Cisco Bug: CSCun31301 - MXE - Apache Struts 2 Command Execution Vulnerability - CVE-2010-1870

Last Modified

Aug 06, 2018

Products (1)

  • Cisco MXE 3000 Series (Media Experience Engines)

Known Affected Releases

3.2.0 3.2.1 3.3.0 3.3.1 3.3.2

Description (partial)

Symptom:
Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability
identified by Apache with Common Vulnerabilities and Exposures ID CVE-2010-1870.

The vulnerability is due to insufficient sanitization of user-supplied input in the XWork component of the affected software. The component uses
the ParameterInterceptors directive to parse the Object-Graph Navigation Language (OGNL) expressions that are implemented via a whitelist
feature. An attacker could exploit this vulnerability by sending crafted requests that contain OGNL expressions to an affected system. An exploit
could allow the attacker to execute arbitrary code on the targeted system.

Cisco has released free software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000 Series.
Customers using Cisco Business Edition 3000 Series should contact their Cisco representative for available options.

Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2

Conditions:
See published Cisco Security Advisory