Americas
Oceania
Sélectionnez la région / le pays / la langue
Advisory ID: 15-0013
Publish Date: 2015-12-04
Revision: v1.2 (updated 2016-05-03)
Summary
Specific versions of Java were identified as being vulnerable to multiple vulnerabilities of varied risk. This Security Advisory will provide additional details on these vulnerabilities in the event Mitel products are confirmed to be affected.
Detailed Description
25 different CVEs were identified as applicable to multiple versions of Java. Attack vectors, deployment considerations and severity vary for each CVE. As some Mitel products use Java, an investigation was launched to identify any Mitel products that might be affected, and deliver solutions as might be required.
The following CVEs were identified as applicable to Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51:
CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4903, CVE-2015-4911
The following CVEs were identified as applicable to Oracle Java SE 6u95, 7u80, and 8u45:
CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-2601
Affected Products
The following products have been identified as being affected (updated 2016-05-02):
Product Name | Product Versions | Security Bulletin | Last Updated |
Oria | Oria 4.0, 4.0 SP1 (4.0.39.0, 4.0.112.0) |
15-0012-008 |
2016-05-02 |
CMG | CMG 8.2 SP1 and earlier |
15-0012-006 |
2016-02-01 |
InAttend | InAttend 2.2 and earlier |
15-0012-006 |
2016-02-01 |
MiCollab Client Server | MAS 6.0 SP1 (UCA 6.0 SP4) MAS 6.0 SP2 (UCA 6.0 SP5) |
15-0012-002 | 2016-03-07 |
MiCollab MCA |
MAS 6.0 SP2 (AWV 5.0 SP5) MAS 6.0 SP1 (AWV 5.0 SP4) |
15-0012-001 | 2016-02-01 |
MiCollab with Voice (vUCC) | MiCV 6.0 SP1 & SP2 |
15-0012-004 |
2016-02-01 |
MiVoice Business Express) |
(6.0.123.0, 6.0.205.0, 6.0.207.0) | ||
MiCollab NuPoint UM / NuPoint UM Standalone | 17.2.0.3, 17.1.0.11 | 15-0012-003 |
2016-02-01 |
Mitel Alarm Server |
3.0 | 15-0012-005 |
2016-02-01 |
MiVoice MX-ONE / Express / SAAS - MX-ONE Service Node Manager |
6.0 SP2 and earlier (SLES 11 SP3/SP4) |
15-0012-007 |
2016-02-01 |
MX-ONE Telephony System / Mitel 700 - MX-ONE Manager Provisioning |
5.0 SP7 and earlier (SLES 10 SP4) |
15-0012-007 |
2016-02-01 |
This section will be updated with Security Bulletins to identify affected products and solutions throughout the investigation.
Products Under Investigation
The following products are being evaluated to determine potential exposure and risk (updated 2016-05-02)..
Product Name
BluStar Client (PC)
BluStar Server
Centergy Virtual Contact Center
Clearspan (AudioCodes eSBC / Gateway)
Clearspan (Broadworks Platform)
MiCollab with Voice (vUCC) (MiVoice BusinessExpress)
MiContact Center Office
MiVoice 5602/5603/5604/5606/5607 (DT390, DT690, DT692, DT292, DT590) IP DECT phones (Ascom OEM)
MiVoice 5624 WiFi Phone (Ascom OEM)
MiVoice IP DECT Base Station (IPBS 433/434/430/440) (Ascom OEM)
OpEasy
TA7102i, TA7104i
WSM, WSM-3 (CPDM 3) (Ascom OEM)
This section will be updated with Security Bulletins to identify affected products and solutions throughout the investigation.
Products Not Affected
The following products have been evaluated as not being affected: (updated 2016-05-03)
Product Name
BluStar Server
Centergy Virtual Contact Center
Clearspan (Acme Packet Core SBC)
Clearspan (AudioCodes eSBC / Gateway)
Clearspan (Broadworks Platform)
Clearspan (Edgewater eSBC)
D.N.A. Application Suite
MiContact Center Office
MiVoice 5602/5603/5604/5606/5607 (DT390, DT690, DT692, DT292, DT590) IP DECT phones (Ascom OEM)
MiVoice 5624 WiFi Phone (Ascom OEM)
MiVoice Business - MCD for ISS
MiVoice Business - MXe Server
MiVoice Call Recording
MiVoice Conference Unit (UC360)
MiVoice IP DECT Base Station (IPBS 433/434/430/440) (Ascom OEM)
MiVoice MX-ONE
Multi-Instance Communications Director (MiCD)
Oaisys Talkument
Oaisys Tracer
OpEasy
TA7102i, TA7104i
Virtual MiVoice Communications Director (vMCD)
WSM, WSM-3 (CPDM 3) (Ascom OEM)
This list will be updated with additional information as it becomes available.
