Summary
The Computer Security Incident Response Team of the Government of Chile, CSIRT de Gobierno, shares information about Cisco products affected by the vulnerability known as Spring4Shell.
This report includes the mitigation measures, which consist of installing the latest update for the affected products.
Vulnerability
CVE-2022-22965
Impact
CVE-2022-22965: Known as Spring4Shell, this critical vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to improper input validation. Successful exploitation of this vulnerability can result in full compromise of a vulnerable system.
Affected products
Products confirmed by Cisco as affected as of the time of writing:
Cisco Crosswork Optimization Engine
Cisco Crosswork Zero Touch Provisioning (ZTP)
Cisco Edge Intelligence
Products under investigation by Cisco (the company will update the list below as it confirms or rules out that the following products are affected by Spring4Shell):
Cisco Application-Oriented Networking Healthcare Services Extensions
Cisco Continuous Deployment and Automation Framework
Cisco Ultra Cloud Core – Network Repository Function
Cisco Ultra Cloud Core – User Plane Function
Cisco CX Cloud Agent Software
Cisco Extensible Network Controller (XNC)
Cisco Network Insights for Data Center
Cisco Nexus Dashboard Data Broker, formerly Cisco Nexus Data Broker
Cisco Nexus Insights
Cisco Wide Area Application Services (WAAS)
Cisco Adaptive Security Appliance (ASA)
Cisco Firepower Management Center (FMC)
Cisco Firepower System Software
Cisco Security Manager
Cisco Automated Subsea Tuning
Cisco CloudCenter Action Orchestrator
Cisco CloudCenter Workload Manager
Cisco Collaboration Audit and Assessments
Cisco Common Services Platform Collector (CSPC)
Cisco Connected Mobile Experiences
Cisco Connected Pharma
Cisco Crosswork Change Automation
Cisco Crosswork Data Gateway
Cisco Crosswork Network Automation
Cisco Crosswork Network Controller
Cisco Crosswork Situation Manager
Cisco DNA Assurance
Cisco Data Center Network Manager (DCNM)
Cisco Evolved Programmable Network Manager
Cisco Intelligent Node (iNode) Manager
Cisco IoT Field Network Director
Cisco Network Change and Configuration Management
Cisco Nexus Dashboard, formerly Cisco Application Services Engine
Cisco Optical Network Planner
Cisco Shelf Virtualization Orchestrator (SVO)
Cisco Smart PHY
Cisco Smart Software Manager
Cisco Virtual Topology System – Virtual Topology Controller (VTC) VM
Cisco WAN Automation Engine (WAE)
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM)
Cisco DNA Center
Cisco IOx Fog Director
Cisco Mobility Unified Reporting and Analytics System
Cisco Network Assurance Engine
Cisco Network Convergence System 2000 Series
Cisco ONS 15454 Series Multiservice Provisioning Platforms
Cisco Optical Network Controller
Cisco SD-WAN Cloud OnRamp for Co-Location
Cisco SD-WAN vManage
Cisco Ultra Cloud Core – Access and Mobility Management Function
Cisco Ultra Cloud Core – Policy Control Function
Cisco Ultra Cloud Core – Session Management Function
Cisco Ultra Services Platform
Cisco Business Dashboard
Cisco HyperFlex HX Data Platform
Cisco BroadCloud for Carriers
Cisco BroadWorks
Cisco Cloud Connect
Cisco Emergency Responder
Cisco Enterprise Chat and Email
Cisco Unified Customer Voice Portal
Cisco Unified Intelligence Center
Cisco Unity Connection
Cisco Virtualized Voice Browser
Cisco Webex Board, formerly Cisco Spark Board
Cisco Meeting Server
Cisco Video Surveillance Operations Manager
Cisco Vision Dynamic Signage Director
Cisco Cloud Hosted Services
Cisco BroadCloud
Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC)
Cisco Cloud Email Security
Cisco Cognitive Intelligence
Cisco DNA Center Cloud
Cisco Intersight
Cisco IoT Control Center
Cisco Managed Services Accelerator (MSX)
Cisco Registered Envelope Service
Cisco Smart Collector – Lifecycle Management
Cisco Umbrella
Cisco Webex Centers – Meeting Center, Training Center, Event Center, Support Center
Cisco Webex Events
Cisco Webex Meeting Server – Multimedia Platform
Cisco Webex Meetings
Mitigation
Install the respective updates provided by the vendor as they become available.
Links
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963
Report
The official report published by the CSIRT of the Government of Chile is available at the following link: 9VSA22-00609-01