AV:N/AC:L/Au:N/C:P/I:P/A:C/E:F/RL:OF/RC:C
-
Cisco Unified MeetingPlace Web Conferencing servers may contain an authentication bypass vulnerability that could allow an unauthenticated user to gain administrative access to the MeetingPlace application. Cisco has released software updates that address this vulnerability.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090225-mtgplace.
-
Cisco Unified MeetingPlace conferencing solution provides functionality that allows organizations to host integrated voice, video, and web conferencing. The solution is deployed on-network, behind the firewall and integrated directly into an organization's private voice/data networks and enterprise applications. Cisco Unified MeetingPlace servers can be deployed so that the server is accessible from the Internet, allowing external parties to participate in meetings.
Vulnerable Products
Cisco Unified MeetingPlace Web Conferencing servers running software versions 6.0 and 7.0 may be affected by this vulnerability.
Products Confirmed Not Vulnerable
Cisco Unified MeetingPlace Web Conferencing servers not running 6.0 or 7.0 software are not affected by this vulnerability.
Cisco Unified MeetingPlace Express is not affected by this vulnerability.
No other Cisco products are currently known to be affected by this vulnerability.
-
The Cisco Unified MeetingPlace Web Conferencing server may contain a vulnerability that could allow an unauthenticated user to use a crafted URL to bypass the authentication mechanisms of the server. If successful, the user could gain full administrative access to the Cisco Unified MeetingPlace application.
This vulnerability is documented in Cisco Bug ID CSCsv65815 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-0614.
-
There are no workarounds for this vulnerability.
-
This vulnerability is fixed in Cisco Unified MeetingPlace Web Conferencing software version 6.0(517.0), also known as Maintenance Release 4 (MR4) for the 6.0 release, and in version 7.0(2), also known as Maintenance Release 1 (MR1) for the 7.0 release.
The latest versions of Cisco MeetingPlace software can be downloaded from https://sec.cloudapps.cisco.com/support/downloads/go/Redirect.x?mdfid=278875240 (registered customers only).
The Cisco Unified MeetingPlace Web Server software is available at: https://sec.cloudapps.cisco.com/support/downloads/go/Model.x?mdfid=278816725&mdfLevel=Software%20Version/Option&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20MeetingPlace%20Web%20Conferencing&treeMdfId=278875240 (registered customers only).
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
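The following inventory check is an added example, not Cisco code or part of the original advisory. It classifies reported Web Conferencing versions against the fixed releases named above. The hostnames, the sample versions, and the rule that build numbers compare numerically component by component are assumptions.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) release train.
FIXED = {(6, 0): (517, 0), (7, 0): (2,)}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\((\d+(?:\.\d+)*)\))?\s*$")

def parse_version(text):
    """Split 'major.minor(build)' into ((major, minor), build tuple)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    train = (int(m.group(1)), int(m.group(2)))
    build = tuple(int(p) for p in m.group(3).split(".")) if m.group(3) else ()
    return train, build

def classify(text):
    """Return 'not-affected', 'fixed', 'affected' or 'unknown'."""
    try:
        train, build = parse_version(text)
    except ValueError:
        return "unknown"
    fixed = FIXED.get(train)
    if fixed is None:
        return "not-affected"  # only the 6.0 and 7.0 trains are listed as affected
    if not build:
        return "unknown"  # a bare "6.0" cannot be placed before or after the fix
    # Assumption: components compare numerically, missing ones count as zero.
    width = max(len(build), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return "fixed" if pad(build) >= pad(fixed) else "affected"

# Constructed inventory: hostnames and reported versions are illustrative.
INVENTORY = {
    "mp-web-01": "6.0(244.0)",
    "mp-web-02": "6.0(517.0)",
    "mp-web-03": "7.0(1)",
    "mp-web-04": "7.0(2.3)",
    "mp-web-05": "5.4(104.0)",
    "mp-web-06": "7.0",
}

def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host}: {INVENTORY[host]} -> {state}")
```

Hosts reported as "unknown" need their exact build confirmed on the server before they can be cleared.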
-
This vulnerability was reported to Cisco by National Australia Bank's Security Assurance team.
Cisco would like to thank the National Australia Bank's Security Assurance team for the discovery and reporting of the vulnerability.
The Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0
2008-February-25
Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.