Advisory ID: 15-0013
Publish Date: 2015-12-04
Revision: v1.2 (updated 2016-05-03)
Summary
This security advisory has been published in response to recent public reports of a Java deserialization vulnerability involving the Apache Commons Collections library.
Detailed Description
Following a review of the article noted in the External References section, Mitel has identified that the vulnerability is associated with the Apache Commons Collections library, specifically the InvokerTransformer class and the related Transformer functors. The underlying condition is an application deserializing Java objects from untrusted input: when a vulnerable version of Commons Collections is on that application's classpath, its classes form a "gadget chain" that lets a crafted serialized object execute arbitrary code during deserialization, before the application ever inspects the result. The issue is therefore not a defect in Java serialization itself, but in accepting serialized objects from untrusted sources while the vulnerable library classes are available to be loaded.
The Apache Commons Collections library is used by components and frameworks such as WebLogic, WebSphere, JBoss, Jenkins and OpenNMS. Where a vulnerable version of Apache Commons Collections is present and the component deserializes data from an untrusted source, these components are also potentially vulnerable.
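The following is an added example, not Mitel code and not from the referenced article. It shows the unsafe pattern the description above refers to (an ObjectInputStream that instantiates whatever class the incoming bytes name) beside a look-ahead ObjectInputStream that checks the class name in resolveClass(), which runs before the class is loaded or any of its deserialization hooks execute. The Heartbeat type is a hypothetical application payload; the JDK classes are real. The known gadget package prefixes are refused explicitly, but the allowlist is the actual control, since a denylist of gadget classes is never complete.

```java
import java.io.*;
import java.util.*;

/*
 * Added example (not Mitel code): unsafe deserialization beside a
 * look-ahead ObjectInputStream that refuses unexpected classes before
 * they are instantiated. Heartbeat is a hypothetical payload type.
 */
public class SafeDeserializeDemo {

    /** Hypothetical application object that legitimately travels over the wire. */
    public static final class Heartbeat implements Serializable {
        private static final long serialVersionUID = 1L;
        final String node;
        final long ts;
        Heartbeat(String node, long ts) { this.node = node; this.ts = ts; }
    }

    /** UNSAFE: instantiates whatever class the bytes name. With a vulnerable
     *  Commons Collections on the classpath this is the entry point for the
     *  gadget chain; the attacker needs only to send the right bytes. */
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** HARDENED: resolveClass() is called for every class descriptor in the
     *  stream before that class is loaded, so a refused type never gets a
     *  constructor, readObject() or readResolve() executed. */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
                Heartbeat.class.getName(),
                "java.lang.String", "java.lang.Long", "java.lang.Integer"));
        // Defence in depth only: the allowlist check below is what actually protects.
        private static final String[] DENIED_PREFIXES = {
                "org.apache.commons.collections.functors.",
                "org.apache.commons.collections4.functors."};

        LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String p : DENIED_PREFIXES) {
                if (name.startsWith(p)) {
                    throw new InvalidClassException(name, "known gadget class rejected");
                }
            }
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a legitimate Heartbeat round-trips through the hardened reader.
        byte[] good = serialize(new Heartbeat("node-01", 1449187200L));
        Heartbeat h = (Heartbeat) safeRead(good);
        System.out.println("accepted: " + h.node + " @ " + h.ts);

        // Stand-in for an attacker-chosen type: any class the application did not expect.
        // The unsafe reader happily instantiates it; the hardened reader refuses it
        // before instantiation, which is exactly where a gadget chain would have fired.
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unsafe reader produced: " + unsafeRead(unexpected).getClass().getName());
        try {
            safeRead(unexpected);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("hardened reader rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac SafeDeserializeDemo.java && java SafeDeserializeDemo`; no third-party library is required, because the example demonstrates the check rather than the gadget chain. On Java 9 and later (and 8u121 and later) the same effect can be obtained without subclassing, through the JEP 290 ObjectInputFilter mechanism (`ObjectInputStream.setObjectInputFilter` or the `jdk.serialFilter` system property); removing the vulnerable Commons Collections version from the classpath, or upgrading to a release in which InvokerTransformer is disabled by default, is the complementary fix where the deserialization code cannot be changed.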
Affected Products
Only products using Java, and of those only products that deserialize untrusted input with a vulnerable version of the Commons Collections library (the InvokerTransformer functors) on the classpath, are potentially vulnerable. The following products have been identified as affected: (updated 2016-05-03)
Product Name | Product Versions | Security Bulletin | Last Updated |
MiCollab (AWV) | MiCollab 7.0 (AWV 6.0) | 15-0013-002 | 2016-02-01 |
Mitel Alarm Server | 3.0 | 15-0013-003 | 2016-02-01 |
MiVoice Business - MCD (PPC) | 7.2 and earlier | 15-0013-001 | 2016-02-01 |
MiVoice Business - MCD for ISS | 7.2 and earlier | 15-0013-001 | 2016-02-01 |
MiVoice Business - MCD on Stratus | 7.2 and earlier | 15-0013-001 | 2016-02-01 |
MiVoice Business - MXe Server | 7.2 and earlier | 15-0013-001 | 2016-02-01 |
Virtual MiVoice Communications Directors (vMCD) | 7.2 and earlier | 15-0013-001 | 2016-02-01 |
This section will be updated with Security Bulletins to identify affected products and solutions throughout the investigation.
Products Under Investigation
The following products are being evaluated to determine potential exposure and risk (updated 2016-05-03).
Product Name
BluStar Client (PC)
BluStar Server
Centergy Virtual Contact Center
Clearspan (AudioCodes eSBC / Gateway)
Clearspan (Broadworks Platform)
MiCollab with Voice (vUCC) (MiVoice BusinessExpress)
MiContact Center Office
MiVoice 5602/5603/5604/5606/5607 (DT390, DT690, DT692, DT292, DT590) IP DECT phones (Ascom OEM)
MiVoice 5624 WiFi Phone (Ascom OEM)
MiVoice IP DECT Base Station (IPBS 433/434/430/440) (Ascom OEM)
OpEasy
TA7102i, TA7104i
WSM, WSM-3 (CPDM 3) (Ascom OEM)
This section will be updated with Security Bulletins to identify affected products and solutions throughout the investigation.
Products Not Affected
The following products have been evaluated as not being affected: (updated 2016-05-03)
Product Name
340w and 342w
5000 Call Manager
5000 Compact
5000 Gateway
5300 Series digital
5550 IP Console
6700i, 6800i (Praxis) Series SIP Phones
74XXip (H323 terminal family)
9000i Series (9480i, 9143i, 9133i, 9112i) SIP Phones
A1023i
Aastra 1560ip, 2380ip, 5300ip
AM7450 Management Center
BluStar 8000i
BluStar Android / iOS
Clearspan (Acme Packet Core SBC)
Clearspan (Edgewater eSBC)
CMG
Comdasys Convergence 4675 / 6719
Comdasys MC Client Android / iOS
CPU2 / CPU2-S on Mitel 470 Controller
CT Gateway
D.N.A. Application Suite
DECToverIP (Mitel 100 | OpenCom 100)
DECToverIP (OC1000)
Dialog 5446ip, 4XXXip (H323 terminal family)
ER Adviser
FMC Controller (Comdasys MC Controller, Mitel Mobile Client Controller)
FMC Controller for Intelligate
InAttend
MiCollab (MAS) / (SAS) / vMAs
MiCollab (MCA)
MiCollab Advanced Messaging
MiCollab Client (Desktop/Web)
MiCollab Client (Standalone)
MiCollab Mobile Client (Android / iOS)
MiCollab NuPoint (Speech Auto Attendant, Unified Messaging)
MiContact Center Business / Enterprise
MiContact Center for Microsoft Lync
MiContact Center Live
MiContact Center Outbound
Mitel 700
Mitel 800
Mitel MMC Android / iOS
Mitel100/OpenComX320
MiVoice 5610 DECT Handset and IP DECT Stand
MiVoice Border Gateway (MBG)
MiVoice Business Console
MiVoice Business Dashboard
MiVoice Call Accounting
MiVoice Call Recording
MiVoice Conference Unit (UC360)
MiVoice Digital Phones 8528, 8568
MiVoice for Lync
MiVoice IP Phones 53xx, 5540
MiVoice IP Phones 5560, 5505
MiVoice MX-ONE
MiVoice Office 250 (Mitel 5000)
MiVoice Office 400
MiXML Server
Multi-Instance Communications Director (MiCD)
MX-ONE Manager (System Performance)
MX-ONE Manager (Provisioning)
MX-ONE Manager (Telephony System)
MX-ONE Manager Availability
MX-ONE Media Gateway Unit
MX-ONE Telephony Server
NuPoint UM (Standalone)
Oaisys Talkument
Oaisys Tracer
OIG
Open Interfaces Platform (OIP, OIP WebAdmin)
OpenCom 1000 family
OpenPhone 7x IP
Oria
PointSpan
Redirection and Configuration Service (RCS)
S850i (Revolabs OEM)
Secure IP Remote Management SRM
SIP-DECT
SIP-DECT Open Mobility Manager
SIP-DECT with Cloud-ID
Solidus eCare
SX-200IP ICP
Telephony Switch (TSW)
Telepo
Risk Assessment
The potential risk associated with this vulnerability is considered high: where an affected product deserializes untrusted input, successful exploitation allows arbitrary code execution on the product.
Refer to the product-specific Security Bulletins for mitigation and recommendations.
Mitigation / Recommended Action
Refer to the product-specific Security Bulletins for mitigation and recommendations.
External References
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/