STE WILLIAMS

Borg bitten by Java deserialisation bug, working on patch

November’s high-profile Java deserialisation bug has bitten Cisco, with the company announcing vulnerabilities across the board in its huge product line.

The problem is so pervasive that it reaches into the most trivial activities of the sysadmin, such as serial number assessment services.

The original advisory made by FoxGlove Security focussed on the Apache Commons Collections (ACC) library, but a few days ago, SourceClear warned that it appeared in a lot more libraries than originally believed.

Cisco agrees: in its advisory, it notes that “Any application or application framework could be vulnerable if it uses the ACC library and deserializes arbitrary, user-supplied Java serialized data”.
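As an added illustration (not code from the article, Cisco or the ACC project), the condition Cisco describes and its usual mitigation side by side in Java: a plain ObjectInputStream that loads whatever class the untrusted bytes name, beside one that overrides resolveClass to accept only an explicit allow-list of classes. The class name, the allow-list contents and the HashMap sample input are assumptions constructed for the example.

```java
import java.io.*;
import java.util.Set;

/** ObjectInputStream that deserialises only classes on an explicit allow-list. */
public class AllowListObjectInputStream extends ObjectInputStream {
    // Assumption: these are the only types this hypothetical application expects from the wire.
    private static final Set<String> ALLOWED =
        Set.of("java.lang.String", "java.lang.Integer", "java.util.ArrayList");

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // Runs before the class is loaded and before any readObject() executes, so a gadget class
        // from a library such as Apache Commons Collections is refused instead of instantiated.
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not on deserialisation allow-list");
        }
        return super.resolveClass(desc);
    }
    // Vulnerable pattern: a plain ObjectInputStream loads whatever class the untrusted bytes name.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: identical call, but classes outside the allow-list are rejected.
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample input: a serialised java.util.HashMap, deliberately absent from the allow-list.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new java.util.HashMap<String, String>());
        }
        byte[] data = bos.toByteArray();
        System.out.println("unsafe: loaded " + unsafeRead(data).getClass().getName());
        try {
            safeRead(data);
        } catch (InvalidClassException e) {
            System.out.println("safe: rejected " + e.classname);
        }
    }
}
```

On Java 9 and later the same restriction can be expressed with the platform's own java.io.ObjectInputFilter (ObjectInputStream.setObjectInputFilter) rather than a subclass; the allow-list, not the mechanism, is what removes the ACC gadget chain from reach.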

Under investigation are products in its collaboration software, endpoint client software, network acceleration, network content and security, network management and provisioning, switching and routing (including various versions of IOS), unified computing, unified communications, video, telepresence and wireless products.

Cisco’s cloud services are also getting the hard eye to see if the ACC bug affects them.

We’ve included below Cisco’s table of products so far confirmed vulnerable.

The Borg says it is now working on software updates. ®

Vulnerable products so far


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/10/cisco_java_deserialisation_bug/
