Mitel Product Security Advisory OBSO-2407-3

Mitel Product Security Advisory OBSO-2407-03

Unify OpenScape 4000 Assistant and Unify OpenScape 4000 Manager Command Injection Vulnerability

Advisory ID: OBSO-2407-03

Publish Date: 2024-07-17

Last Updated: 2024-07-17

Revision: 1.0

Summary

A command injection vulnerability in the Unify OpenScape 4000 Assistant and Unify OpenScape 4000 Manager, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit of this vulnerability could allow an attacker to execute arbitrary commands within the container of the impacted component, with a potential impact on the confidentiality, integrity, and availability of the system.

The vulnerability severity is rated as critical.

Credit and thanks are extended to Dr. Oliver Matula, Tim Kornhuber and Andreas Wagner of DB Systel GmbH for highlighting this issue and bringing it to our attention.

Affected Products

Product statements are related only to supported product versions. Products which have reached End of Support (M44) status are not considered.

Products confirmed affected

Product Name

Product Version

Available Solution(s)

Unify OpenScape 4000 Assistant

V11 R0.22 and earlier

For version V10 R1.42 upgrade to fixed version OS4K Assistant Hotfix V10 R1.42.8 or later
For version V11 R0.22 upgrade to fixed version OS4K Assistant Hotfix V11 R0.22.2 or later

Unify OpenScape 4000 Manager

V11 R0.22 and earlier

For version V10 R1.42 upgrade to fixed version OS4K Manager Hotfix V10 R1.42.8 or later
For version V11 R0.22 upgrade to fixed version OS4K Manager Hotfix V11 R0.22.2 or later

Risk Assessment

CVSS3.1 Base score: 9.8 (Critical)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Mitigation / Recommended Action

Customers with affected product versions are advised to update the systems with the available fixes

Revision History

Version	Date	Description
1.0	2024-07-17	Initial release

Advisory: OBSO-2407-03, status: general release
Security Advisories are released as part of Mitel Unify's Vulnerability Intelligence Process. For more information see https://www.mitel.com/support/security-advisories.

Contact and Disclaimer

Mitel Product Security Office
[email protected]
© Unify Software and Solutions GmbH & Co. KG 2024
Otto-Hahn-Ring 6
D-81739 München
www.mitel.com

The information provided in this document contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and technical specifications are subject to change without notice.
Unify, OpenScape, OpenStage and HiPath are registered trademarks of Unify Software and Solutions GmbH & Co. KG.

All other company, brand, product, and service names are trademarks or registered trademarks of their respective holders

First Name

Last Name

Email Address

Relationship to Mitel

By providing the above information, you agree that we may process your personal data in accordance with our Privacy Policy.

Do you agree to the terms and conditions of using our services?