cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1438
Views
7
Helpful
17
Replies

CSCwa25099, CSCwa25100 and CSCwa25074 - Expressway Cross-Site Vulnerab

Elter
Level 4
Level 4

Hello,

the Cisco Security Advisory raised yesterday relates to bugs CSCwa25099, CSCwa25100 and CSCwa25074:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-csrf-KnnZDMj3

and basically mention: "This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system."

and also mention that there is no workaround, must upgrade to a fixed release.

 

If the bug is specific to the web-based management, I was wondering we disable web access to the expressway, either by block with internal or external firewall or directly disabling web mgmt interface, would be enough to not be exposed, while planning the upgrade to a fixed release.

Any thoughts?

Best regards

17 Replies 17

The Fixed release table explicitly indicates that versions prior to 14.0 require an upgrade to the fixed versions.

 



Response Signature


TXG
Level 5
Level 5

Under the first fixed releases it says after the upgrade you need issue the command "xconfiguration Security CSRFProtection status : "Enabled"" does this need to be done on the C, E, or both?

On both C and E.



Response Signature