SB2017101909 - Information disclosure in Cisco Jabber

Description

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2017-12286)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The disclosed vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists in the web interface of Cisco Jabber due to a lack of input and validation checks. A local attacker can issue specific commands and view all profile information for a user instead of only certain Jabber parameters that should be visible.

Successful exploitation of the vulnerability results in information disclosure.

2) Information disclosure (CVE-ID: CVE-2017-12284)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The disclosed vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists in the web interface of Cisco Jabber for Windows Client due to a lack of input and validation checks. A local attacker can issue specific commands and view profile information where only certain parameters should be visible.

Successful exploitation of the vulnerability results in information disclosure.

Remediation

Install update from vendor's website.

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-wmc1
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-jab