Cisco fixes a critical flaw in its software license manager

This week, Cisco said it patched a “critical” vulnerability in its Prime License Manager (PLM) software that would allow attackers to run arbitrary SQL queries.

Cisco Prime License Manager provides enterprise-wide, user-based license management, including license fulfillment.

Released in November, the first version of the Prime License Manager patch caused its own “functional” issues that Cisco was later forced to fix. This patch, called ciscocm.CSCvk30822_v1.0.k3.cop.sgn, fixed the SQL vulnerability but caused backup, upgrade and restore issues, and should no longer be used, Cisco said.

Cisco wrote that “customers who have already installed the ciscocm.CSCvk30822_v1.0.k3.cop.sgn patch should be upgraded to patch ciscocm.CSCvk30822_v2.0.k3.cop.sgn to resolve functional issues. Installing the v2.0 patch will first roll back the v1.0 patch and then install the v2.0 patch.”

As for the vulnerability that triggered this process, Cisco claims that it “is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending specially crafted HTTP POST requests containing malicious SQL statements to an affected application. A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with postgres [SQL] user privileges.”
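To make the bug class Cisco describes concrete, here is an added example (not Cisco's code and not PLM's schema; the `licenses` table, the rows and the field names are constructed for illustration): a lookup that splices an HTTP POST field straight into the SQL text, beside the same lookup hardened with an allowlist check on the input and parameter binding. SQLite stands in for the PostgreSQL database so it runs offline.

```python
import re
import sqlite3

# Constructed sample data standing in for a license database (not Cisco's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (user TEXT, product TEXT, seats INTEGER)")
    conn.executemany("INSERT INTO licenses VALUES (?, ?, ?)",
                     [("alice", "plm", 10), ("bob", "ucm", 25), ("carol", "plm", 5)])
    conn.commit()
    return conn

def lookup_vulnerable(conn, user):
    # The POST field is formatted into the statement, so it is parsed as SQL.
    # A quote character in the input ends the string literal and the remainder
    # becomes part of the WHERE clause: "lack of proper validation" in Cisco's words.
    sql = f"SELECT user, product, seats FROM licenses WHERE user = '{user}'"
    return conn.execute(sql).fetchall()

# Allowlist for the field: usernames are short and alphanumeric (assumed policy).
USER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def lookup_safe(conn, user):
    # Defense 1: reject anything outside the expected character set up front.
    if not USER_RE.fullmatch(user):
        raise ValueError("rejected user field")
    # Defense 2: parameter binding. The driver sends the value separately from the
    # statement text, so even a passing input can never alter the query structure.
    sql = "SELECT user, product, seats FROM licenses WHERE user = ?"
    return conn.execute(sql, (user,)).fetchall()

def compare(user):
    """Run both lookups on a fresh database; the safe one returns None when it rejects input."""
    conn = make_db()
    vulnerable = lookup_vulnerable(conn, user)
    try:
        safe = lookup_safe(conn, user)
    except ValueError:
        safe = None
    return vulnerable, safe

if __name__ == "__main__":
    print(compare("alice"))          # both paths return alice's single row
    print(compare("x' OR '1'='1"))   # constructed input: vulnerable path leaks every row
```

With the benign field both paths agree; with the constructed quote-closing input the vulnerable query returns all three rows, while the hardened path rejects the field before any SQL is built.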

The vulnerability affects Cisco Prime License Manager versions 11.0.1 and later.


Copyright © 2018 IDG Communications, Inc.