Cisco released two patches that correct issues in several of its enterprise-class products, including the widely deployed PIX 500 series appliance.
The company said one of the flaws could result in a sustained DoS attack against two of its security products, while the second bug could allow an attacker to take full administrative control of the impacted system.
Furthermore, Cisco said the PIX 500 firewall and its 5500 Series Adaptive Security Appliance (ASA) are vulnerable to a crafted IP packet vulnerability.
This flaw occurs during processing of a crafted IP packet, purposely modified to trigger the issue. Processed when the Time-to-Live (TTL) decrement feature is enabled, this vulnerability can cause the affected device to reload its operating environment. Repeated exploitation of the flaw can cause a DoS attack, according to Cisco.
Cisco has posted a workaround that fixes the problem. The company also noted that versions 7.2(3)6 or 8.0(3) and later of the PIX 500 and ASA operating software contain fixes for the bug.
In addition to giving an attacker full administrator rights, the remaining vulnerability, in Cisco's Application Velocity System (AVS), an appliance that improves the performance of HTML- and XML-based applications, can open user-level access to the appliance's underlying operating system.
This vulnerability affects the Cisco AVS 3110, 3120, 3180 and 3180A management station appliances running software versions prior to AVS 5.1.0, according to the company. Cisco said it is offering free upgrade software to fix the vulnerability.
Sun's release of a new JavaSE Runtime Environment impacts users of Windows, Linux and Solaris systems. This release takes the software to Java 6 Update 4.
Windows users can determine what version they have with the Add/Remove Programs icon in the Control Panel. It is listed in various forms -- J2SE Runtime Environment, Java(TM) SE Runtime Environment or just Java(TM).
The Java update is available here . After installing the Java upgrade, Windows users will most likely have multiple versions of Java installed; they should remove the earlier versions after upgrading their system.
See original article on SC Magazine US
Cisco, Sun patch flaws, including 370 bugs in JavaSE
By Jim Carr on Jan 29, 2008 10:43AM