Vulnerabilities Weekly Summary Ending October 28
By Jerry Adams on October 27, 2016
Cisco Security Advisories focusing on WebEx and Email Security Appliance
Cisco has once again announced a lot of security advisories, below are the ones deemed most critical. Once again WebEx Meeting is one of Cisco’s products that has a critical vulnerability being addressed. As noted before, web conferencing is an attractive target to some attackers, so WebEx free of vulnerabilities is probably a priority for Cisco. Also note that there are nine vulnerabilities addressed for Cisco’s Email Security Appliance (ESA). The ESA is a critical security appliance that provides defense against incoming email delivered threats such as phising, spam and sandboxing analysis and also encrypts outbound email. Obviously if vulnerabilities to this critical appliance were exploited an attacker can cause disruptions to the protected network systems, so Cisco is quick to fix any flaws to it.
CVE-2016-1464 – “A vulnerability in Cisco WebEx Meetings Player could allow an unauthenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper handling of user-supplied files. An attacker could exploit this vulnerability by persuading a user to open a malicious WRF file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the system with the privileges of the user” (2016 Oct. 26, “Cisco WebEx Meetings Player Arbitrary Code Execution Vulnerability”).
CVE-2016-6453 – “A vulnerability in the web framework code of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary SQL commands on the database. The vulnerability is due to insufficient controls on Structured Query Language (SQL) statements. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected system. An exploit could allow the attacker to determine the presence of certain values in the database.” (2016 Oct. 26, “Cisco Identity Services Engine SQL Injection Vulnerability“).
CVE-2016-5195 – “vulnerability related to a race condition in the memory manager of the Linux Kernel was disclosed. This vulnerability could allow unprivileged, local users to gain write access to otherwise read-only memory mappings to increase their privileges on the system ” (2016 Oct. 26, “Vulnerability in Linux Kernel Affecting Cisco Products: October 2016“).
CVE-2016-1481 – ” vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.” (2016 Oct. 26, “Cisco Email Security Appliance Malformed DGN File Attachment Denial of Service Vulnerability”).
See US-CERT’s posting for the complete listing of Cisco’s security advisories for this week (2016 Oct. 26,”Cisco Releases Security Updates for Multiple Products“).
Adobe Flash Security Bulletin for critical vulnerability
Adobe released a bulletin to fix a critical vulnerability. It is being reported that this vulnerability exists in the wild and is being exploited, albeit in limited attacks on the Windows platform. The update that fixes this vulnerability is for Windows, macOS and Linux platforms.
CVE-2016-7855 – “use-after-free vulnerability that could lead to code execution” (2016 Oct. 26, “Security updates available for Adobe Flash Player”).
References:
(2016 Oct. 26). “Cisco WebEx Meetings Player Arbitrary Code Execution Vulnerability“. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160831-meetings-player
(2016 Oct. 26). “Cisco Identity Services Engine SQL Injection Vulnerability“. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-ise
(2016 Oct. 26). “Vulnerability in Linux Kernel Affecting Cisco Products: October 2016“. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-linux
(2016 Oct. 26). “Cisco Email Security Appliance Malformed DGN File Attachment Denial of Service Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esa1
(2016 Oct. 26). “Security updates available for Adobe Flash Player“. Adobe Systems Inc. Retrieved from https://helpx.adobe.com/security/products/flash-player/apsb16-36.html
(2016 Oct. 26). “Cisco Releases Security Updates for Multiple Products“. US-CERT. https://www.us-cert.gov/ncas/current-activity/2016/10/26/Cisco-Releases-Security-Updates-Multiple-Products
CVE.MITRE.org. CVE International in scope and free for public use in accordance with terms of use, CVE is a dictionary of publicly known information security vulnerabilities and exposure
-
CrushFTP CVE-2025-31161 Vulnerability
CrushFTP CVE-2025-31161 Vulnerability
4/11/2025 -
Active Exploitation of Apache Tomcat CVE-2025-24813 Vulnerability
Active Exploitation of Apache Tomcat CVE-2025-24813 Vulnerability
4/4/2025 -
Next.js Middleware CVE-2025-29927 Vulnerability
Next.js Middleware CVE-2025-29927 Vulnerability
4/4/2025