[Full-disclosure] Cisco Security Advisory: Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products

[Cisco Systems Product Security Incident Response Team <psirt@xxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products

Advisory ID: cisco-sa-20131023-struts2

Revision 1.0

For Public Release 2013 October 23 16:00  UTC (GMT)
======================================================================

Summary
- -------

Multiple Cisco products include an implementation of Apache Struts 2 component 
that is affected by a remote command execution vulnerability. 

The vulnerability is due to insufficient sanitization of user-supplied input. 
An attacker could exploit this vulnerability by sending crafted requests 
consisting of Object-Graph Navigation Language (OGNL) expressions to an 
affected system. An exploit could allow the attacker to execute arbitrary code 
on the targeted system. 

Cisco has released free software updates that address this vulnerability for 
all the affected products except Cisco Business Edition 3000. Cisco Business 
Edition 3000 should contact their Cisco representative for available options.

Workarounds that mitigate this vulnerability are not available. This advisory 
is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAlJn58YACgkQUddfH3/BbTqtIAD8CazUZc6aTemD1bZtDxo/oi/W
W33zrOUz45kD8clR/7QA/julEKAMtCsAR7O2Q9zdsitg5kK/z9M2UBVVG/tWix3G
=sr+X
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/