Cisco Security Advisories
Two Cisco security advisories have been published: "Multiple Vulnerabilities in Cisco Unified Communications Manager" and "Cisco Wireless LAN Controllers Denial of Service Vulnerability".
The details below have been taken from Cisco's advisories:
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Communications Manager
Document ID: 112878
Advisory ID: cisco-sa-20110427-cucm
Revision 1.0
For Public Release 2011 April 27 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Cisco Unified Communications Manager (previously known as Cisco CallManager) contains the following vulnerabilities:
* Three (3) denial of service (DoS) vulnerabilities that affect Session Initiation Protocol (SIP) services
* Directory transversal vulnerability
* Two (2) SQL injection vulnerabilities
Cisco has released free software updates for affected Cisco Unified Communications Manager versions to address the vulnerabilities. A workaround exists only for the SIP DoS vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110427-cucm.shtml
Affected Products
=================
Vulnerable Products
+------------------
The following products are affected by at least one of the vulnerabilities that are described in this advisory:
* Cisco Unified Communications Manager 6.x
* Cisco Unified Communications Manager 7.x
* Cisco Unified Communications Manager 8.x
Note: Cisco Unified Communications Manager version 5.1 reached end of software maintenance on February 13, 2010. Customers who are using Cisco Unified Communications Manager 5.x versions should contact your Cisco support team for assistance in upgrading to a supported version of Cisco Unified Communications Manager.
Products Confirmed Not Vulnerable
+--------------------------------
Cisco Unified Communications Manager version 4.x is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.
Cisco Security Advisory: Cisco Wireless LAN Controllers Denial of Service Vulnerability
Document ID: 112916
Advisory ID: cisco-sa-20110427-wlc
Revision 1.0
For Public Release 2011 April 27 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
The Cisco Wireless LAN Controller (WLC) product family is affected by a denial of service (DoS) vulnerability where an unauthenticated attacker could cause a device reload by sending a series of ICMP packets.
Cisco has released free software updates that address this vulnerability.
There are no available workarounds to mitigate this vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110427-wlc.shtml
Affected Products
=================
Vulnerable Products
+------------------
This vulnerability affects Cisco WLC software versions 6.0 and later. The following products are affected by the vulnerability described in this Security Advisory:
* Cisco 2100 Series Wireless LAN Controllers
* Cisco WLC526 Mobility Express Controller (AIR-WLC526-K9)
* Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)
Note: The Cisco NM-AIR-WLC have reached End-of-Life and End-of-Software Maintenance. Please refer to the following document for more information:
http://www.cisco.com/en/US/prod/collateral/modules/ps2797/prod_end-of-life_notice0900aecd806aeb34.html
Chris Mohan --- Internet Storm Center Handler on Duty