Cisco Collaboration Server ServletExec allows elevated privileges

ccs-servletexec-gain-privileges (16553) The risk level is classified as HighHigh Risk

Description:

Cisco Collaboration Server (CCS) could allow a remote attacker to upload any file to the server. New Atlanta Communications (formerly Unify eWave) ServletExec is a Web application server and servlet engine that implements Java Servlet APIs and JavaServer Pages (JSP). A remote attacker could exploit this vulnerability to gain administrative privileges on the system.


Consequences:

Gain Privileges

Remedy:

Upgrade to Cisco Collaboration Server version 5.x shipped with ServletExec 4.1, as listed in Cisco Security Advisory dated 2004 June 30 1600 UTC (GMT). See References.

— OR —

Apply the appropriate patch for versions 4.x, as listed in Cisco Security Advisory dated 2004 June 30 1600 UTC (GMT). See References.

— OR —

Apply the workaround, as listed in Cisco Security Advisory dated 2004 June 30 1600 UTC (GMT). See References.

References:

Platforms Affected:

  • New Atlanta Communications ServletExec 2.2
  • New Atlanta Communications ServletExec 3.0

Reported:

Jun 30, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page