-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0654
   Avaya ASA-2012-289 - PostgreSQL Security Updates 9.1.4, 9.0.8, 8.4.12
                            and 8.3.19 (6/12)
                                10 July 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Avaya Aura Application Enablement Services
                   Avaya Aura Experience Portal
                   Avaya Meeting Exchange
                   Avaya Aura Presence Services
                   Avaya Aura Session Manager
                   Avaya Aura System Manager
                   Avaya Voice Portal
Publisher:         Avaya
Operating System:  Network Appliance
Impact/Access:     Reduced Security   -- Remote/Unauthenticated
                   Denial of Service  -- Existing Account
Resolution:        Mitigation
CVE Names:         CVE-2012-2655 CVE-2012-2143
Reference:         ESB-2012.0619
                   ESB-2012.0615
                   ESB-2012.0527
                   ESB-2012.0507

Original Bulletin:
   https://downloads.avaya.com/css/P8/documents/100164390

Comment: No patches are currently available to correct these issues. As a
         mitigation, Avaya recommends that "...customers follow networking
         and security best practices by implementing firewalls, ACLs,
         physical security or other appropriate access restrictions."

- --------------------------BEGIN INCLUDED TEXT--------------------

PostgreSQL Security Updates 9.1.4, 9.0.8, 8.4.12 and 8.3.19 (6/12)

Original Release Date: July 6, 2012
Last Revised:          July 6, 2012
Number:                ASA-2012-289
Risk Level:            Low
Advisory Version:      1.0
Advisory Status:       Interim

1. Overview:

PostgreSQL is an advanced Object-Relational database management system
(DBMS). The PostgreSQL Global Development Group has released security
updates for all active branches of the PostgreSQL database system,
including versions 9.1.4, 9.0.8, 8.4.12 and 8.3.19.
This update includes security fixes for the following issues:

* A security flaw was found in the way the DES and extended DES based
  crypt() password encryption functions performed encryption of certain
  keys when the key to be encrypted was provided in the Unicode encoding
  (certain keys were truncated before being DES digested). When the
  resulting ciphertext for such a previously shortened key was used as a
  pattern in a password protected resource, intended to be matched against
  the subsequently encrypted value of the password field retrieved from the
  user authentication dialog, it could lead to authentication bypass. The
  Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
  the name CVE-2012-2143 to this issue.

* A security flaw was found in the way PostgreSQL performed inclusion of
  additional procedural language plug-in support into the PostgreSQL
  server. Previously, database administrators were allowed to install
  trusted procedural languages into their databases, and the owner of such
  a procedural language's handler function was allowed to execute the
  ALTER FUNCTION statement on it. If a procedural language plug-in was
  enabled on a particular database, an authenticated database
  administrator could use this flaw to cause a denial of service
  (PostgreSQL server crash) by adding SECURITY DEFINER or SET attributes
  to such a handler function. The Common Vulnerabilities and Exposures
  project (cve.mitre.org) has assigned the name CVE-2012-2655 to this
  issue.

The information about these vulnerabilities may be found in the release
notes issued by PostgreSQL:

   PostgreSQL Security Update 2012-06-04
   release-9.1.4
   release-9.0.8
   release-8.4.12
   release-8.3.19

Note: This advisory targets only Avaya products with postgresql packages
provided by postgresql.org. Products with postgresql packages provided by
Red Hat will be covered by advisories associated with Red Hat Security
Advisories (RHSA).

2. Avaya System Products with affected version(s) of PostgreSQL installed:

Product:                                    Affected Version(s):  Risk Level:
Avaya Aura Application Enablement Services  5.x, 6.x              Low
Avaya Aura Experience Portal                6.0.x                 Low
Avaya Meeting Exchange                      5.x                   Low
Avaya Aura Presence Services                6.x                   Low
Avaya Aura Session Manager                  1.1, 5.x, 6.x         Low
Avaya Aura System Manager                   5.x, 6.x              Low
Avaya Voice Portal                          5.x                   Low

Actions: See recommended actions below. This issue will be addressed in
accordance with section five of Avaya's Product Security Vulnerability
Response Policy.

Recommended Actions for System Products:

Avaya strongly recommends that customers follow networking and security
best practices by implementing firewalls, ACLs, physical security or other
appropriate access restrictions. Though Avaya believes such restrictions
should always be in place, risk to Avaya products and the surrounding
network from this potential vulnerability may be mitigated by ensuring
these practices are implemented until such time as an Avaya provided
product update or the recommended Avaya action is applied. Further
restrictions as deemed necessary based on the customer's security policies
may be required during this interim period, but customers should not
modify the System Product operating system or application unless the
change is approved by Avaya. Making changes that are not approved may void
the Avaya product service contract.

Mitigating Factors:

When determining risk, Avaya takes into account many factors as outlined
by Avaya's Security Vulnerability Classification Policy. The following
table describes factors that mitigate the risk of specific vulnerabilities
for affected Avaya products:

Vulnerability   Mitigating Factors
CVE-2012-2143   There is no Risk for Presence Services, Session Manager and
                Voice Portal since the crypt encryption function is not
                used. This is a Low Risk for Application Enablement
                Services, Experience Portal, Meeting Exchange and System
                Manager because access is restricted to local system
                administrators only.
CVE-2012-2655   This is a Low Risk for all products because only local
                administrators could perform this attack, and doing so
                would not give them any privileges beyond those they
                already have.

3. Additional Information:

Additional information may also be available via the Avaya support website
and through your Avaya account representative. Please contact your Avaya
product support representative, or dial 1-800-242-2121, with any questions.

4. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS
PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND
AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND
FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS
RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS.
IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF
OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED
HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL
DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE INFORMATION PROVIDED
HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS.
SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING
AGREEMENTS WITH AVAYA.

5. Revision History:

V 1.0 - July 6, 2012 - Initial Statement issued.

Send information regarding any discovered security problems with Avaya
products to either the contact noted in the product's documentation or
securityalerts@avaya.com.

(c) 2012 Avaya Inc. All Rights Reserved.
All trademarks identifying Avaya products by the ® or ™ are registered
trademarks or trademarks, respectively, of Avaya Inc. All other trademarks
are the property of their respective owners.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
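Editor's added example, placed after the signed bulletin so that the signed text above stays intact; it is not Avaya's or PostgreSQL's code. It reads the output of PostgreSQL's version() function for a fleet of servers and reports which are still below the fixed releases the advisory names (9.1.4, 9.0.8, 8.4.12, 8.3.19). The hostnames and version strings are constructed samples, and the treatment of branches outside 8.3 to 9.1 is an assumption noted in the code.

```python
import re

# Per-branch minor release carrying the fixes for CVE-2012-2143 and
# CVE-2012-2655, as listed in the advisory.
FIXED_MINOR = {(9, 1): 4, (9, 0): 8, (8, 4): 12, (8, 3): 19}

# Leading "PostgreSQL X.Y.Z" of a version() string; the patch component is
# optional so a pre-release string such as "9.1beta2" still parses.
VERSION_RE = re.compile(r"PostgreSQL (\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version_string):
    """Return (major, minor, patch) from version() output, or None."""
    m = VERSION_RE.search(version_string)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version_string):
    """Classify as 'fixed', 'vulnerable', 'end-of-life' or 'unknown'.

    Assumption not stated in the advisory: branches newer than 9.1 were
    released after the fix and count as fixed; branches older than 8.3
    were out of support in 2012, so no fixed release exists for them.
    """
    parsed = parse_version(version_string)
    if parsed is None:
        return "unknown"
    major, minor, patch = parsed
    branch = (major, minor)
    if branch in FIXED_MINOR:
        return "fixed" if patch >= FIXED_MINOR[branch] else "vulnerable"
    return "fixed" if branch > (9, 1) else "end-of-life"


def servers_needing_action(inventory):
    """Return {host: verdict} for every host not confirmed fixed."""
    verdicts = {host: assess(v) for host, v in inventory.items()}
    return {h: v for h, v in verdicts.items() if v != "fixed"}


# Constructed sample inventory in the form returned by SELECT version();
# hostnames and builds are invented, not taken from any Avaya product.
SAMPLE_INVENTORY = {
    "aes-01": "PostgreSQL 8.4.9 on x86_64-redhat-linux-gnu, compiled by GCC",
    "smgr-01": "PostgreSQL 9.0.8 on x86_64-unknown-linux-gnu, compiled by GCC",
    "mx-01": "PostgreSQL 8.2.23 on i686-pc-linux-gnu, compiled by GCC",
    "lab-01": "PostgreSQL 9.1beta2 on x86_64-unknown-linux-gnu",
}
```

Calling servers_needing_action(SAMPLE_INVENTORY) flags aes-01 and lab-01 as vulnerable and mx-01 as end-of-life; smgr-01 is already at 9.0.8 and needs no action.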