AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C
-
Apache Tomcat is the servlet container for Java Servlet and JavaServer Pages web technologies within the Cisco Wireless Control System (WCS). A vulnerability exists in the mod_jk.so URI handler within Apache Tomcat which, if exploited, may result in remote code execution.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080130-wcs.
-
This section provides details on affected products.
Vulnerable Products
Cisco WCS devices running software 3.x and 4.0.x prior to 4.0.100.0 are affected by this vulnerability. Cisco WCS devices running software 4.1.x and 4.2.x prior to version 4.2.62.0 are also vulnerable.
Note: The version of WCS software installed on a particular device can be found via the WCS HTTP management interface. Select Help -> About the Software to obtain the software version.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
The Cisco Wireless Control System is a centralized, systems-level platform for managing and controlling lightweight access points, wireless LAN controllers, and Wireless Location Appliances for the Cisco Unified Wireless Network. The Cisco Wireless Control System uses Apache Tomcat. A vulnerability in Apache Tomcat may allow for remote code execution attacks. The mod_jk.so URI handler does not handle long URLs correctly. An insecure memory copy triggers an exploitable stack overflow. This vulnerability is documented in CVE-2007-0774 and in Cisco bug ID CSCsk18191 (registered customers only).
-
The following workarounds can be implemented.
Transit ACLs (tACL)
Filters that deny HTTPS packets using TCP port 443 should be deployed throughout the network as part of a tACL policy for protection of traffic which enters the network at ingress access points. This policy should be configured to protect the network device where the filter is applied and other devices behind it. Filters for HTTPS packets using TCP port 443 should also be deployed in front of vulnerable network devices so that traffic is only allowed from trusted clients.
Additional information about tACLs is available in "Transit Access Control Lists: Filtering at Your Edge":
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
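The tACL policy described above, as an added Cisco IOS example that is not part of the advisory: it permits HTTPS (TCP 443) to the WCS host only from trusted management clients and drops all other HTTPS traffic to it. The addresses 192.0.2.0/24 (trusted management network) and 198.51.100.5 (WCS server), the ACL name, and the interface are assumed placeholders.

```ios
! Transit ACL applied at the network ingress in front of the WCS host.
! 192.0.2.0/24 = assumed trusted management network; 198.51.100.5 = assumed WCS server.
ip access-list extended tACL-WCS-Policy
 remark Allow HTTPS to WCS only from trusted management clients
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.5 eq 443
 remark Drop and log every other HTTPS attempt against WCS
 deny   tcp any host 198.51.100.5 eq 443 log
 remark Existing transit policy for all other traffic continues below
 permit ip any any
!
! Apply inbound on the ingress interface that carries untrusted traffic.
interface GigabitEthernet0/0
 ip access-group tACL-WCS-Policy in
```

Replace the trailing permit ip any any with the site's existing transit policy; the deny entry's log keyword provides a record of blocked HTTPS attempts for monitoring.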
Additional Mitigation Techniques
Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory:
-
Each row of the following software table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix are shown in the "First Fixed Release" column. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

Affected Releases                                   First Fixed Releases
WCS for Linux and Windows 4.0.x and earlier         4.0.100.0
WCS for Linux and Windows 4.1.91.0 and earlier      4.2.62.0
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory, and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
-
The Cisco PSIRT is aware of the availability of proof-of-concept exploits.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1
2008-April-25
Updated CVSS link for CSCsk18191.
Revision 1.0
2008-January-30
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.