Cisco swats dangerous Struts flaw, and two more critical bugs

Cisco has told customers it has updates available for some of its affected products that contain the Apache Struts library affected by the vulnerability disclosed last week.

The flaw in Apache Struts 2, CVE-2018-11776, could give an attacker remote code execution on an affected system using the software library, and was found to have been used to install an unwanted cryptocurrency miner shortly after it was disclosed.

The Struts flaw was remarkable because Struts was the software that attackers used in the breach at credit reporting bureau Equifax in 2017. Struts is a component commonly used in web applications.

Oracle earlier this week warned that some of its products included the affected Struts library, and now Cisco has warned that its products too are affected. 

Cisco has rated the Struts issue affecting several of its software products and devices as critical; however, it notes there are some contingencies, namely that there aren’t any known methods of exploiting the way Struts is implemented within Cisco’s products.

The only affected product with a patch available so far is the Cisco Identity Services Engine, while patches for Cisco Finesse and its Unified Contact Center Enterprise - Live Data server are scheduled for 7 September. In total 19 products are affected and most don’t have a scheduled delivery date. Cisco has also provided a list of products it’s confirmed aren’t vulnerable in the advisory.

Cisco has also released a patch for a critical flaw in the Cisco Umbrella API; however, users aren’t required to take any action to remediate the issue. Umbrella is Cisco’s security internet gateway in the cloud, based on technology from its purchase of OpenDNS and other security acquisitions.

The third critical update this month addresses a flaw in the web interface for managing several small business network devices, including its RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router.

The flaw could allow a remote attacker without valid credentials to cause a denial of service or execute malicious code. 

Cisco notes that the devices are only vulnerable if the Guest user of the web interface is enabled, and can be accessed via a local LAN connection or via a remote management feature, which is disabled by default. Guest user is also disabled by default. 

Cisco is only providing a fix for the Cisco RV130W Wireless-N Multifunction VPN Router. Businesses using the other two devices are on their own as Cisco has no intention of supplying fixes. Cisco stopped delivering software updates to the RV110W Wireless-N VPN Firewall in February 2017.

Cisco also released security updates to address 27 additional flaws affecting multiple products.    
