This vulnerability exists in the mod_proxy module of Apache HTTP Server (httpd). It could allow an unauthenticated, remote attacker to make the httpd server forward requests to an arbitrary server.
A successful exploit could allow the attacker to get, modify, or delete resources on other services that may be inaccessible otherwise.
The products impacted by this vulnerability are:
- Cisco Expressway Series (Expressway-E)
- Cisco TelePresence Video Communication Server (VCS) (VCS-E).
A full description of the vulnerability impacting all Cisco products is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ
What you need to do:
1. Confirm whether you are running either of the impacted products:
- Cisco Expressway Series (Expressway-E)
- Cisco TelePresence Video Communication Server (VCS) (VCS-E).
2. The vulnerability exists if you are running the above-mentioned products on version X14.0.3 or older and you have the WebRTC solution configured and active.
3. In this scenario, either:
- apply the ‘Workaround’ described in Cisco’s bug case CSCwa01545 ‘Customer reporting vulnerability of CVE-2021-40438 on Expressway X14.PA10’
- download version X14.0.4.
If WebRTC is not active, you are not subject to this vulnerability.
4. If you do not take any action, your products will remain vulnerable to the attacks described in the ‘Overview’ section of this communication.