Cisco Releases security updates

Number: AV16-208
Date: 24 December 2016

Purpose

The purpose of this advisory is to bring attention to multiple Cisco security advisories.

Assessment

Cisco released multiple security updates to address vulnerabilities (critical to medium) in the following products.

Cisco IOS XE Software Directory Traversal Vulnerability
Cisco ASA Input Validation File Injection Vulnerability
Cisco ASR 5000 Series ipsecmgr Service Denial of Service Vulnerability
Cisco Email Security Appliance MIME Header Processing Filter Bypass Vulnerability
Cisco Firepower System Software FTP Malware Vulnerability
Cisco Unified Communications Manager Web Interface Cross-Site Scripting Vulnerability
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016
Cisco AnyConnect Secure Mobility Client Local Privilege Escalation Vulnerability
Cisco ASR 5000 Series IPv6 Packet Processing Denial of Service Vulnerability
Cisco ASR 5000 Series IKEv2 Denial of Service Vulnerability
Cisco Security Appliances AsyncOS Software Update Server Certificate Validation Vulnerability
Cisco IOx Application-Hosting Framework Directory Traversal Vulnerability
Cisco Emergency Responder Cross-Site Request Forgery Vulnerability
Cisco Emergency Responder Directory Traversal Vulnerability
Cisco ONS 15454 Series Multiservice Provisioning Platforms TCP Port Management Denial of Service Vulnerability
Cisco Unified Communications Manager Administration Page Cross-Site Scripting Vulnerability
Cisco Unified Communications Manager Unified Reporting Upload Tool Directory Traversal Vulnerability
Cisco Email Security Appliance SMTP Cross-Site Scripting Vulnerability
Cisco FireAMP Connector Endpoint Software Denial of Service Vulnerability
Cisco Firepower Management Center and Cisco FireSIGHT System Software Malicious Software Detection Bypass Vulnerability
Cisco FirePOWER Malware Protection Bypass Vulnerability
Cisco Hybrid Media Service Privilege Escalation Vulnerability
Cisco Intercloud Fabric Director Static Credentials Vulnerability
Cisco IOS Frame Forwarding Denial of Service Vulnerability
Cisco IOS and IOS XE Software SSH X.509 Authentication Bypass Vulnerability
Cisco IOS XR Software HTTP 2.0 Request Handling Event Service Daemon Denial of Service Vulnerability
Cisco IOS and Cisco IOS XE Software Zone-Based Firewall Feature Bypass Vulnerability
Cisco IOS XR Software Default Credentials Vulnerability
Cisco Identity Services Engine Active Directory Integration Component Denial of Service Vulnerability
Cisco Identity Services Engine Cross-Site Scripting Vulnerability
Cisco Prime Collaboration Assurance Cross-Site Scripting Vulnerability
Cisco Unified Communications Manager IM and Presence Service Information Disclosure Vulnerability
Cisco Firepower Management Center Information Disclosure Vulnerability
Cisco Web Security Appliance HTTP URL Denial of Service Vulnerability
Cisco Web Security Appliance Drop Decrypt Policy Bypass Vulnerability
Cisco IOS Software and IOS XE Software Internet Key Exchange Version 2 Denial of Service Vulnerabilities
Vulnerability in Linux Kernel Affecting Cisco Products: October 2016
Cisco Email Security Appliance Content Filter Bypass Vulnerability
Cisco IOS and IOS XE Software IPv6 First Hop Security Denial of Service Vulnerabilities
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
Cisco Expressway Series Software Security Bypass Vulnerability
Cisco Intercloud Fabric Database Static Credentials Vulnerability
Cisco Jabber Guest Server HTTP URL Redirection Vulnerability
Cisco CloudCenter Orchestrator Docker Engine Privilege Escalation Vulnerability

CVE References:
Critical Impact CVE: CVE-2016-9223
High Impact CVEs: CVE-2015-0642, CVE-2015-0643, CVE-2015-6278, CVE-2015-6279
Medium Impact CVEs: CVE-2016-6450, CVE-2016-6461, CVE-2016-6466, CVE-2016-6462, CVE-2016-6463, CVE-2016-6460, CVE-2016-6472, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-7052, CVE-2016-7053, CVE-2016-7054, CVE-2016-7055, CVE-2016-9192, CVE-2016-6467, CVE-2016-9203, CVE-2016-1411, CVE-2016-9199, CVE-2016-6468, CVE-2016-9208, CVE-2016-9211, CVE-2016-9206, CVE-2016-9210, CVE-2016-9202, CVE-2016-6449, CVE-2016-9193, CVE-2016-9209, CVE-2016-6470, CVE-2016-9204, CVE-2016-6473, CVE-2016-6474, CVE-2016-9205, CVE-2016-9201, CVE-2016-9215, CVE-2016-9198, CVE-2016-9214, CVE-2016-9200, CVE-2016-6464, CVE-2016-6471, CVE-2016-6469, CVE-2016-9212, CVE-2016-5195, CVE-2016-6465, CVE-2015-8138, CVE-2016-7426, CVE-2016-7427, CVE-2016-9207, CVE-2016-9217, CVE-2016-9224

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

References

Language selection

Search

Purpose

Assessment

Suggested action

References

Note to readers

Cisco Releases security updates

Purpose

Assessment

Suggested action

References