Last week Cisco issued security updates for the following 2 network management systems:
- Cisco IMC Supervisor prior to software version 220.127.116.11
- Cisco UCS Director (formally known as Cloupia Unified Infrastructure Controller) prior to software version 18.104.22.168
The updates address a single security issue that could allow an unauthenticated remote attacker to overwrite key system files which would result in the systems becoming unstable and thus unable to perform their responsibilities. Such unavailability could be called a DoS (Denial of Service) attack (Denial of Service, defined). This issue is caused by the incorrect validation of input passed to JavaServer Pages (JSP) within the above management systems. An attacker could take advantage of this fact by sending specifically crafted HTTP requests to these network management systems.
No workarounds are available for this vulnerability but there are no known instances of this issue being publically exploited. Cisco discovered this flaw during internal testing.
How Can I Protect Myself From This Issue?
If your company makes use of either of the above network management systems from Cisco, please follow the directions within this Cisco security advisory to install the necessary security updates.