CVE-2019-1867: Cisco Elastic Services Controller REST API Authentication Bypass Vulnerability Alert

Cisco has published an advisory addressing a REST API authentication bypass vulnerability in Cisco Elastic Services Controller (ESC), tracked as CVE-2019-1867. The vulnerability is caused by improper validation of API requests. An attacker could exploit it by sending a crafted request to the REST API.

CVE-2019-1867

A successful attack allows an unauthenticated remote attacker to perform arbitrary operations on the affected system as an administrator through the REST API.

Affected versions

  • Cisco Elastic Services Controller Releases 4.1, 4.2, 4.3, and 4.4, when the REST API is enabled.
  • The REST API is disabled by default.

Unaffected versions

  • Cisco Elastic Services Controller Releases earlier than 4.1
  • Cisco Elastic Services Controller Release 4.5

Solution

Cisco released Cisco Elastic Services Controller version 4.5 to fix this vulnerability. Affected users should upgrade to an unaffected version as soon as possible.