5 April 2022

9VSA22-00609-01 CSIRT shares Cisco information on the Spring4Shell vulnerability

Summary

The Computer Security Incident Response Team of the Government of Chile, CSIRT de Gobierno, shares information on Cisco products affected by the vulnerability known as Spring4Shell.

This report includes the mitigation measures, which consist of installing the latest update for the affected products.

Vulnerability

CVE-2022-22965

Impact

CVE-2022-22965: Known as Spring4Shell, this critical vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to improper input validation. Successful exploitation of this vulnerability may result in complete compromise of a vulnerable system.

Affected products

Products confirmed by Cisco as affected at the time this document was written:

Cisco Crosswork Optimization Engine
Cisco Crosswork Zero Touch Provisioning (ZTP)
Cisco Edge Intelligence

Products under investigation by Cisco (the company will update the list below as it confirms or rules out that the following products are affected by Spring4Shell):

Cisco Application-Oriented Networking Healthcare Services Extensions
Cisco Continuous Deployment and Automation Framework
Cisco Ultra Cloud Core – Network Repository Function
Cisco Ultra Cloud Core – User Plane Function
Cisco CX Cloud Agent Software
Cisco Extensible Network Controller (XNC)
Cisco Network Insights for Data Center
Cisco Nexus Dashboard Data Broker, formerly Cisco Nexus Data Broker
Cisco Nexus Insights
Cisco Wide Area Application Services (WAAS)
Cisco Adaptive Security Appliance (ASA)
Cisco Firepower Management Center (FMC)
Cisco Firepower System Software
Cisco Security Manager
Cisco Automated Subsea Tuning
Cisco CloudCenter Action Orchestrator
Cisco CloudCenter Workload Manager
Cisco Collaboration Audit and Assessments
Cisco Common Services Platform Collector (CSPC)
Cisco Connected Mobile Experiences
Cisco Connected Pharma
Cisco Crosswork Change Automation
Cisco Crosswork Data Gateway
Cisco Crosswork Network Automation
Cisco Crosswork Network Controller
Cisco Crosswork Situation Manager
Cisco DNA Assurance
Cisco Data Center Network Manager (DCNM)
Cisco Evolved Programmable Network Manager
Cisco Intelligent Node (iNode) Manager
Cisco IoT Field Network Director
Cisco Network Change and Configuration Management
Cisco Nexus Dashboard, formerly Cisco Application Services Engine
Cisco Optical Network Planner
Cisco Shelf Virtualization Orchestrator (SVO)
Cisco Smart PHY
Cisco Smart Software Manager
Cisco Virtual Topology System – Virtual Topology Controller (VTC) VM
Cisco WAN Automation Engine (WAE)
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM)
Cisco DNA Center
Cisco IOx Fog Director
Cisco Mobility Unified Reporting and Analytics System
Cisco Network Assurance Engine
Cisco Network Convergence System 2000 Series
Cisco ONS 15454 Series Multiservice Provisioning Platforms
Cisco Optical Network Controller
Cisco SD-WAN Cloud OnRamp for Co-Location
Cisco SD-WAN vManage
Cisco Ultra Cloud Core – Access and Mobility Management Function
Cisco Ultra Cloud Core – Policy Control Function
Cisco Ultra Cloud Core – Session Management Function
Cisco Ultra Services Platform
Cisco Business Dashboard
Cisco HyperFlex HX Data Platform
Cisco BroadCloud for Carriers
Cisco BroadWorks
Cisco Cloud Connect
Cisco Emergency Responder
Cisco Enterprise Chat and Email
Cisco Unified Customer Voice Portal
Cisco Unified Intelligence Center
Cisco Unity Connection
Cisco Virtualized Voice Browser
Cisco Webex Board, formerly Cisco Spark Board
Cisco Meeting Server
Cisco Video Surveillance Operations Manager
Cisco Vision Dynamic Signage Director
Cisco Cloud Hosted Services
Cisco BroadCloud
Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC)
Cisco Cloud Email Security
Cisco Cognitive Intelligence
Cisco DNA Center Cloud
Cisco Intersight
Cisco IoT Control Center
Cisco Managed Services Accelerator (MSX)
Cisco Registered Envelope Service
Cisco Smart Collector – Lifecycle Management
Cisco Umbrella
Cisco Webex Centers – Meeting Center, Training Center, Event Center, Support Center
Cisco Webex Events
Cisco Webex Meeting Server – Multimedia Platform
Cisco Webex Meetings

Mitigation

Install the respective updates provided by the vendor as they become available.

Links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963

Report

The official report published by the CSIRT of the Government of Chile is available at the following link: 9VSA22-00609-01