Cisco has released software updates to patch a remotely exploitable vulnerability affecting the company’s UCS Director and Integrated Management Controller (IMC) Supervisor products.
Cisco UCS Director, a unified infrastructure management solution, and Cisco IMC Supervisor, a centralized management solution for C-series and E-series servers, are plagued by a flaw (CVE-2015-6259) that allows a remote, unauthenticated attacker to overwrite arbitrary files by sending specially crafted HTTP requests to the affected system. This can result in system instability or a denial-of-service (DoS) condition.
The vulnerability, found in JavaServer Pages (JSP) input validation routines, is caused by improper input sanitization on certain JSP pages, Cisco explained in an advisory.
Cisco IMC Supervisor running software versions prior to 220.127.116.11, and Cisco UCS Director running software versions prior to 18.104.22.168 are affected by the vulnerability.
The security hole has been assigned a CVSS score of 7.8, which puts it in the high severity category.
Cisco says the flaw has been discovered by its own security team, and there is no evidence that it has been exploited in the wild. Users are advised to apply the software updates released by Cisco to prevent potential incidents. The company has pointed out that no workaround is available.
Related Reading: Default SSH Keys Expose Cisco’s Virtual Security Appliances
Related Reading: Cisco Patches DoS Vulnerability in ASR Routers