Cisco SD-WAN Software Privilege Escalation Vulnerability

Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases
Customers are advised to upgrade to an appropriate fixed software release as indicated in the following table(s):

| Cisco SD-WAN Software Release | First Fixed Release |
|---|---|
| 18.4 and earlier | Not vulnerable |
| 19.2 | Not vulnerable |
| 20.1 | Not vulnerable |
| 20.3 | Not vulnerable |
| 20.4 | 20.4.2 |
| 20.5 | 20.5.1 |

Cisco Integrated Management Controller Open Redirect Vulnerability

For information about fixed software releases, consult the Cisco bug ID(s) at the top of this advisory.

Fixed Releases
At the time of publication, Cisco IMC Software releases 3.2(12.4) contained the fix for this vulnerability.
At the time of publication, Cisco had not released updates that address this vulnerability for the following Cisco products:

UCS E-Series Blade Servers
UCS Manager Software
UCS S-Series Servers in standalone mode

See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability

Workarounds that address this vulnerability were introduced in Cisco bug ID CSCvw48062 via new configuration settings. The new settings are available in releases 4.9.04053 and later. Cisco recommends using additional settings that were introduced in Release 4.10.00093 instead of using the settings introduced in 4.9.04053.
The settings introduced in 4.10.00093 allow connections to trusted headends only, without any functionality loss. Additional information about the new settings is in the Recommendations section of this advisory.
Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093
Releases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103 with no additional configuration required. See the Recommendations section for additional optional but recommended settings.
Upgrade instructions for systems where workarounds were previously applied
This section is relevant only to customers that had previously applied the workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or mitigation settings for releases earlier than Release 4.9.04053. If the workarounds or mitigations listed on this advisory were not previously used, use the normal upgrade process. More information about the normal upgrade process is in the Release Notes or Configuration Guide.
The following instructions describe how to upgrade to Release 4.10.00093 and remove the previously applied settings in the AnyConnectLocalPolicy.xml file. This file is in the following locations:

Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
macOS: /opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/

AnyConnect Secure Mobility Client Software Release: Earlier than 4.9.04053

Previously deployed AnyConnectLocalPolicy.xml settings:

BypassDownloader=true

New AnyConnectLocalPolicy.xml settings:

BypassDownloader=false

Instructions:

Upgrade to 4.10 using a predeploy method.
Redistribute the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.
Apply the new 4.10 settings shown in the Recommendations section.

AnyConnect Secure Mobility Client Software Release: 4.9.04053, 4.9.05042, 4.9.06037

Previously deployed AnyConnectLocalPolicy.xml settings:

RestrictScriptWebDeploy=true
RestrictHelpWebDeploy=true
RestrictResourceWebDeploy=true
RestrictLocalizationWebDeploy=true
BypassDownloader=false

New AnyConnectLocalPolicy.xml settings:

RestrictScriptWebDeploy=false
RestrictHelpWebDeploy=false
RestrictResourceWebDeploy=false
RestrictLocalizationWebDeploy=false
BypassDownloader=false

Instructions:

Upgrade to 4.10 using either a predeploy or webdeploy method.
Redistribute [1] the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.
Apply the new 4.10 settings shown in the Recommendations section.

1. Customers may leave the settings intact for RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy if the restricted functionality is not required. If these settings remain true, files must be distributed using an out-of-band deployment method.

Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037
For customers who have already applied the RestrictScriptWebDeploy workaround
For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, RestrictLocalizationWebDeploy workarounds, nothing further needs to be done to help ensure protection against exploitation of this vulnerability.
To restore full functionality to the product, customers should upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section. After full functionality is restored, customers can once again deploy files from the headend instead of using an out-of-band deployment method.
For customers who cannot upgrade to Release 4.10.00093 or later
For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot upgrade to Release 4.10.00093 or later, the recommended workaround for these releases is to edit the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to false. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines using an out-of-band method of deployment. 
There are additional configuration settings for releases 4.9.04053, 4.9.05042, and 4.9.06037 that are strongly recommended for increased protection. The full set of custom web-deploy restrictions is listed below. For more details about the new configuration settings and implications of their use, refer to the Release Notes or Cisco bug ID CSCvw48062. These settings would allow profile updates and future software upgrades while helping to protect against exploitation of this vulnerability.

RestrictScriptWebDeploy
RestrictHelpWebDeploy
RestrictResourceWebDeploy
RestrictLocalizationWebDeploy

The following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.

Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:

Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
macOS: /opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/

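Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:

<RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
<RestrictHelpWebDeploy>false</RestrictHelpWebDeploy>
<RestrictResourceWebDeploy>false</RestrictResourceWebDeploy>
<RestrictLocalizationWebDeploy>false</RestrictLocalizationWebDeploy>

Change that setting to true, as shown in the following example:

<RestrictScriptWebDeploy>true</RestrictScriptWebDeploy>
<RestrictHelpWebDeploy>true</RestrictHelpWebDeploy>
<RestrictResourceWebDeploy>true</RestrictResourceWebDeploy>
<RestrictLocalizationWebDeploy>true</RestrictLocalizationWebDeploy>

Verify that the BypassDownloader setting is correct by looking for the following line:

<BypassDownloader>false</BypassDownloader>

If the BypassDownloader setting is true, change it to false, as shown in the following example:

<BypassDownloader>false</BypassDownloader>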

Save the file to the original location. The network paths are noted above.
Restart the VPN Agent service or reboot the client machine.

Cisco AnyConnect Secure Mobility Client Software Earlier than Release 4.9.04053
For customers who have already applied the BypassDownloader mitigation
For customers using releases earlier than Release 4.9.04053 who have already applied the BypassDownloader mitigation, nothing further needs to be done to enable protection against exploitation of this vulnerability. Because this mitigation is not recommended, customers could upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section.
For customers who cannot upgrade to Release 4.10.00093 or later
For customers using releases earlier than Release 4.9.04053 who cannot upgrade to Release 4.10.00093 or later and/or do not require updated content on the VPN headend device to be downloaded to the client, enabling the BypassDownloader setting is a possible mitigation.
Warning: Changing the BypassDownloader setting is not recommended in most customer environments. If the BypassDownloader is set to true, VPN users could be refused a connection from the VPN headend if their local VPN XML profiles are out of date with what is configured on the VPN headend.
Note: Enabling the BypassDownloader setting can be done only out-of-band on the client devices and has a couple of implications:

All future updates to either Cisco AnyConnect Secure Mobility Client Software or the AnyConnect profile would have to be done out-of-band. AnyConnect will no longer download updated content from the headend device.
AnyConnect profiles would still need to be in sync between the headend device and the client. If the profiles are not in sync, the VPN connection could be established with default settings instead of with settings on the headend or client. The VPN headend could also refuse the connection.

The procedure that follows is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.

Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:

Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
macOS: /opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/

Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following line:

<BypassDownloader>false</BypassDownloader>

Change that setting to true, as shown in the following example:

<BypassDownloader>true</BypassDownloader>

Save the file to the original location. The network paths are noted above.
Restart the VPN Agent service or reboot the client machine.
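
The two manual procedures above (the RestrictScriptWebDeploy workaround for releases 4.9.04053 through 4.9.06037, and the BypassDownloader mitigation for earlier releases) can be checked across a fleet with a small audit script. The following is an added example, not Cisco code: it assumes each setting is an XML element of the same name holding true or false, and the sample policy documents, their namespace URI, and the 4.8.03052 release string are constructed inputs.

```python
import xml.etree.ElementTree as ET

RESTRICT_SETTINGS = (
    "RestrictScriptWebDeploy",
    "RestrictHelpWebDeploy",
    "RestrictResourceWebDeploy",
    "RestrictLocalizationWebDeploy",
)
ALL_SETTINGS = ("BypassDownloader",) + RESTRICT_SETTINGS
WORKAROUND_RELEASE = (4, 9, 4053)  # first release with the Restrict*WebDeploy settings
FIXED_RELEASE = (4, 10, 93)        # first release that contains the fix


def parse_release(text):
    """'4.9.04053' -> (4, 9, 4053), so releases compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def read_policy(xml_text):
    """Return {setting: True/False}; a setting absent from the file is None."""
    found = {}
    for elem in ET.fromstring(xml_text).iter():
        name = elem.tag.rsplit("}", 1)[-1]  # ignore any XML namespace
        if name in ALL_SETTINGS:
            found[name] = (elem.text or "").strip().lower() == "true"
    return {name: found.get(name) for name in ALL_SETTINGS}


def audit(release_text, xml_text):
    """Compare one client's release and local policy with the advisory text."""
    release = parse_release(release_text)
    policy = read_policy(xml_text)
    bypass = policy["BypassDownloader"]
    restrict_on = [n for n in RESTRICT_SETTINGS if policy[n]]
    restrict_off = [n for n in RESTRICT_SETTINGS if not policy[n]]
    notes = []

    if release >= FIXED_RELEASE:
        status = "fixed"
        if bypass:
            notes.append("BypassDownloader is true; the post-upgrade setting is false")
        if restrict_on:
            notes.append("still true, so these files need out-of-band "
                         "deployment: " + ", ".join(restrict_on))
    elif release >= WORKAROUND_RELEASE:
        script_ok = policy["RestrictScriptWebDeploy"] is True
        status = "workaround-applied" if script_ok and bypass is False \
            else "workaround-missing"
        if not script_ok:
            notes.append("set RestrictScriptWebDeploy to true")
        if bypass is not False:
            notes.append("set BypassDownloader to false")
        extra = [n for n in restrict_off if n != "RestrictScriptWebDeploy"]
        if extra:
            notes.append("strongly recommended, not yet true: " + ", ".join(extra))
    else:
        status = "mitigation-applied" if bypass else "no-mitigation"
        if bypass:
            notes.append("BypassDownloader mitigation active: software and "
                         "profile updates must be delivered out-of-band")
        else:
            notes.append("upgrade, or consider the BypassDownloader mitigation")
        if restrict_on:
            notes.append("Restrict*WebDeploy settings are available only in "
                         "4.9.04053 and later")
    return {"status": status, "policy": policy, "notes": notes}


def sample_policy(**settings):
    """Build a constructed policy document (not a real deployed file)."""
    body = "".join(
        f"  <{name}>{str(value).lower()}</{name}>\n"
        for name, value in settings.items()
    )
    return ('<AnyConnectLocalPolicy xmlns="urn:example:constructed">\n'
            + body + "</AnyConnectLocalPolicy>\n")


if __name__ == "__main__":
    fleet = [  # constructed inventory: (host, installed release, policy file)
        ("host-a", "4.8.03052", sample_policy(BypassDownloader=False)),
        ("host-b", "4.9.05042", sample_policy(BypassDownloader=False,
                                              RestrictScriptWebDeploy=True)),
        ("host-c", "4.10.00093", sample_policy(BypassDownloader=True)),
    ]
    for host, release, xml_text in fleet:
        result = audit(release, xml_text)
        print(host, release, result["status"])
        for note in result["notes"]:
            print("   -", note)
```

To audit a real client, pass the contents of its AnyConnectLocalPolicy.xml (read as bytes from the locations listed above) together with the installed release string.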

Multiple Cisco Products Snort HTTP Detection Engine File Policy Bypass Vulnerabilities

Fixed Releases
At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerabilities described in this advisory and which release included the fix for these vulnerabilities.
Cisco FTD Software

| Cisco FTD Software Release | First Fixed Release for these Vulnerabilities |
|---|---|
| Earlier than 6.2.2 [1] | Migrate to a fixed release. |
| 6.2.2 | Migrate to a fixed release. |
| 6.2.3 | Migrate to a fixed release. |
| 6.3.0 | Migrate to a fixed release. |
| 6.4.0 | 6.4.0.12 |
| 6.5.0 | Migrate to a fixed release. |
| 6.6.0 | 6.6.4 [2] |
| 6.7.0 | 6.7.0.2 |

1. Cisco FMC and FTD Software releases 6.0.1 and earlier, as well as releases 6.2.0 and 6.2.1, have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.

2. The First Fixed Release for the 6.6.0 code train was 6.6.3; however, due to upgrade issues associated with CSCvx86231 the recommended release is 6.6.4.

To upgrade to a fixed release of Cisco FTD Software, do one of the following:

For devices that are managed by using Cisco Firepower Management Center (FMC), use the FMC interface to install the upgrade. After installation is complete, reapply the access control policy.
For devices that are managed by using Cisco Firepower Device Manager (FDM), use the FDM interface to install the upgrade. After installation is complete, reapply the access control policy.

Cisco IOS XE Software and Cisco IOS XE SD-WAN Software

| Cisco UTD Snort IPS Engine Software for IOS XE and Cisco UTD Engine for IOS XE SD-WAN Software [1] | First Fixed Release for these Vulnerabilities |
|---|---|
| Earlier than 16.12 | Migrate to a fixed release. |
| 16.12 | 16.12.5 |
| 17.1 | Migrate to a fixed release. |
| 17.2 | Migrate to a fixed release. |
| 17.3 | 17.3.3 |
| 17.4 | 17.4.1 |

1. Starting with release 17.2.1, Cisco IOS XE Software and Cisco IOS XE SD-WAN Software share the same image file.

Open Source Snort
The open source Snort project releases 2.9.17.1 and later contain the fix for these vulnerabilities. For more information on open source Snort, see the Snort website.

Multiple Cisco Products Snort TCP Fast Open File Policy Bypass Vulnerability

While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Cisco FTD Software Release 6.7.0
For Cisco FTD Software Release 6.7.0, as a workaround when the Snort 3 configuration option is enabled, an administrator may enable built-in rule 129:2 in the intrusion policy and set the action to Drop instead of Alert.
Use the following steps to verify that the Snort 3 configuration option is enabled. For more details, see the Switching Between Snort 2 and Snort 3 section of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.7.

Log in to the Admin Portal for the FTD deployment.
Navigate to Policies > Intrusion.
Look for the Snort Version line above the table. The current version is the first number in the complete version number. For example, 2.9.17-95 is a Snort 2 version.

Use the following steps to enable rule 129:2. For more details, see the Changing Intrusion Rule Actions (Snort 3) section of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.7.

Log in to the Admin Portal for the FTD deployment.
Navigate to Policies > Intrusion.
Choose any system-provided policy, such as Balanced Security and Connectivity.
Search for rule 129:2.
Check the check box next to the rule to enable it.
Choose Drop from the Action drop-down list.
Add the intrusion policy to a rule in Access control policy.

Cisco NX-OS Software CLI Bypass to Internal Service Vulnerability

Cisco has released free software updates that address the vulnerability described in this advisory.

Fixed Releases
No upgrade action is necessary for customers who have already applied a recommended release to address the March 2019 Cisco FXOS and NX-OS Software bundle. See Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication for a list of advisories in the bundle.
Customers who have not applied a recommended release to address the March 2019 bundle are advised to upgrade to an appropriate release as indicated in the applicable table in this section. In the following tables, the left column lists Cisco NX-OS Software releases. The right column indicates the first release that includes the fix for this vulnerability.
MDS 9000 Series Multilayer Switches: CSCvi99248

| Cisco NX-OS Software Release | First Fixed Release for This Vulnerability |
|---|---|
| 5.2 | 6.2(25) |
| 6.2 | 6.2(25) |
| 7.3 | 8.3(2) |
| 8.1 | 8.3(2) |
| 8.2 | 8.3(2) |
| 8.3 | 8.3(2) |

Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone NX-OS Mode: CSCvh24771

| Cisco NX-OS Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Prior to 7.0(3)I7 | 7.0(3)I7(3) |
| 7.0(3)I7 | 7.0(3)I7(3) |
| 9.2(1) | Not vulnerable |

Nexus 3500 Platform Switches: CSCvi99250

| Cisco NX-OS Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Prior to 6.0(2)A8 | 6.0(2)A8(11) |
| 6.0(2)A8 | 6.0(2)A8(11) |
| 7.0(3) | 7.0(3)I7(3) |
| 9.2 | Not vulnerable |

Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: CSCvi99247

| Cisco NX-OS Software Release | First Fixed Release for This Vulnerability |
|---|---|
| 7.0(3) | 9.2(1) |
| 9.2 | 9.2(1) |

Nexus 5500, 5600, and 6000 Series Switches: CSCvi99251

| Cisco NX-OS Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Prior to 7.3 | 7.3(4)N1(1) |
| 7.3 | 7.3(4)N1(1) |

Nexus 7000 and 7700 Series Switches: CSCvi99248

| Cisco NX-OS Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Prior to 6.2 | 6.2(22) |
| 6.2 | 6.2(22) |
| 7.2 | 7.3(3)D1(1) |
| 7.3 | 7.3(3)D1(1) |
| 8.0 | 8.2(3) |
| 8.1 | 8.2(3) |
| 8.2 | 8.2(3) |
| 8.3 | 8.3(2) |

UCS 6200, 6300, and 6400 Series Fabric Interconnects: CSCvi99252 and CSCvn11851

| Cisco NX-OS Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Prior to 4.0 | 4.0(1d) |
| 4.0 | 4.0(1d) |

Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco Nexus Switch, administrators can refer to the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance.

Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series and 3500 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches

For help determining the best Cisco NX-OS Software release for Cisco UCS, refer to the Recommended Releases documents in the release notes for the device.

Cisco Finesse Open Redirect Vulnerability

Fixed Releases
For information about fixed software releases, see the Details section in the bug ID(s) at the top of this advisory.

Cisco DNA Spaces Connector Command Injection Vulnerabilities

Fixed Releases
At the time of publication, Cisco DNA Spaces: Connector docker software releases 2.0.519 and later contained the fix for these vulnerabilities.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Cisco DNA Spaces Connector Privilege Escalation Vulnerabilities

Fixed Releases
At the time of publication, Cisco DNA Spaces Connector releases 2.3.1 and later contained the fix for these vulnerabilities.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Command Injection Vulnerability

Cisco has released free software updates that address the vulnerability described in this advisory.

Fixed Releases
Cisco fixed this vulnerability in the following releases:

Cisco Prime Infrastructure releases 3.9 and later
Cisco EPN Manager releases 5.1 and later

Cisco Modeling Labs Web UI Command Injection Vulnerability

Cisco has released free software updates that address the vulnerability described in this advisory.

Fixed Releases
Cisco fixed this vulnerability in Cisco Modeling Lab releases 2.2.1 and later.

Cisco ADE-OS Local File Inclusion Vulnerability

Fixed Releases
At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

| Cisco Product | Fixed Releases |
|---|---|
| EPN Manager | 5.0.1 and later |
| ISE | 2.7 Patch4 and later; 3.0 Patch2 and later; 3.1 and later |
| Prime Infrastructure | 3.8.1 Update 2 and later; 3.9.0 and later |

Cisco Finesse Cross-Site Scripting Vulnerabilities

Fixed Releases
At the time of publication, Cisco Finesse releases 12.6(1) and later contained the fix for these vulnerabilities.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Cisco Unified Intelligence Center Reflected Cross-Site Scripting Vulnerability

Fixed Releases
At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerability described in this advisory and which release included the fix for this vulnerability.
Unified Intelligence Center

| Cisco Unified Intelligence Center Releases | First Fixed Release for This Vulnerability |
|---|---|
| 11.6(1) and earlier | Migrate to a fixed release. |
| 12.0(1) | Migrate to a fixed release. |
| 12.5(1) | 12.6(1) |

Unified Contact Center Express

| Cisco Unified Contact Center Express Releases | First Fixed Release for This Vulnerability |
|---|---|
| 11.6(1) and earlier | Migrate to a fixed release. |
| 12.0(1) | Migrate to a fixed release. |
| 12.5(1) | 12.5(1) SU1 |

Cisco Hosted Collaboration Mediation Fulfillment Denial of Service Vulnerability


Fixed Releases
At the time of publication, Cisco HCM-F releases 12.6 and later contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

MacOS Local Privilege Escalation Exploitable through Cisco AnyConnect Secure Mobility Client

THIS DOCUMENT IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

Cisco HyperFlex HX Command Injection Vulnerabilities

Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Fixed Releases
In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerabilities described in this advisory and the first release that includes the fix for these vulnerabilities. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.

| Cisco HyperFlex HX Release | First Fixed Release |
|---|---|
| Earlier than 4.0 | Migrate to 4.0(2e) |
| 4.0 | 4.0(2e) |
| 4.5 | 4.5(2a) |

Cisco HyperFlex HX Data Platform File Upload Vulnerability


Fixed Releases
At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerability described in this advisory and which release included the fix for this vulnerability.

| Cisco HyperFlex HX Data Platform Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Earlier than 4.0 | Migrate to 4.0(2e) |
| 4.0 | 4.0(2e) |
| 4.5 | 4.5(2a) |