Java Deserialisation bug

exMSW4319
Level 3

The list of Cisco products considered vulnerable to the subject bug now appears to include ESA and SMA boxes:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

The article on The Register that led me there states that only Cloud and CRES customers are at risk.

Could we have some clarification on this?

If ESA tin is vulnerable, are there any obvious points that might reassure us?

1 Reply

Mathew Huynh
Cisco Employee

Hello,

The CES (Cisco Cloud ESA) uses a version of the Commons Collections library within its Java process so it is deemed vulnerable. -> https://tools.cisco.com/bugsearch/bug/CSCux34593

The physical systems are currently under review and no further details have been disclosed as yet.

When investigation is done, we'll be able to update you -- however if it is vulnerable there will be a bug published to track this.

Regards,

Matthew