Multiple Oracle Java Vulnerabilities

Advisory ID: 15-0013
Publish Date: 2015-12-04
Revision: v1.2 (updated 2016-05-03)

Summary

Specific versions of Oracle Java were identified as being affected by multiple vulnerabilities of varied risk. This Security Advisory provides additional details on these vulnerabilities in the event that Mitel products are confirmed to be affected.

Detailed Description

25 different CVEs were identified as applicable to multiple versions of Java. Attack vectors, deployment considerations and severity vary for each CVE. As some Mitel products use Java, an investigation was launched to identify any Mitel products that might be affected and to deliver solutions where required.

The following CVEs were identified as applicable to Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51:

CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4903, CVE-2015-4911

The following CVEs were identified as applicable to Oracle Java SE 6u95, 7u80, and 8u45:

CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-2601

Affected Products

The following products have been identified as being affected (updated 2016-05-02):

Product Name | Product Versions | Security Bulletin | Last Updated
Oria | Oria 4.0, 4.0 SP1 (4.0.39.0, 4.0.112.0) | 15-0012-008 | 2016-05-02
CMG | CMG 8.2 SP1 and earlier | 15-0012-006 | 2016-02-01
InAttend | InAttend 2.2 and earlier | 15-0012-006 | 2016-02-01
MiCollab Client Server | MAS 6.0 SP1 (UCA 6.0 SP4); MAS 6.0 SP2 (UCA 6.0 SP5) | 15-0012-002 | 2016-03-07
MiCollab MCA | MAS 6.0 SP2 (AWV 5.0 SP5); MAS 6.0 SP1 (AWV 5.0 SP4) | 15-0012-001 | 2016-02-01
MiCollab with Voice (vUCC) (MiVoice Business Express) | MiCV 6.0 SP1 & SP2 (6.0.123.0, 6.0.205.0, 6.0.207.0) | 15-0012-004 | 2016-02-01
MiCollab NuPoint UM / NuPoint UM Standalone | 17.2.0.3, 17.1.0.11 | 15-0012-003 | 2016-02-01
Mitel Alarm Server | 3.0 | 15-0012-005 | 2016-02-01
MiVoice MX-ONE / Express / SAAS (MX-ONE Provisioning Manager; MX-ONE Service Node Manager) | 6.0 SP2 and earlier (SLES 11 SP3/SP4) | 15-0012-007 | 2016-02-01
MX-ONE Telephony System / Mitel 700 (MX-ONE Manager Provisioning; MX-ONE Manager Telephony System) | 5.0 SP7 and earlier (SLES 10 SP4) | 15-0012-007 | 2016-02-01

This section will be updated with Security Bulletins to identify affected products and solutions throughout the investigation.

Products Under Investigation

The following products are being evaluated to determine potential exposure and risk (updated 2016-05-02).

Product Name

BluStar Client (PC)

BluStar Server

Centergy Virtual Contact Center

Clearspan (AudioCodes eSBC / Gateway)

Clearspan (Broadworks Platform)

MiCollab with Voice (vUCC) (MiVoice BusinessExpress)

MiContact Center Office

MiVoice 5602/5603/5604/5606/5607 (DT390, DT690, DT692, DT292, DT590) IP DECT phones (Ascom OEM)

MiVoice 5624 WiFi Phone (Ascom OEM)

MiVoice IP DECT Base Station (IPBS 433/434/430/440) (Ascom OEM)

OpEasy

TA7102i, TA7104i

WSM, WSM-3 (CPDM 3) (Ascom OEM)

This section will be updated with Security Bulletins to identify affected products and solutions throughout the investigation.

Products Not Affected

The following products have been evaluated as not being affected (updated 2016-05-03):

Product Name

BluStar Server

Centergy Virtual Contact Center

Clearspan (Acme Packet Core SBC)

Clearspan (AudioCodes eSBC / Gateway)

Clearspan (Broadworks Platform)

Clearspan (Edgewater eSBC)

D.N.A. Application Suite

MiContact Center Office

MiVoice 5602/5603/5604/5606/5607 (DT390, DT690, DT692, DT292, DT590) IP DECT phones (Ascom OEM)

MiVoice 5624 WiFi Phone (Ascom OEM)

MiVoice Business - MCD for ISS

MiVoice Business - MXe Server

MiVoice Call Recording

MiVoice Conference Unit (UC360)

MiVoice IP DECT Base Station (IPBS 433/434/430/440) (Ascom OEM)

MiVoice MX-ONE

Multi-Instance Communications Director (MiCD)

Oaisys Talkument

Oaisys Tracer

OpEasy

TA7102i, TA7104i

Virtual MiVoice Communications Director (vMCD)

WSM, WSM-3 (CPDM 3) (Ascom OEM)

This list will be updated with additional information as it becomes available.

Products Not Affected

Only Java-enabled products using Oracle Java are potentially affected. The following products have been identified as not being affected because they do not use Java, do not use Oracle Java, or do not use the affected versions of Oracle Java (updated 2016-03-07):

Product Name

3250
340w and 342w
5000 Call Manager
5000 Compact
5000 Gateway
5300 series digital
5550 IP Console
6700i, 6800i (Praxis) Series SIP Phones
74XXip (H323 terminal family)
9000i Series (9480i, 9143i, 9133i, 9112i) SIP Phones
A1023i
Aastra 1560ip / 2380ip / 5300ip
AM7450 Management Center
BluStar 8000i
BluStar Android / iOS
BluStar Client (PC)
Comdasys MC Client Android / iOS
Comdasys Convergence 4675
Comdasys Convergence 6719
CPU2 / CPU2-S on Mitel 470 Controller
CT Gateway
D.N.A. Application Suite
DECToverIP (Mitel 100 | OpenCom 100)
DECToverIP (OC1000)
Dialog 5446ip, 4XXXip (H323 terminal family)
ER Adviser
FMC Controller (Comdasys MC Controller, Mitel Mobile Client Controller)
FMC Controller for Intelligate
MiCollab (MAS) / (SAS) / vMAs
MiCollab Mobile Client (iOS)
MiContact Center Business / Enterprise
MiContact Center Live
MiCollab Client (Desktop/Web)
MiCollab Mobile Client (Android)
MiContact Center for Microsoft Lync
MiContact Center Outbound
Mitel 800
Mitel MMC Android / iOS
Mitel100/OpenComX320
MiVoice 5610 DECT Handset and IP DECT Stand
MiVoice Border Gateway (MBG)
MiVoice Business - MCD (PPC)
MiVoice Business - MCD on Stratus
MiVoice Business Console
MiVoice Business Dashboard (CSM)
MiVoice Call Accounting
MiVoice Digital Phones 8528, 8568
MiVoice IP Phones 53xx, 5540
MiVoice IP Phones 5560, 5505
MiVoice Office 250 (Mitel 5000)
MiVoice for Lync
MiVoice Office 400
MiXML server
OIG
OneBox FaxMail
OneBox VoiceMail
Open Interfaces Platform (OIP, OIP WebAdmin)
OpenCom 1000 family
OpenPhone 7x IP
PointSpan
Redirection and Configuration Service (RCS)
S850i (Revolabs OEM)
Secure IP Remote Management SRM
SIP-DECT
SIP-DECT Open Mobility Manager
SIP-DECT with Cloud-ID
Solidus eCare
SX-200IP ICP
Telephony Switch (TSW)
Telepo

This list will be updated with additional information as it becomes available.

Risk Assessment

The vendor of the affected Java versions has assigned varied levels of risk for each of the individual CVEs. The level of risk will be assessed individually for Mitel products should the vulnerable versions of Java be confirmed to be in use. Please refer to the product specific Security Bulletins for additional statements of risk.

Mitigation / Recommended Action

Please refer to the product-specific Security Bulletins for mitigation and recommendations.

As a best practice, it is recommended to keep Java installations up to date on open client workstations and servers where the system is maintained by the customer environment rather than by Mitel. Please refer to the links provided below for more information.
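To support that best practice, the following added example (not part of this advisory or of any Mitel tooling) triages `java -version` output collected from workstations and servers against the Oracle Java SE update levels listed in this advisory. It assumes the listed update level and every earlier update of the same major release are in scope, and that Oracle builds print "java version" while OpenJDK builds print "openjdk version"; the inventory lines are constructed samples.

```python
import re

# Highest affected update level per Java major release, as listed in this advisory:
# October 2015 set: Oracle Java SE 6u101, 7u85, 8u60 (plus Java SE Embedded 8u51);
# July 2015 set: Oracle Java SE 6u95, 7u80, 8u45. Assumption: the listed level and
# every earlier update of that major release are in scope.
AFFECTED_OCT2015 = {6: 101, 7: 85, 8: 60}
AFFECTED_JUL2015 = {6: 95, 7: 80, 8: 45}

# Pre-Java-9 version line, e.g. java version "1.8.0_60" / openjdk version "1.8.0_66"
VERSION_RE = re.compile(r'^(java|openjdk) version "1\.(\d)\.0_(\d+)')

def parse_java_version(first_line):
    """Return (tag, major, update) from the first line of `java -version`, or None."""
    m = VERSION_RE.match(first_line.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))

def classify(first_line):
    """Map a `java -version` first line to an advisory status string."""
    parsed = parse_java_version(first_line)
    if parsed is None:
        return "unparsed"            # e.g. Java 9+ version format; review by hand
    tag, major, update = parsed
    if tag != "java":
        return "not-oracle"          # OpenJDK build; outside this advisory's scope
    if major not in AFFECTED_OCT2015:
        return "out-of-scope"        # major release not listed in the advisory
    if update <= AFFECTED_JUL2015[major]:
        return "affected-both-sets"  # at or below 6u95 / 7u80 / 8u45
    if update <= AFFECTED_OCT2015[major]:
        return "affected-oct2015"    # at or below 6u101 / 7u85 / 8u60
    return "above-listed"

# Constructed sample inventory: host name -> first line of `java -version` output.
SAMPLE_INVENTORY = {
    "host-a": 'java version "1.8.0_60"',
    "host-b": 'java version "1.7.0_80"',
    "host-c": 'java version "1.8.0_66"',
    "host-d": 'openjdk version "1.8.0_66"',
}

def triage(inventory):
    """Return {host: status} for every host in the inventory."""
    return {host: classify(line) for host, line in inventory.items()}
```

Calling triage(SAMPLE_INVENTORY) returns the per-host status; feed it the real first line of `java -version` from each managed system to produce a patch worklist.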

External References

CVE-2015-4731
CVE-2015-4732
CVE-2015-4733
CVE-2015-4734
CVE-2015-4748
CVE-2015-4760
CVE-2015-4803
CVE-2015-4805
CVE-2015-4806
CVE-2015-4835
CVE-2015-4840
CVE-2015-4842
CVE-2015-4843
CVE-2015-4844
CVE-2015-4860
CVE-2015-4872
CVE-2015-4881
CVE-2015-4882
CVE-2015-4883
CVE-2015-4893
CVE-2015-4903
CVE-2015-4911