When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
There is no fixed software for this vulnerability. Cisco Secure Desktop packages that include the affected .jar files have been removed and are no longer available for download.
Customers using Cisco Secure Desktop should migrate to the Cisco Host Scan standalone package.
The Cache Cleaner feature has been deprecated since November 2012. Additional information can be found at
This vulnerability affects the host that executes the malicious .jar file. Cisco ASA Software and Cisco IOS Software are not affected by this vulnerability.
Because the attacker can exploit a vulnerability in the .jar file, which is signed by Cisco, this vulnerability can be exploited against any user, not just against consumers of Cisco Secure Desktop.
Cisco has provided the SHA-1 hashes for the affected version of the .jar files, which can be used to prevent the exploit via the Java Blacklist Jar feature. Cisco has also requested Java to blacklist the affected .jar files by default. This change will be available in Java SE 8 Update 45. See the "Workarounds" section of this advisory for additional details.
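The hash-based blocking described above can also be used to look for the affected files on a host. The following is an added example, not code from Cisco or from this advisory: it assumes the published values are either plain SHA-1 file hashes or `SHA1-Digest-Manifest` entries (the base64 SHA-1 of `META-INF/MANIFEST.MF`, the entry format of Java's blacklist file), and it uses a constructed in-memory JAR and a constructed list entry in place of the advisory's real hashes.

```python
import base64, hashlib, io, zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def parse_blacklist(text):
    """Collect base64 digests from 'SHA1-Digest-Manifest: <value>' lines."""
    digests = set()
    for line in text.splitlines():
        name, _, value = line.strip().partition(":")
        if name.strip().lower() == "sha1-digest-manifest" and value.strip():
            digests.add(value.strip())
    return digests

def jar_digests(jar_bytes):
    """Return (hex SHA-1 of the file, base64 SHA-1 of its manifest or None)."""
    file_sha1 = hashlib.sha1(jar_bytes).hexdigest()
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            manifest = zf.read(MANIFEST)
    except (zipfile.BadZipFile, KeyError):
        return file_sha1, None  # not a ZIP, or no manifest inside
    return file_sha1, base64.b64encode(hashlib.sha1(manifest).digest()).decode()

def is_listed(jar_bytes, file_hashes, manifest_digests):
    """True if either digest of the JAR appears in the supplied hash sets."""
    file_sha1, manifest_b64 = jar_digests(jar_bytes)
    return file_sha1 in file_hashes or manifest_b64 in manifest_digests

def make_sample_jar(manifest_text):
    """Build a constructed in-memory JAR (sample input, not a Cisco file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest_text)
        zf.writestr("Example.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    listed = make_sample_jar("Manifest-Version: 1.0\r\nCreated-By: constructed-listed\r\n")
    clean = make_sample_jar("Manifest-Version: 1.0\r\nCreated-By: constructed-clean\r\n")
    # Placeholder list: the digest comes from the constructed sample; in real use,
    # take the values from the advisory's "Workarounds" section instead.
    blacklist = "# constructed entry\nSHA1-Digest-Manifest: %s\n" % jar_digests(listed)[1]
    digests = parse_blacklist(blacklist)
    for name, data in (("listed.jar", listed), ("clean.jar", clean)):
        print(name, "MATCH" if is_listed(data, set(), digests) else "ok")
```

To sweep a real host, read each `*.jar` under the Java cache and application directories as bytes and pass it to `is_listed` with the hash sets built from the advisory.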