Cisco has shipped fixed software for a critical bug in its Expressway Series and TelePresence Video Communication Server (VCS) products, nine months after it was first disclosed.
The bugs, in the APIs and web-based management consoles of the two products, were partially fixed last July.
CVE-2022-20812 is the API bug, which allowed an authenticated remote administrator to overwrite operating system files as root.
CVE-2022-20813 allowed an unauthenticated remote attacker in a man-in-the-middle position to intercept traffic between devices and then use a crafted certificate to impersonate an endpoint.
“A successful exploit could allow the attacker to view the intercepted traffic in clear text or alter the contents of the traffic”, Cisco’s advisory stated.
That advisory has been updated to advise customers that version 14.0.7 of the software, released last July, offered “a partial fix” to the problem.
“For full protection, customers should upgrade to Release 14.3 or higher,” the advisory stated, adding that the fully patched version will ship later this month.

