The Hacker News
Cisco Prime DCNM is a management tool for storage and Ethernet networks. It provides a robust framework and comprehensive feature set that meets the routing, switching, and storage administration needs of present and future virtualized data centers.

According to an advisory from Cisco, Cisco Prime Data Center Network Manager (DCNM) contains a remote command execution vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary commands on the computer that is running the Cisco Prime DCNM application.

The vulnerability exists because JBoss Application Server Remote Method Invocation (RMI) services, specifically the jboss.system:service=MainDeployer functionality, are exposed to unauthorized users.

All Cisco Prime Data Center Network Manager releases prior to release 6.1(1), for both the Microsoft Windows and Linux platforms, are affected by this vulnerability.

Successful exploitation of the vulnerability may allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system that hosts the Cisco Prime DCNM application, in the context of the System user (for Cisco Prime DCNM running on Microsoft Windows) or the root user (for Cisco Prime DCNM running on Linux).

Cisco has released free software updates that address this vulnerability.
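One way to check an inventory against the affected-release boundary stated above, as an added example that is not from Cisco or the original article. The host names and releases are constructed, and the `major.minor(maintenance[letter])` release syntax is an assumption generalised from the `6.1(1)` string in the text.

```python
import re

# Fixed release named in the advisory text above.
FIXED_RELEASE = "6.1(1)"

# Assumed release syntax: major.minor(maintenance[letter]), e.g. "5.2(2c)".
_RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)([a-z]?)\)\s*$", re.IGNORECASE)


def parse_release(text):
    """Turn '5.2(2c)' into a sortable tuple (5, 2, 2, 'c')."""
    m = _RELEASE_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised DCNM release string: {text!r}")
    major, minor, maint, letter = m.groups()
    return (int(major), int(minor), int(maint), letter.lower())


def is_affected(release):
    """True when the release sorts strictly before the fixed release."""
    return parse_release(release) < parse_release(FIXED_RELEASE)


def audit(inventory):
    """Classify each host as 'affected', 'fixed' or 'unknown'.

    Unparseable versions are reported as 'unknown' rather than silently
    treated as safe, so they get a manual look.
    """
    report = {}
    for host, release in inventory.items():
        try:
            report[host] = "affected" if is_affected(release) else "fixed"
        except ValueError:
            report[host] = "unknown"
    return report


# Constructed sample inventory (hypothetical host names and releases).
SAMPLE_INVENTORY = {
    "dcnm-lab-01": "5.2(2c)",
    "dcnm-lab-02": "6.1(1)",
    "dcnm-lab-03": "6.1(1a)",
    "dcnm-lab-04": "10.0(1)",   # a plain string compare would call this "older"
    "dcnm-lab-05": "6.0",       # incomplete string from a hypothetical CMDB
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Comparing parsed tuples rather than raw strings matters here: a lexical comparison would sort `10.0(1)` before `6.1(1)` and wrongly flag it as affected.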

Update: Another advisory from Cisco reports a SQL injection and a buffer overrun vulnerability in the Cisco Unified MeetingPlace Web Conferencing product. The SQL injection vulnerability may allow an unauthenticated, remote attacker to send Structured Query Language (SQL) commands to manipulate the MeetingPlace database, which stores information about server configuration, meetings, and users. These commands may be used to create, delete, or alter some of the information in the Cisco Unified MeetingPlace Web Conferencing database.

Affected versions are those prior to 7.0, as well as 7.0, 7.1, 8.0 and 8.5. Cisco has released free software updates that address the vulnerabilities described in this advisory.
