Number: AV17-162
Date: 1 November 2017
Purpose
The purpose of this advisory is to bring attention to multiple Cisco security advisories.
Assessment
Cisco released multiple security updates to address vulnerabilities (rated medium to critical) in the following products:
- Cisco FXOS and NX-OS System Software Authentication, Authorization, and Accounting Denial of Service Vulnerability
- Cisco Wireless LAN Controller 802.11v Basic Service Set Transition Management Denial of Service Vulnerability
- Cisco Wireless LAN Controller Simple Network Management Protocol Memory Leak Denial of Service Vulnerability
- Cisco Identity Services Engine Privilege Escalation Vulnerability
- Cisco Firepower 4100 Series NGFW and Firepower 9300 Security Appliance Smart Licensing Command Injection Vulnerability
- Cisco Prime Collaboration Provisioning Authenticated SQL Injection Vulnerability
- Cisco Application Policy Infrastructure Controller Enterprise Module Unauthorized Access Vulnerability
- Cisco Aironet 1560, 2800, and 3800 Series Access Point Platforms Extensible Authentication Protocol Denial of Service Vulnerability
- Cisco Aironet 1560, 2800, and 3800 Series Access Point Platforms 802.11 Denial of Service Vulnerability
- Cisco Wireless LAN Controller Access Network Query Protocol Denial of Service Vulnerability
- Cisco Wireless LAN Controller CAPWAP Discovery Request Denial of Service Vulnerability
- Cisco WebEx Meetings Server Information Disclosure Vulnerability
- Cisco WebEx Meeting Center Cross-Site Scripting Vulnerability
- Cisco IOS Software for Cisco Aironet Access Points Information Disclosure Vulnerability
- Cisco UCS Manager, Cisco Firepower 4100 Series NGFW, and Cisco Firepower 9300 Security Appliance Command Injection Vulnerability
- Cisco Aironet 3800 Series Access Points Protected Management Frames User Denial of Service Vulnerability
- Cisco Aironet 1800, 2800, and 3800 Series Access Points MAC Authentication Bypass Vulnerability
- Cisco Expressway Series, Cisco TelePresence Video Communication Server, and Cisco TelePresence Conductor REST API Denial of Service Vulnerability
- Cisco Smart Install Protocol Misuse
- Cisco Integrated Management Controller Remote Code Execution Vulnerability
- Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II
- Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017
- Apache Struts 2 Remote Code Execution Vulnerability Affecting Multiple Cisco Products: September 2017
- Cisco NX-OS Software TCP Netstack Denial of Service Vulnerability
- Cisco Spark Hybrid Calendar Service Information Disclosure Vulnerability
- Cisco AMP for Endpoints Static Key Vulnerability
- Cisco Nexus Series Switches CLI Command Injection Vulnerability
CVE References: CVE-2017-3883, CVE-2017-12275, CVE-2017-12278, CVE-2017-12261, CVE-2017-12277, CVE-2017-12276, CVE-2017-12262, CVE-2017-12274, CVE-2017-12273, CVE-2017-12282, CVE-2017-12280, CVE-2017-12295, CVE-2017-12294, CVE-2017-12279, CVE-2017-12243, CVE-2017-12283, CVE-2017-12281, CVE-2017-12287, CVE-2017-6616, CVE-2017-13077, CVE-2017-13078, CVE-2017-9793, CVE-2017-9804, CVE-2017-12611, CVE-2015-0718, CVE-2017-12310, CVE-2017-12317, CVE-2017-6649.
Suggested Action
CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.
References:
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-aaavty
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-wlc2
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-wlc1
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-ise
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-fpwr
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-cpcp
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-apicem
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-aironet2
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-aironet1
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-wlc4
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-wlc3
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-webex2
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-webex1
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-iosap
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-arce
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-aironet4
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-aironet3
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-expressway-tp-vcs
- https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170419-cimc3
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-netstack
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171023-spark
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171020-ampfe
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-nss