Cisco has revealed a critical vulnerability affecting its license manager product that could allow remote attackers to execute arbitrary SQL queries.
Cisco Prime License Manager (PLM) is an enterprise-wide management tool that handles licensing fulfilment, supports allocation and reconciliation of licenses across supported products and offers enterprise-level usage and entitlement reporting.
The vendor said the vulnerability was caused by the lack of proper validation of user-supplied input in SQL queries.
An attacker could exploit the vulnerability by sending crafted HTTP POST requests containing SQL statements to an affected application, allowing them to modify and delete arbitrary data in the PLM database or gain shell access with Postgres user privileges.
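The flaw described above is a classic SQL injection: user-supplied input is spliced into query text instead of being passed as a bound parameter. The following added example (not Cisco's code; it uses an in-memory SQLite table as a stand-in for the PLM PostgreSQL database, and the `licenses` table, the `product` field and the `handle_post` parser are constructed for illustration) puts the vulnerable pattern beside two defences: a parameterized query, and allowlist validation of the POST body before it ever reaches the database layer.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the application database (assumption: SQLite is
# used only so the example runs offline; the pattern is identical on Postgres).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE licenses (id INTEGER PRIMARY KEY, product TEXT, count INTEGER)"
    )
    conn.executemany(
        "INSERT INTO licenses (product, count) VALUES (?, ?)",
        [("CUCM", 100), ("Unity", 50)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, product):
    # Untrusted input is concatenated straight into the SQL text, so a quote
    # character in `product` changes the structure of the query.
    sql = "SELECT product, count FROM licenses WHERE product = '" + product + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, product):
    # The driver sends the value separately from the statement; whatever the
    # input contains, it is compared as data and can never alter the query.
    sql = "SELECT product, count FROM licenses WHERE product = ?"
    return conn.execute(sql, (product,)).fetchall()


# Allowlist for a product identifier: letters, digits, underscore, hyphen.
PRODUCT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def handle_post(conn, body):
    """Simulate the server side of an HTTP POST: parse the form body, validate
    the field against an allowlist, then query with a bound parameter.
    Raises ValueError for anything that fails validation."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("product", [])
    if len(values) != 1 or not PRODUCT_RE.match(values[0]):
        raise ValueError("invalid product parameter")
    return lookup_parameterized(conn, values[0])


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote: the concatenated query returns
    # every row, the parameterized query returns none.
    crafted = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))
    print("parameterized:", lookup_parameterized(db, crafted))
    print("validated POST:", handle_post(db, "product=CUCM"))
```

The two defences are complementary: parameterization removes the injection primitive entirely, while input validation at the HTTP layer rejects malformed requests early and gives you a clean event to log and alert on.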
The vulnerability affects users running PLM versions 11.0.1 or later, including standalone deployments and installations bundled with Cisco Unified Communications Manager and Cisco Unity Connection.
Cisco Unified Communications Manager and Cisco Unity Connection versions 12.0 are not affected, however, as PLM is no longer included in those releases. Users of older versions of those products can disable PLM when logged in as an admin user.
The company released a software update on Tuesday to address the issue, saying there was no workaround for the vulnerability; the update and further details are available in Cisco's advisory.