Vulnslist


Cisco Wide Area Application Services Central Manager Denial of Service Vulnerability

Advisory ID: cisco-sa-20161012-waas · Severity: Medium · Published · Updated

A vulnerability in the SSL session cache management of Cisco Wide Area Application Services (WAAS) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition through high consumption of disk space. The user would see performance degradation.

The vulnerability is due to a lack of file size limits on the SSL system files stored on disk. An attacker could exploit this vulnerability by sending a continuous stream of SSL traffic to the targeted device. A successful exploit could allow the attacker to cause a DoS condition due to the adverse impact on device performance.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-waas

Workarounds

The SSL cache files can be removed from the disk. This is a temporary workaround: it mitigates the vulnerability only until the cache files grow again, so it has to be repeated until the fixed software is installed. The administrator can use the following command sequence on the WAAS CLI to remove the SSL cache files:

#waas> config
#waas(config)> no cms enable
#waas(config)> cms enable
#waas(config)> exit
#waas> service restart rpc_httpd

Contact the Cisco Technical Assistance Center (TAC) for a script to update the configuration of the SSL cache files.

CVEs: CVE-2016-6437
Cisco Bug IDs: CSCva03095
CVSS v2 Base Score: 4.3
CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P (base) / E:F/RL:OF/RC:C (temporal)
Product Names From Source: Cisco Wide Area Application Services (WAAS)

Related Products

Product                                           CVE             Evidence
Cisco Wide Area Application Services Software     CVE-2016-6437   Cisco OpenVuln
Cisco Wide Area Application Services Appliances   CVE-2016-6437   Cisco OpenVuln
Cisco RV Series Routers                           CVE-2016-6437   Cisco OpenVuln
Cisco Nexus Dashboard                             CVE-2016-6437   Cisco OpenVuln
Cisco Wide Area Application Services (WAAS)       CVE-2016-6437   Cisco OpenVuln

The advisory text reproduced above names only Cisco WAAS as the affected product. The rows for other product families come from the aggregator's OpenVuln mapping; confirm them against the Cisco advisory before treating those products as affected.