In November this year, a security outfit called Foxglove Security advised that a part of Java (the Apache Commons Collections library, ACC) had some serious issues. This has now blown up into an array of apparent issues with many more libraries.
What does this mean? The problem is that the vulnerable code is spread so widely across the Java ecosystem that, according to Cisco's advisory, 'Any application or application framework could be vulnerable if it uses the ACC library and deserializes arbitrary, user-supplied Java serialized data'.
How does this impact you? Since there is Java code embedded in pretty much every Cisco system, for management and so on, vulnerable products across many code releases are being identified by the hour.
You can read the high rated advisory from The Borg here.
The bad news is that there are currently no patches available (but you can expect them very soon, probably in time for Christmas) and a vast swathe of products can be hit.
The Cisco advisory claims that there are 'no workarounds that mitigate this vulnerability', so this is a big deal. At ITC we will be investigating whether turning off web/browser management on Internet-connected devices might be a good idea and will advise our NetSure360° customers of the results of our research as soon as possible.
We have not seen or heard of any attacks in the wild but as these develop, as they most certainly will, we will also look at building a use case for NetSure360° to alert on.
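As an illustration of what such an alerting use case might look like (this is an added example written for this post, not NetSure360° code or anything from Cisco or Foxglove), the script below scans constructed request bodies for the fingerprint of a Java serialized object. The condition quoted from Cisco's advisory is "deserializes arbitrary, user-supplied Java serialized data", and every Java serialization stream starts with the same four magic bytes, so finding that header in a place where a Java object should never arrive from a user (a form field, cookie or base64 blob) is a cheap, high-signal alert; an Apache Commons Collections package name inside the same stream raises the severity. The sample requests and the `classify`/`scan_requests` function names are assumptions made for the example.

```python
"""Flag Java serialized objects in user-supplied request bodies (added example)."""
import base64
import re

# Every Java serialization stream begins with STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION (0x0005). In base64 this header shows up as the prefix "rO0AB".
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Package prefix of the Apache Commons Collections library named in the advisory.
ACC_PACKAGE = b"org.apache.commons.collections"

_BASE64_SHAPE = re.compile(rb"[A-Za-z0-9+/=\r\n]+")


def _decode_candidates(raw: bytes):
    """Yield the raw body and, if it looks like base64, its decoded form."""
    yield raw
    stripped = raw.strip()
    if stripped and _BASE64_SHAPE.fullmatch(stripped):
        try:
            yield base64.b64decode(stripped)
        except ValueError:
            # Not valid base64 after all (bad padding etc.); nothing more to try.
            pass


def classify(body: bytes) -> str:
    """Return 'none', 'java-serialized' or 'java-serialized-acc' for one body."""
    for candidate in _decode_candidates(body):
        if JAVA_STREAM_MAGIC in candidate:
            if ACC_PACKAGE in candidate:
                return "java-serialized-acc"
            return "java-serialized"
    return "none"


# Constructed sample traffic (assumed shapes, not captured data): a normal form
# post, a raw serialized HashMap, and a base64 blob carrying an ACC class name.
ACC_B64_SAMPLE = base64.b64encode(
    JAVA_STREAM_MAGIC + b"sr\x00*org.apache.commons.collections.map.LazyMap"
)
SAMPLE_REQUESTS = {
    "req-1": b"user=alice&lang=en",
    "req-2": JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashMap",
    "req-3": ACC_B64_SAMPLE,
}


def scan_requests(requests: dict) -> dict:
    """Map request id -> verdict for every body that should raise an alert."""
    alerts = {}
    for request_id, body in requests.items():
        verdict = classify(body)
        if verdict != "none":
            alerts[request_id] = verdict
    return alerts


if __name__ == "__main__":
    for request_id, verdict in scan_requests(SAMPLE_REQUESTS).items():
        print(f"ALERT {request_id}: {verdict}")
```

The two-tier verdict is deliberate: the magic bytes alone tell you a Java object is arriving over a channel where one is not expected, which is worth investigating regardless of which gadget library is on the classpath, while the ACC package name narrows the alert to the specific issue Cisco describes. On a real sensor the same check would be applied to decoded cookie and parameter values, not only whole bodies.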
The extra bad news is that we are fairly certain this will affect loads more products running Java, so keep reading advisories from your vendors, or be proactive and ask them.
If you would like to discuss this sorry state of affairs with one of our engineering team (currently looking for the service revolver to put to the temple), please contact us on: 020 7517 3900 or email us at: [email protected]