It is possible to mitigate the administration interface file access
vulnerability (IronPort Bug 65921) by using the IP address restriction feature
of the administration interface to limit access to trusted hosts. Access to the
administration interface is not restricted by default. To configure access
limits, an administrator should navigate to Configuration -> Web
Services -> Admin -> Console Security area in the Cisco IronPort
Encryption Appliance administration interface.
It is possible to work around the remote code execution vulnerability
(IronPort Bug 65923) by disabling HTTP Invoker in the Cisco IronPort Encryption
Appliance configuration files. To disable the HTTP Invoker, an administrator
must delete several files in the PostX application home directory and remove a
directive from the web server configuration. The following files must be
deleted:
jboss/server/postx/deploy/http-invoker.sar
jboss/server/postx/deploy/jms/jbossmq-httpil.sar
The following directive must be removed from the
jboss/server/postx/conf/jboss-service.xml web server
configuration file.
The JMXConsole and WebConsole should be removed as well. This is done by carrying out the following commands as an administrator:
cd /usr/local/postx/server/jboss/server/postx/deploy
mv jmx-console.war jmx-console-disabled.war
cd management
mv web-console.war web-console-disabled.war
After deleting the files and removing the directive from the
configuration file, the PostX application service must be restarted.
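As an added verification helper, which is not part of the Cisco advisory, the POSIX shell function below inspects a PostX home directory and reports whether the HTTP Invoker archives have been deleted and the JMX and Web consoles have been renamed as described above. The home-directory argument and the report format are assumptions of this example; the jboss-service.xml directive is not checked because its exact text is not given here.

```shell
#!/bin/sh
# Added example (not Cisco advisory code): verify the HTTP Invoker workaround
# state under a PostX home directory, e.g. /usr/local/postx/server (assumed).
# Returns 0 when every item the advisory lists has been handled, 1 otherwise.

check_workaround() {
    home="$1"
    deploy="$home/jboss/server/postx/deploy"
    status=0

    # Archives the advisory says must be deleted.
    for f in "$deploy/http-invoker.sar" "$deploy/jms/jbossmq-httpil.sar"; do
        if [ -e "$f" ]; then
            echo "STILL PRESENT: $f"
            status=1
        else
            echo "ok: deleted $f"
        fi
    done

    # Consoles the advisory says should be renamed to *-disabled.war; any file
    # still carrying the original name is still deployed by JBoss.
    for w in "$deploy/jmx-console.war" "$deploy/management/web-console.war"; do
        if [ -e "$w" ]; then
            echo "STILL DEPLOYED: $w"
            status=1
        else
            echo "ok: not deployed $w"
        fi
    done

    # The directive in jboss-service.xml must be reviewed by hand.
    echo "note: review $home/jboss/server/postx/conf/jboss-service.xml manually"
    return $status
}

# Stand-alone use: check_workaround.sh /usr/local/postx/server
if [ "$#" -gt 0 ]; then
    check_workaround "$1"
fi
```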
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20100210-ironport