Cisco Security Advisory
http://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml
1992-2010 Cisco Systems, Inc. All rights reserved.

Cisco UCS Central Software Arbitrary Command Execution Vulnerability

A vulnerability in the web framework of Cisco UCS Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.

The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150506-ucsc
Wed, 06 May 2015 16:00:00 PDT

Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products

Multiple Cisco products incorporate a version of the ntpd package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to bypass authentication controls or to create a denial of service (DoS) condition.

On April 7, 2015, NTP.org and US-CERT released a security advisory dealing with two issues regarding bypass of authentication controls. These vulnerabilities are referenced in this document as follows:

- CVE-2015-1798: NTP Authentication bypass vulnerability
- CVE-2015-1799: NTP Authentication doesn't protect symmetric associations against DoS attacks

Cisco has released free software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-ntpd
Wed, 06 May 2015 13:56:32 PDT

Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service condition or perform a man-in-the-middle attack. On January 8, 2015, the OpenSSL Project released a security advisory detailing eight distinct vulnerabilities.
The vulnerabilities are referenced in this document as follows:

- CVE-2014-3571: OpenSSL DTLS Message Processing Denial of Service Vulnerability
- CVE-2015-0206: OpenSSL dtls1_buffer_record Function DTLS Message Processing Denial of Service Vulnerability
- CVE-2014-3569: OpenSSL no-ssl3 Option NULL Pointer Dereference Vulnerability
- CVE-2014-3572: OpenSSL Elliptic Curve Cryptographic Downgrade Vulnerability
- CVE-2015-0204: OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability
- CVE-2015-0205: OpenSSL Diffie-Hellman Certificate Validation Authentication Bypass Vulnerability
- CVE-2014-8275: OpenSSL Certificate Fingerprint Validation Vulnerability
- CVE-2014-3570: OpenSSL BN_sqr Function Incorrect Mathematical Results Issue

Cisco will release free software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl
Wed, 06 May 2015 13:25:25 PDT

Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows:

- CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability
- CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability
- CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerability
- CVE-2015-0292: OpenSSL Base64 Decoding Memory Corruption Vulnerability
- CVE-2015-0293: OpenSSL SSLv2 CLIENT-MASTER-KEY Denial of Service Vulnerability
- CVE-2015-0209: OpenSSL Elliptic Curve d2i_ECPrivateKey Denial of Service Vulnerability
- CVE-2015-0288: OpenSSL X.509 to PKCS#10 Denial of Service Vulnerability

The following six vulnerabilities do not affect any Cisco products:

- CVE-2015-0291: OpenSSL ClientHello sigalgs Denial of Service Vulnerability
- CVE-2015-0290: OpenSSL Multiblock Denial of Service Vulnerability
- CVE-2015-0207: OpenSSL DTLSv1_listen SSL Object Corruption Denial of Service Vulnerability
- CVE-2015-0208: OpenSSL Invalid Probabilistic Signature Scheme Parameters Denial of Service Vulnerability
- CVE-2015-1787: OpenSSL Empty ClientKeyExchange Denial of Service Vulnerability
- CVE-2015-0285: OpenSSL Handshake with Unseeded PRNG Predictable Value Vulnerability

This advisory will be updated as additional information becomes available.

Cisco will release free software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150320-openssl
Fri, 01 May 2015 20:48:28 PDT

GNU glibc gethostbyname Function Buffer Overflow Vulnerability

On January 27, 2015, a buffer overflow vulnerability in the GNU C library (glibc) was publicly announced. This vulnerability is related to the various gethostbyname functions included in glibc and affects applications that call these functions. This vulnerability may allow an attacker to obtain sensitive information from an exploited system or, in some instances, perform remote code execution with the privileges of the application being exploited.

The glibc library is a commonly used third-party software component that is released by the GNU software project, and a number of Cisco products are likely affected.

This advisory will be updated as additional information becomes available. Cisco will release free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost
Tue, 28 Apr 2015 17:36:16 PDT

Cisco IOS XR Software BVI Routed Packet Denial of Service Vulnerability

A vulnerability in the packet-processing code of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers (ASR) could allow an unauthenticated, remote attacker to cause a lockup and eventual reload of a network processor chip and the line card that is processing traffic. Only Typhoon-based line cards on Cisco ASR 9000 Series Aggregation Services Routers are affected by this vulnerability.

The vulnerability is due to improper processing of packets that are routed via the bridge-group virtual interface (BVI) when any of the following features are configured: Unicast Reverse Path Forwarding (uRPF), policy-based routing (PBR), quality of service (QoS), or access control lists (ACLs). An attacker could exploit this vulnerability by sending IPv4 packets through an affected device that is configured to route them via the BVI interface.
A successful exploit could allow the attacker to cause a lockup and eventual reload of a network processor chip and the line card that is processing traffic, leading to a denial of service (DoS) condition.

Cisco has released free software updates that address this vulnerability. There are no workarounds to address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150415-iosxr
Fri, 17 Apr 2015 13:44:03 PDT

Cisco Secure Desktop Cache Cleaner Command Execution Vulnerability

A vulnerability in a Cisco-signed Java Archive (JAR) executable Cache Cleaner component of Cisco Secure Desktop could allow an unauthenticated, remote attacker to execute arbitrary commands on the client host where the affected .jar file is executed. Command execution would occur with the privileges of the user.

