Details of VAR-201612-0484

ID

VAR-201612-0484

CVE

CVE-2016-9223

TITLE

Cisco CloudCenter Orchestrator of Docker Engine Have high authority in Docker Vulnerability to install containers

Trust: 0.8

sources: JVNDB: JVNDB-2016-006515

DESCRIPTION

A vulnerability in the Docker Engine configuration of Cisco CloudCenter Orchestrator (CCO; formerly CliQr) could allow an unauthenticated, remote attacker to install Docker containers with high privileges on the affected system. Affected Products: This vulnerability affect all releases of Cisco CloudCenter Orchestrator (CCO) deployments where the Docker Engine TCP port 2375 is open on the system and bound to local address 0.0.0.0 (any interface). Cisco CloudCenter Orchestrator is prone to a privilege-escalation vulnerability. An attacker may exploit this issue to gain root privileges on the affected device; this can also result in the attacker gaining complete control of the affected system. Cisco CloudCenter is a set of hybrid cloud management platform solutions from Cisco. The solution supports application migration, DevOps automation across multiple cloud environments, and dynamic expansion within or between clouds. Orchestrator is an orchestrator component used in it. Docker Engine is one of the container engine extensions. The vulnerability is caused by the incorrect configuration file of the program

Trust: 2.07

sources: NVD: CVE-2016-9223 // JVNDB: JVNDB-2016-006515 // BID: 95024 // VULHUB: VHN-98043 // VULMON: CVE-2016-9223

AFFECTED PRODUCTS

vendor:	cisco	model:	cloudcenter orchestrator	scope:	eq	version:	4.5.0	Trust: 1.6
vendor:	cisco	model:	cloudcenter orchestrator	scope:	eq	version:	4.6.1	Trust: 1.6
vendor:	cisco	model:	cloudcenter orchestrator	scope:	eq	version:	4.6.0	Trust: 1.6
vendor:	cisco	model:	cloudcenter orchestrator	scope:	eq	version:	4.4.0	Trust: 1.6
vendor:	cisco	model:	cloudcenter orchestrator	scope:	eq	version:	all releases	Trust: 0.8
vendor:	cisco	model:	cloudcenter orchestrator	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	cloudcenter orchestrator	scope:	ne	version:	4.6.2	Trust: 0.3

sources: BID: 95024 // JVNDB: JVNDB-2016-006515 // CNNVD: CNNVD-201612-622 // NVD: CVE-2016-9223

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-9223
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-9223
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201612-622
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-98043
value:	HIGH
Trust: 0.1
VULMON:	CVE-2016-9223
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-9223
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-98043
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-9223
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-98043 // VULMON: CVE-2016-9223 // JVNDB: JVNDB-2016-006515 // CNNVD: CNNVD-201612-622 // NVD: CVE-2016-9223

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-98043 // JVNDB: JVNDB-2016-006515 // NVD: CVE-2016-9223

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201612-622

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201612-622

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-006515

PATCH

title:	cisco-sa-20161221-cco	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161221-cco	Trust: 0.8
title:	Cisco CloudCenter Orchestrator Docker Engine Fixing security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66644	Trust: 0.6
title:	Threatpost	url:	https://threatpost.com/cisco-critical-update-phishing-webex/154585/	Trust: 0.1

sources: VULMON: CVE-2016-9223 // JVNDB: JVNDB-2016-006515 // CNNVD: CNNVD-201612-622

EXTERNAL IDS

db:	NVD	id:	CVE-2016-9223	Trust: 2.9
db:	BID	id:	95024	Trust: 2.1
db:	JVNDB	id:	JVNDB-2016-006515	Trust: 0.8
db:	CNNVD	id:	CNNVD-201612-622	Trust: 0.7
db:	VULHUB	id:	VHN-98043	Trust: 0.1
db:	VULMON	id:	CVE-2016-9223	Trust: 0.1

sources: VULHUB: VHN-98043 // VULMON: CVE-2016-9223 // BID: 95024 // JVNDB: JVNDB-2016-006515 // CNNVD: CNNVD-201612-622 // NVD: CVE-2016-9223

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20161221-cco	Trust: 2.1
url:	http://www.securityfocus.com/bid/95024	Trust: 1.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9223	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-9223	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/264.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/cisco-critical-update-phishing-webex/154585/	Trust: 0.1

sources: VULHUB: VHN-98043 // VULMON: CVE-2016-9223 // BID: 95024 // JVNDB: JVNDB-2016-006515 // CNNVD: CNNVD-201612-622 // NVD: CVE-2016-9223

CREDITS

Cisco

Trust: 0.9

sources: BID: 95024 // CNNVD: CNNVD-201612-622

SOURCES

db:	VULHUB	id:	VHN-98043
db:	VULMON	id:	CVE-2016-9223
db:	BID	id:	95024
db:	JVNDB	id:	JVNDB-2016-006515
db:	CNNVD	id:	CNNVD-201612-622
db:	NVD	id:	CVE-2016-9223

LAST UPDATE DATE

2025-04-13T23:21:03.708000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-98043	date:	2017-01-03T00:00:00
db:	VULMON	id:	CVE-2016-9223	date:	2017-01-03T00:00:00
db:	BID	id:	95024	date:	2017-01-12T00:04:00
db:	JVNDB	id:	JVNDB-2016-006515	date:	2017-01-06T00:00:00
db:	CNNVD	id:	CNNVD-201612-622	date:	2017-01-04T00:00:00
db:	NVD	id:	CVE-2016-9223	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-98043	date:	2016-12-26T00:00:00
db:	VULMON	id:	CVE-2016-9223	date:	2016-12-26T00:00:00
db:	BID	id:	95024	date:	2016-12-21T00:00:00
db:	JVNDB	id:	JVNDB-2016-006515	date:	2017-01-06T00:00:00
db:	CNNVD	id:	CNNVD-201612-622	date:	2016-12-22T00:00:00
db:	NVD	id:	CVE-2016-9223	date:	2016-12-26T08:59:00.207