Cisco Releases Four Security Advisories To Address Vulnerabilities Affecting Cisco WebEx Recording Format Player, Cisco UCCX, CSA And CUCM

Cisco has released four security advisories (cisco-sa-20111026-webex, cisco-sa-20111026-uccx, cisco-sa-20111026-csa, and cisco-sa-20111026-cucm) to address vulnerabilities affecting the Cisco WebEx Recording Format (WRF) player, Cisco Unified Contact Center Express, Cisco Security Agent, and Cisco Unified Communications Manager, respectively. These vulnerabilities may allow an attacker to execute arbitrary code or obtain sensitive information.

US-CERT encourages users and administrators to review the following Cisco security advisories and apply any necessary updates to help mitigate the risks.

Buffer Overflow Vulnerabilities in the Cisco WebEx Player
This advisory is posted at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex

Cisco has released free software updates that address these vulnerabilities.

Summary:
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.

The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx meeting site. The players can also be manually installed for offline playback after downloading the application from www.webex.com.

If the WRF player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx meeting site. If the WRF player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com.

Cisco Unified Contact Center Express Directory Traversal Vulnerability
This advisory is posted at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-uccx

Cisco has released free software updates that address this vulnerability.

Summary:
Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) contain a directory traversal vulnerability that may allow a remote, unauthenticated attacker to retrieve arbitrary files from the filesystem.

Cisco Security Agent Remote Code Execution Vulnerabilities
This advisory is posted at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-csa

Cisco has released free software updates that address these vulnerabilities.

Summary:
Cisco Security Agent is affected by vulnerabilities that could allow an unauthenticated attacker to perform remote code execution on the affected device. These vulnerabilities are in a third-party library (Oracle Outside In) and are documented in CERT-CC Vulnerability Note VU#520721 at http://www.kb.cert.org/vuls/id/520721

Cisco Unified Communications Manager Directory Traversal Vulnerability
This advisory is posted at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-cucm

Cisco has released free software updates that address this vulnerability.

Summary:
Cisco Unified Communications Manager contains a directory traversal vulnerability that may allow an unauthenticated, remote attacker to retrieve arbitrary files from the filesystem.

Source: US-CERT
