktop
packages that include the affected .jar files have been removed and are no
longer available for download.
Because Cisco does not control all existing Cisco Secure Desktop packages,
customers are advised to ensure that their Java blacklist controls have been
updated to avoid potential exploitation. Refer to the "Workarounds"
section of this advisory for additional information on how to mitigate this
vulnerability.
Customers using Cisco Secure Desktop should migrate to the Cisco Host Scan
standalone package.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150415-csd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
-----END PGP SIGNATURE-----