A security issue first reported in July 2010 as a vulnerability in Apache Struts 2, which would allow an attacker to execute arbitrary code on an affected system, has now been patched by Cisco.
The problem occurred because of improper sanitization of input in the XWork component of Apache Struts 2. An attacker could use a crafted Object-Graph Navigation Language (OGNL) expression to compromise a vulnerable system.
As noted in the original report on the issue, identified as CVE-2010-1870, the OGNL expression evaluation relies on a whitelist that does not restrict modification of server-side context objects and circumvents the available "#" protection mechanism in the ParametersInterceptor.
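The article's point is that the exposure sits in request parameter names that reach the OGNL evaluator, and that the "#" filter alone was not enough. The following is an added example, not code from the article or from Cisco or Apache, showing the kind of detection check a defender can run over web-server access logs while patching is still in progress: it URL-decodes every parameter name and flags any that fall outside a conservative allowlist of ordinary form-binding characters. The allowlist pattern and the log lines are constructed assumptions for illustration.

```python
"""Added example (not from the article): flag request parameter names that
carry OGNL-style syntax, such as the '#' the advisory's filter was meant to
block, in Apache-style access-log lines. All sample log lines are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: a conservative allowlist for parameter names. Letters, digits,
# underscore, dot and bracketed indices cover normal Struts 2 form binding;
# anything else (for example '#', '(', '@' or a backslash) gets reported.
SAFE_PARAM_NAME = re.compile(r"^[A-Za-z0-9_.\[\]]+$")

# Only the request line matters here: "METHOD /path?query HTTP/1.x".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log: one ordinary login, one parameter name whose
# URL-encoded form hides a '#', one ordinary indexed form field.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jul/2010:10:01:02 +0000] "GET /app/login.action?user=alice&remember=1 HTTP/1.1" 200 512
10.0.0.9 - - [21/Jul/2010:10:01:07 +0000] "GET /app/login.action?%23session.user=admin HTTP/1.1" 200 512
10.0.0.9 - - [21/Jul/2010:10:01:09 +0000] "GET /app/list.action?items[0].name=x HTTP/1.1" 200 512
"""


def suspicious_param_names(log_text):
    """Return a list of (client_ip, decoded_parameter_name) for every
    parameter name in the log that is outside the allowlist.

    Names are checked after URL decoding, because the web server logs the
    encoded form (%23) while the application sees the decoded '#'.
    """
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip it
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(match.group("target")).query
        # keep_blank_values=True so a bare name with no '=' is still checked
        for name, _value in parse_qsl(query, keep_blank_values=True):
            if not SAFE_PARAM_NAME.match(name):
                hits.append((client_ip, name))
    return hits


if __name__ == "__main__":
    for ip, name in suspicious_param_names(SAMPLE_LOG):
        print(f"{ip}: parameter name outside allowlist: {name!r}")
```

Running the block prints the single constructed hit from 10.0.0.9; the indexed form field `items[0].name` passes because brackets and dots are part of normal property binding. A check like this is a detection aid only; the remediation the article describes is applying Cisco's update.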
The list of Cisco products affected by the security issue comprises Cisco Business Edition 3000 Series, Cisco Identity Services Engine (ISE), Cisco Media Experience Engine (MXE) 3500 Series, and Cisco Unified Contact Center Enterprise (Cisco Unified CCE).
The company said there are free updates mitigating the problem, except for the Cisco Business Edition 3000 Series. Customers who use this product should “contact their Cisco representative for available options.”
Where possible, updating to the latest version of the product is the only solution, as Cisco provided no workarounds for mitigating the risks posed by this vulnerability.