Americas
Oceania
Advisory ID: 16-0013
Publish Date: 2016-07-05
Revision: 1.01
Summary
Multiple vulnerabilities have been identified in specific versions of OpenSSL.
Detailed Description
The following CVEs have been issued against specific versions of the OpenSSL 1.0.1 and 1.0.2 cryptographic libraries:
CVE-2016-2105
CVE-2016-2106
CVE-2016-2107
CVE-2016-2108
CVE-2016-2109
CVE-2016-2176
Four of these vulnerabilities are noted by the CVE as being of moderate or high risk:
CVE-2016-0799
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.
CVE-2016-2108
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
CVE-2016-2109
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
CVE-2016-2842
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.
Affected Products
Mitel is not aware of any specific products being vulnerable. However, all Linux and MSL-based products that include the OpenSSL library are potentially affected.
Security Bulletins are being issued for the following products:
Product Name | Product Versions | Security Bulletin | Last Updated |
MiCollab AWV | AWV 6.1 (6.1.0.28) AWV 6.0 (6.0.0.61) AWV 5.0 (5.0.5.7) |
16-0013-001 | 2016-07-05 |
MiCollab Client | 7.1 7.0 6.0 and earlier |
16-0013-001 | 2016-07-05 |
MiCollab NPM | NPM 8 SP1 (18.1.0.23) NPM 8 (18.0.0.49) NPM 7 SP2 (17.2.0.3) |
16-0013-001 | 2016-07-05 |
Mitel Standard Linux | 10.5.50.0 and earlier 10.4.15.0 and earlier 10.3.39.0 and earlier 10.1.50.0 and earlier |
16-0013-003 | 2016-07-05 |
MiVoice Business for Industry Standard Server, VMware Virtual Appliance, Multi-instance platform, 3300 Controllers |
All | 16-0013-002 | 2016-07-05 |
MiVoice Business for Stratus | All | 16-0013-002 | 2016-07-05 |
Server Manager for MiVoice Business for Industry Standard Server, VMware Virtual Appliance, Multi-instance platform |
All | 16-0013-002 | 2016-07-05 |
This list will be updated as additional Security Bulletins are published.
Products Under Investigation
All Enterprise products are being evaluated for these vulnerabilities. This advisory will be updated with additional information as it becomes available.
Products not Affected
OpenSSL is not included in Mitel products for use on Microsoft Windows.
Risk Assessment
The noted vulnerabilities carry varied levels of risk, ranging from low to high. Please refer to the product specific Security Bulletins for additional statements of risk.
Mitigation / Recommended Action
Newer product releases introduce security fixes for these and other identified issues. Customers are advised to update their Mitel products to newer releases when available. Please refer to the product-specific Security Bulletins for product-specific details.For Operating System platforms not provided or managed by Mitel, customers are advised to contact their Operating System vendor for further guidance.
External References
https://openssl.org/news/secadv/20160503.txt
Related CVEs
CVE-2016-2105
CVE-2016-2106
CVE-2016-2107
CVE-2016-2108
CVE-2016-2109
CVE-2016-2176
CVE-2016-2842