On September 5th a critical vulnerability affecting the Apache Struts 2 framework was made public with the release of an updated version 2.5.13.
There is already publicly available exploit code for metasploit circulating for this vulnerability (be careful if you use this code, we can’t vouch for its security and early release exploit code sometimes targets the user).
Impact of CVE-2017-9805 on Cisco Products (UPDATED Sep. 08)
In their analysis Cisco has confirmed that CUCM, CUPS and ISE are not affected by this vulnerability, unlike the March issue. There is a long list of products still being validated but the impact of this issue seems to be much less significant than the last Struts vulnerability.
Additionally, the Cisco ID cisco-sa-20170907-struts2 SEO advisory indicates that there are two other struts attacks though their impact may be less significant.
What can you do now?
Many of the critical systems that enterprises depend on are and will be affected by vulnerabilities. It’s complicated to ensure that all of these systems are patched, if patches are even made available by the vendor. In order to ensure the security of your systems, it’s critical that you isolate administrative interfaces from regular users. Just like you limit what ports and services can be access from the Internet to servers in your DMZ this same practice should be followed to separate users from server management interfaces. Administrative users should use VPN or other access control methods to ensure that only they can reach these sensitive interfaces. Following this practice allows an enterprise to ensure the security of services while limiting the scope of impact
While some UC servers and ISE services must be made available to end users the majority of them do not, only the user facing portion of ISE and the self-service features UC should need to be exposed. This greatly reduces the number of systems that will need to be immediately patched.
If you need help segregating and securing your environment please do not hesitate to contact our Services Team.
Ready to take your unified communications from headache to hassle-free?
No throwing darts at proposals or contracts. No battling through the back-end. No nonsense, no run-around.