![Cisco Reissues Patches for Critical Bugs in Jabber Video Conferencing Software](/static/build/img/news/cisco-reissues-patches-for-critical-bugs-in-jabber-video-conferencing-software.jpg)
Cisco has once again fixed four previously disclosed critical bugs in its Jabber video conferencing and messaging app that were inadequately addressed, leaving its users susceptible to remote attacks.
The new flaws, which were uncovered after one of its clients requested a verification audit of the patch, affect all currently supported versions of the Cisco Jabber client.
CallCppFunction, which is designed to open files sent by other Cisco Jabber users.
The third and final vulnerability is a command injection flaw concerning protocol handlers, which are used to inform the operating system to open specific URLs in Jabber, making it possible for an attacker to insert arbitrary command-line flags by simply including a space in the URL. Given the self-replicating nature of the attacks, it's advised that Jabber users update to the latest version of the software to mitigate the risk.
Watchcom also recommends that organizations consider disabling communication with external entities through Cisco Jabber until all employees have installed the update.