The Cache Cleaner feature has been deprecated since November 2012.

There is no fixed software for this vulnerability. Cisco Secure Desktop packages that include the affected .jar files have been removed and are no longer available for download.

Because Cisco does not control all existing Cisco Secure Desktop packages, customers are advised to ensure that their Java blacklist controls have been updated to avoid potential exploitation. Refer to the "Workarounds" section of this advisory for additional information on how to mitigate this vulnerability.

Customers using Cisco Secure Desktop should migrate to the Cisco Host Scan standalone package.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150415-csd
Wed, 15 Apr 2015 16:00:00 PDT

SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

On October 14, 2014, a vulnerability was publicly announced in the Secure Sockets Layer version 3 (SSLv3) protocol when using a block cipher in Cipher Block Chaining (CBC) mode. SSLv3 is a cryptographic protocol designed to provide communication security, which has been superseded by Transport Layer Security (TLS) protocols.
By exploiting this vulnerability, an attacker could decrypt a subset of the encrypted communication.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
Thu, 09 Apr 2015 21:10:48 PDT

Multiple Vulnerabilities in Cisco ASA Software

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

- Cisco ASA Failover Command Injection Vulnerability
- Cisco ASA DNS Memory Exhaustion Vulnerability
- Cisco ASA VPN XML Parser Denial of Service Vulnerability

Successful exploitation of the Cisco ASA Failover Command Injection Vulnerability would allow an attacker to submit failover commands to the failover units, which may result in an attacker taking full control of the systems.

Successful exploitation of the Cisco ASA DNS Memory Exhaustion Vulnerability may result in system instability and dropped traffic.

Successful exploitation of the Cisco ASA VPN XML Parser Denial of Service Vulnerability may result in a crash of the WebVPN process, which may lead to the reset of all SSL VPN connections, system instability, and a reload of the affected system.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for the Cisco ASA Failover Command Injection Vulnerability and Cisco ASA DNS Memory Exhaustion Vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa

Note: The resolution of the vulnerability in the Cisco Security Advisory "Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability", cisco-sa-20150408-cxfp, released on the 8th of April may require an upgrade of the Cisco ASA Software release. Cisco ASA customers should review cisco-sa-20150408-cxfp before deciding which Cisco ASA Software release to upgrade to.

The Cisco Security Advisory "Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability" is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp
Wed, 08 Apr 2015 16:00:00 PDT

Cisco ASA FirePOWER Services and Cisco ASA CX Services Crafted Packets Denial of Service Vulnerability

A vulnerability in the virtualization layer of the Cisco ASA FirePOWER Services and Cisco ASA Context Aware (CX) Services could allow an unauthenticated, remote attacker to cause a reload of the affected system.

Cisco has released free software updates that address this vulnerability. The resolution includes upgrading the Cisco ASA FirePOWER Services Software or the Cisco ASA CX Services Software and the Cisco ASA Software. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp

Note: Cisco ASA Software is affected by several other vulnerabilities described in the Cisco Security Advisory "Multiple Vulnerabilities in Cisco ASA Software", cisco-sa-20150408-asa.
Cisco ASA customers should review cisco-sa-20150408-asa before determining an upgrade release for Cisco ASA Software.

Cisco Security Advisory "Multiple Vulnerabilities in Cisco ASA Software" is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa
Wed, 08 Apr 2015 16:00:00 PDT

GNU Bash Environment Variable Command Injection Vulnerability

On September 24, 2014, a vulnerability in the Bash shell was publicly announced. The vulnerability is related to the way in which shell functions are passed through environment variables. The vulnerability may allow an attacker to inject commands into a Bash shell, depending on how the shell is invoked. The Bash shell may be invoked by a number of processes including, but not limited to, telnet, SSH, DHCP, and scripts hosted on web servers.

All versions of GNU Bash starting with version 1.14 are affected by this vulnerability and the specific impact is determined by the characteristics of the process using the Bash shell. In the worst case, an unauthenticated remote attacker would be able to execute commands on an affected server. However, in most cases involving Cisco products, authentication is required before exploitation could be attempted.

A number of Cisco products ship with or use an affected version of the Bash shell. The Bash shell is a third-party software component that is part of the GNU software project and used by a number of software vendors. As of this version of the Security Advisory, there have been a number of vulnerabilities recently discovered in the Bash shell, and the investigation is ongoing.
For vulnerable products, Cisco has included information on the product versions that will contain the fixed software, and the date these versions are expected to be published on the cisco.com download page (http://www.cisco.com/cisco/web/support/index.html#~shp_download). This advisory will be updated as additional information becomes available. Cisco may release free software updates that address this vulnerability if a product is determined to be affected by this vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Wed, 01 Apr 2015 21:14:56 PDT

Multiple Vulnerabilities in Cisco Unity Connection

Cisco Unity Connection contains multiple vulnerabilities when it is configured with Session Initiation Protocol (SIP) trunk integration. The vulnerabilities described in this advisory are denial of service vulnerabilities impacting the availability of Cisco Unity Connection for processing SIP messages.

Cisco has released free software updates that address these vulnerabilities.
Workarounds that mitigate these vulnerabilities are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150401-cuc
Wed, 01 Apr 2015 16:00:00 PDT