Описание
Уязвимость класса DiskFileItem библиотеки Apache Commons FileUpload связана с недостатками механизма десериализации. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольный код или осуществить манипулирование файлами в целевой системе с помощью специально сформированных данных
Вендор
Apache Software Foundation
Cisco Systems Inc.
Oracle Corp.
Наименование ПО
Struts
Commons FileUpload
Cisco SocialMiner
WebEx Meetings Server
Cisco Webex Management
Cisco Identity Services Engine
Cisco Secure Access Control System
Prime Collaboration Provisioning
Prime Infrastructure
Cisco Prime License Manager
Cisco Prime Network Registrar IP Address Manager
Cisco Prime Network
Cisco Prime Service Catalog
Cisco IOx Fog Director
IoT Field Network Director
Cisco Emergency Responder
Enterprise Chat and Email
Cisco Finesse
Cisco Hosted Collaboration Mediation Fulfillment
Cisco Hosted Collaboration Solution for Contact Center
Cisco MediaSense
Unified Communications Manager IM and Presence Service
Cisco Unified Communications Manager
Cisco Unified Contact Center Enterprise
Cisco Unified Contact Center Express
Cisco Unified E-Mail Interaction Manager
Unified Intelligence Center
Cisco Unified Intelligent Contact Management Enterprise
Cisco Unified Web Interaction Manager
Unity Connection
Cisco Virtualized Voice Browser
Cisco Video Distribution Suite for Internet Streaming
Cisco Mobility Services Engine
Cisco Universal Small Cell RAN Management System
Cisco Prime Network Change and Configuration Management
Cisco Smart Connected Spaces
Cisco Smart Net Total Care
Cisco Webex Centers
Cisco Webex Meetings
Cisco IOS
Enterprise Manager Base Platform
Enterprise Data Quality
Версия ПО
до 2.3.36 включительно (Struts)
до 1.3.2 включительно (Commons FileUpload)
11.6(1) (Cisco SocialMiner)
2.8.3.0 (WebEx Meetings Server)
- (Cisco Webex Management)
2.1(0.474) (Cisco Identity Services Engine)
2.2(0.470) (Cisco Identity Services Engine)
2.3(0.298) (Cisco Identity Services Engine)
2.4(0.357) (Cisco Identity Services Engine)
5.8(0.32.10) (Cisco Secure Access Control System)
12.6 (Prime Collaboration Provisioning)
3.4 (Prime Infrastructure)
10.5(2) (Cisco Prime License Manager)
11.5.1 (Cisco Prime License Manager)
8.3 (Cisco Prime Network Registrar IP Address Manager)
5.2 (Cisco Prime Network)
12.1 (Cisco Prime Service Catalog)
FD-1.8.0 (Cisco IOx Fog Director)
4.4(0.36) (IoT Field Network Director)
10.5(3.13001.1) (Cisco Emergency Responder)
11.0(4.9) (Cisco Emergency Responder)
11.5(4.98300.8) (Cisco Emergency Responder)
12.0(1.91000.7) (Cisco Emergency Responder)
12.0(1) (Enterprise Chat and Email)
11.6(1) (Cisco Finesse)
11.5(3) (Cisco Hosted Collaboration Mediation Fulfillment)
11.0(1) (Cisco Hosted Collaboration Solution for Contact Center)
11.5(1) (Cisco Hosted Collaboration Solution for Contact Center)
11.6(1) (Cisco Hosted Collaboration Solution for Contact Center)
11.5(1) (Cisco MediaSense)
10.5(2) (Unified Communications Manager IM and Presence Service)
11.5(1) (Unified Communications Manager IM and Presence Service)
12.5(1) (Unified Communications Manager IM and Presence Service)
10.5(2.10000.5) (Cisco Unified Communications Manager)
11.5(1.10000.6) (Cisco Unified Communications Manager)
12.0(1.10000.10) (Cisco Unified Communications Manager)
11.0(3) (Cisco Unified Contact Center Enterprise)
11.5(1) (Cisco Unified Contact Center Enterprise)
11.6(1) (Cisco Unified Contact Center Enterprise)
11.6(1) (Cisco Unified Contact Center Express)
11.5(1) (Cisco Unified E-Mail Interaction Manager)
11.6(1) (Unified Intelligence Center)
11.0(3) (Cisco Unified Intelligent Contact Management Enterprise)
11.5(1) (Cisco Unified Intelligent Contact Management Enterprise)
11.6(1) (Cisco Unified Intelligent Contact Management Enterprise)
11.5(1) (Cisco Unified Web Interaction Manager)
10.5(2) (Unity Connection)
11.5 (Unity Connection)
12.0 (Unity Connection)
11.6(1) (Cisco Virtualized Voice Browser)
4.4(2) (Cisco Video Distribution Suite for Internet Streaming)
8.0(150) (Cisco Mobility Services Engine)
5.2.0.HF2 (Cisco Universal Small Cell RAN Management System)
3.6 (Cisco Prime Network Change and Configuration Management)
- (Cisco Smart Connected Spaces)
4.0 (Cisco Smart Net Total Care)
T33.0 (Cisco Webex Centers)
1.3.18.1 (Cisco Webex Meetings)
FD-1.8.0 (Cisco IOS)
13.3.0.0 (Enterprise Manager Base Platform)
13.4.0.0 (Enterprise Manager Base Platform)
11.1.1.9.0 (Enterprise Data Quality)
Тип ПО
Прикладное ПО информационных систем
Сетевое программное средство
Сетевое средство
ПО сетевого программно-аппаратного средства
Операционная система
Операционные системы и аппаратные платформы
-
Уровень опасности уязвимости
Критический уровень опасности (базовая оценка CVSS 2.0 составляет 10)
Критический уровень опасности (базовая оценка CVSS 3.0 составляет 9,8)
Возможные меры по устранению уязвимости
Использование рекомендаций:
Для Apache Commons FileUpload:
https://lists.apache.org/thread.html/d66657323fd25e437face5e84899c8ca404ccd187e81c3f2fa8b6080@%3Cannounce.apache.org%3E
Для программных продуктов Oracle Corp.:
https://www.oracle.com/security-alerts/cpujan2021.html
Для программных продуктов Cisco Systems Inc.:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload
Статус уязвимости
Подтверждена производителем
Наличие эксплойта
Данные уточняются
Информация об устранении
Уязвимость устранена
Ссылки на источники
Идентификаторы других систем описаний уязвимостей
- CVE
EPSS
Процентиль: 95%
0.19361
Средний
9.8 Critical
CVSS3
10 Critical
CVSS2
Связанные уязвимости
CVSS3: 9.8
ubuntu
больше 9 лет назад
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
CVSS3: 7.3
redhat
почти 10 лет назад
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
CVSS3: 9.8
nvd
больше 9 лет назад
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
CVSS3: 9.8
debian
больше 9 лет назад
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation ...
EPSS
Процентиль: 95%
0.19361
Средний
9.8 Critical
CVSS3
10 Critical
CVSS2