
T-614: Cisco Unified Communications Manager Database Security Vulnerability

May 3, 2011 - 7:37am


PROBLEM:

Cisco Unified Communications Manager contains a vulnerability that could allow an authenticated, remote attacker to inject arbitrary SQL code on a targeted system.

PLATFORM:

Cisco Unified Communications Manager versions prior to 8.5(1), 8.0(3), 7.1(5)su1, and 6.1(5)su2 are vulnerable.

ABSTRACT:

The vulnerability is due to unspecified errors in the affected software that allow SQL injection. An authenticated, remote attacker could inject arbitrary SQL code on the system and use it to take unauthorized actions against the application's data.

REFERENCE LINKS:

IntelliShield ID: 22977
Advisory ID: cisco-sa-20110427-cucm
CVE-2011-1609
Cisco Advisory Alerts

IMPACT ASSESSMENT:

High

Discussion:

The vulnerability is due to unspecified errors in the vulnerable software that allow attacker-supplied input to become part of a SQL statement, altering the logic of the query the application intended to run.
An authenticated, remote attacker could exploit this vulnerability to inject arbitrary SQL code on the targeted system and then read and modify arbitrary data in the application database.
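The mechanism described above, as an added illustration for this bulletin: it is not Cisco code and does not describe where the flaw in Cisco Unified Communications Manager actually sits (the Cisco advisory gives no detail). It shows a hypothetical user-lookup query built by string concatenation next to its parameterized form, run against a constructed in-memory SQLite table that stands in for the application database. Table, column and user names are all made up.

```python
"""How SQL injection alters query logic, and the parameterized fix.

Added example for this bulletin. This is NOT Cisco Unified Communications
Manager code; the table, columns and sample rows are constructed, and SQLite
merely stands in for whatever database the real application uses.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a constructed sample table of users, their roles and a secret PIN."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT, pin TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "admin", "1234"), ("bob", "enduser", "5678"), ("carol", "enduser", "9012")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Hypothetical vulnerable lookup: the untrusted value is spliced into the
    SQL text, so a quote character in it ends the literal and whatever follows
    is parsed as SQL. Only username and role are meant to be returned."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter: the driver passes the value as data,
    so quotes, OR clauses and UNIONs inside it never reach the SQL parser."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Inputs an authenticated, low-privilege user might submit in place of a
# plain username (constructed for this example).
BENIGN = "bob"
# Closes the literal and appends an always-true predicate: the WHERE clause
# stops filtering and every row comes back.
TAUTOLOGY = "bob' OR '1'='1"
# Closes the literal and UNIONs in a second SELECT with the same column count,
# so the PIN column the query never meant to expose is returned in the role slot.
UNION_READ = "x' UNION SELECT username, pin FROM users WHERE '1'='1"


def demo() -> dict:
    """Run both lookups against each input and return the results by label."""
    conn = build_db()
    return {
        "vulnerable/benign": lookup_vulnerable(conn, BENIGN),
        "vulnerable/tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable/union": lookup_vulnerable(conn, UNION_READ),
        "hardened/tautology": lookup_hardened(conn, TAUTOLOGY),
        "hardened/union": lookup_hardened(conn, UNION_READ),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22s} -> {rows}")
```

The hardened variant returns nothing for the hostile strings because no user is literally named `bob' OR '1'='1`; that empty result, rather than a full table dump, is the behaviour a fix for a SQL injection flaw should produce. Escaping quotes by hand is a weaker substitute, since it has to be repeated correctly at every query site.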

Impact:

An authenticated, remote attacker could exploit this vulnerability to inject arbitrary SQL code on the system, which could allow the attacker to read and modify arbitrary data.

Solution:

Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to allow only privileged users to access administration or management systems.
Administrators are advised to monitor affected systems.
Cisco customers with active contracts can obtain updates through the Software Center at the following link:
Cisco Software Download