Products not Affected
Only Java enabled products using Oracle Java are potentially affected. The following products have been identified as not being affected as they do not use Java, Oracle Java, or the affected versions of Oracle Java (updated 2016-03-07):
Product Name
3250
340w and 342w
5000 Call Manager
5000 Compact
5000 Gateway
5300 series digital
5550 IP Console
6700i, 6800i (Praxis) Series SIP Phones
74XXip (H323 terminal family)
9000i Series (9480i, 9143i, 9133i, 9112i) SIP Phones
A1023i
Aastra 1560ip / 2380ip / 5300ip
AM7450 Management Center
BluStar 8000i
BluStar Android / iOS
BluStar Client (PC)
Comdasys MC Client Android / iOS
Comdasys Convergence 4675
Comdasys Convergence 6719
CPU2 / CPU2-S on Mitel 470 Controller
CT Gateway
D.N.A. Application Suite
DECToverIP (Mitel 100 | OpenCom 100)
DECToverIP (OC1000)
Dialog 5446ip, 4XXXip (H323 terminal family)
ER Adviser
FMC Controller (Comdasys MC Controller, Mitel Mobile Client Controller)
FMC Controller for Intelligate
MiCollab (MAS) / (SAS) / vMAs
MiCollab Mobile Client (iOS)
MiContact Center Business / Enterprise
MiContact Center Live
MiCollab Client (Desktop/Web)
MiCollab Mobile Client (Android)
MiContact Center for Microsoft Lync
MiContact Center Outbound
Mitel 800
Mitel MMC Android / iOS
Mitel100/OpenComX320
MiVoice 5610 DECT Handset and IP DECT Stand
MiVoice Border Gateway (MBG)
MiVoice Business - MCD (PPC)
MiVoice Business - MCD on Stratus
MiVoice Business Console
MiVoice Business Dashboard (CSM)
MiVoice Call Accounting
MiVoice Digital Phones 8528, 8568
MiVoice IP Phones 53xx, 5540
MiVoice IP Phones 5560, 5505
MiVoice Office 250 (Mitel 5000)
MiVoice for Lync
MiVoice Office 400
MiXML server
OIG
OneBox FaxMail
OneBox VoiceMail
Open Interfaces Platform (OIP, OIP WebAdmin)
OpenCom 1000 family
OpenPhone 7x IP
PointSpan
Redirection and Configuration Service (RCS)
S850i (Revolabs OEM)
Secure IP Remote Management SRM
SIP-DECT
SIP-DECT Open Mobility Manager
SIP-DECT with Cloud-ID
Solidus eCare
SX-200IP ICP
Telephony Switch (TSW)
Telepo
This list will be updated with additional information as it becomes available.
Risk Assessment
The vendor of the affected Java versions has assigned varied levels of risk for each of the individual CVEs. The level of risk will be assessed individually for Mitel products should the vulnerable versions of Java be confirmed to be in use. Please refer to the product specific Security Bulletins for additional statements of risk.
Please refer to the product specific Security Bulletins for additional statements of risk.
Mitigation / Recommended Action
Please refer to the product-specific Security Bulletins for mitigation and recommendations.
As a best practice, it is recommended to keep Java installations up to date on open client workstations and servers, where the system is the responsibility of the environment. For more information, please refer to the links provided below for additional information.
External References
CVE-2015-4731
CVE-2015-4732
CVE-2015-4733
CVE-2015-4734
CVE-2015-4748
CVE-2015-4760
CVE-2015-4803
CVE-2015-4805
CVE-2015-4806
CVE-2015-4835
CVE-2015-4840
CVE-2015-4842
CVE-2015-4843
CVE-2015-4844
CVE-2015-4860
CVE-2015-4872
CVE-2015-4881
CVE-2015-4882
CVE-2015-4883
CVE-2015-4893
CVE-2015-4903
CVE-2015-4911