Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
688
Views
0
Helpful
1
Replies

Java Deserialisation bug

exMSW4319
Level 3
Level 3

‎12-10-2015 06:33 AM

The list of Cisco products considered vulnerable to the subject bug now appears to include ESA and SMA boxes:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

The article on The Register that led me there states that only Cloud and CRES customers are at risk.

Could we have some clarification on this?

If ESA tin is vulnerable, are there any obvious points that might reassure us?

Labels:
0 Helpful
1 Reply 1

Mathew Huynh
Cisco Employee
Cisco Employee

‎12-13-2015 05:23 PM

Hello,

The CES (Cisco Cloud ESA) uses a version of Commons Collections library within it's Java process so it is deemed vulnerable. -> https://tools.cisco.com/bugsearch/bug/CSCux34593

The physical systems are currently under review and no further details has been disclosed as yet.

When investigation is done, we'll be able to update you -- however if it is vulnerable there will be a bug published to track this.

Regards,

Matthew

0 Helpful
Customers Also Viewed These Support Documents