This vulnerability is documented in Cisco bug ID:
(registered customers only)
For customers without access to Cisco's Bug Toolkit, the
full Release Note for Cisco Bug ID CSCtb82159 has been made available here, as
When generating a "Message-handling Errors" message, if an
appropriate error handler is not found, the response discloses the internal
IP address of the client of the Cisco ACE XML Gateway (AXG) and the Cisco ACE
Web Application Firewall (WAF).
All versions prior to system software version 6.1 are
This vulnerability affects the Cisco ACE XML Gateway and
the Cisco ACE Web Application Firewall.
Though the response by itself does not provide any way to
compromise the device, this behavior discloses potentially valuable information
about the internal network structure.
The disclosed address is not the address of the AXG or WAF;
it is an address of its client, which in many cases is a load balancer.
The internal IP address is included in the message-handling
errors response if AXG or WAF was not able to find a matching handler for the
There is currently no workaround for this vulnerability.
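An added example, not part of Cisco's release note: a check that scans captured error-response bodies for internal IPv4 addresses, the condition described above. The function names, the address ranges treated as internal and the sample bodies are assumptions; the page does not show the actual error format.

```python
import ipaddress
import re

# Ranges treated as "internal" here (an assumption): RFC 1918 private space
# plus RFC 6598 shared address space. Adjust to the ranges used behind the gateway.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Dotted quad that is not part of a longer dotted number (e.g. a 5-part version).
_QUAD = re.compile(r"(?<!\d)(?<!\d\.)\d{1,3}(?:\.\d{1,3}){3}(?!\d)(?!\.\d)")


def internal_addresses(body):
    """Return the distinct internal IPv4 addresses in body, in order seen."""
    seen = []
    for match in _QUAD.finditer(body):
        try:
            addr = ipaddress.IPv4Address(match.group())
        except ipaddress.AddressValueError:
            continue  # octet out of range, e.g. 10.300.1.1
        if any(addr in net for net in INTERNAL_NETS) and str(addr) not in seen:
            seen.append(str(addr))
    return seen


def audit(responses):
    """Map each response label to the internal addresses its body leaks."""
    report = {}
    for label, body in responses:
        leaked = internal_addresses(body)
        if leaked:
            report[label] = leaked
    return report


# Constructed sample bodies; the real error format is not shown on the page.
SAMPLES = [
    ("unmatched-request", "Message-handling error: no handler for request from 10.20.30.40."),
    ("public-client", "Message-handling error: no handler for request from 203.0.113.7"),
    ("version-banner", "software 6.1.0.12.3 build 10.300.1.1"),
]

if __name__ == "__main__":
    for label, leaked in audit(SAMPLES).items():
        print(label, leaked)
```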
Further Problem Description
System software version 6.1 is expected to be available in