Back to list
Cisco Security Advisory: Cisco Web Security Appliance Connection Denial of Service Vulnerability
May 18 2016 04:21PM
Cisco Systems Product Security Incident Response Team (psirt cisco com)
-----BEGIN PGP SIGNED MESSAGE-----
Cisco Web Security Appliance Connection Denial of Service Vulnerability
Advisory ID: cisco-sa-20160518-wsa4
For Public Release 2016 May 18 16:00 UTC (GMT)
A vulnerability in Cisco AsyncOS for the Cisco Web Security Appliance (WSA) when the software handles a specific HTTP response code could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an appliance because the appliance runs out of system memory.
The vulnerability occurs because the software does not free client and server connection memory and system file descriptors when a certain HTTP response code is received in the HTTP request. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. An exploit could allow the attacker to cause a DoS condition because the appliance runs out of system memory. When this happens, the device can no longer accept new incoming connection requests.
Cisco has released software updates that address this vulnerability. A workaround that addresses this vulnerability is also available.
This advisory is available at the following link:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
-----END PGP SIGNATURE-----
[ reply ]
Copyright 2010, SecurityFocus