===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2108
  nss and nspr security, bug fix, and enhancement update (RHSA-2014-1246)
                             11 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Avaya Aura Session Manager
Publisher:         Avaya Inc.
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1545 CVE-2014-1492 CVE-2014-1491
                   CVE-2014-1490 CVE-2013-1740 

Reference:         ASB-2014.0121
                   ASB-2014.0077
                   ESB-2014.1689
                   ESB-2014.1605
                   ESB-2014.1409
                   ESB-2014.1284
                   ESB-2014.1260

Original Bulletin: 
   https://downloads.avaya.com/css/P8/documents/101003209

- --------------------------BEGIN INCLUDED TEXT--------------------

nss and nspr security, bug fix, and enhancement update (RHSA-2014-1246)

Original Release Date: November 5, 2014

Last Revised: November 5, 2014

Number: ASA-2014-395

Risk Level: Low

Advisory Version: 1.0

Advisory Status: Interim

1. Overview:

Network Security Services (NSS) is a set of libraries designed to support the
cross-platform development of security-enabled client and server applications.

A flaw was found in the way TLS False Start was implemented in NSS. An 
attacker could use this flaw to potentially return unencrypted information 
from the server. The Common Vulnerabilities and Exposures project 
(cve.mitre.org) has assigned the name CVE-2013-1740 to this issue.

A race condition was found in the way NSS implemented session ticket handling
as specified by RFC 5077. An attacker could use this flaw to crash an 
application using NSS or, in rare cases, execute arbitrary code with the 
privileges of the user running that application. The Common Vulnerabilities 
and Exposures project (cve.mitre.org) has assigned the name CVE-2014-1490 to 
this issue.

It was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE) 
parameters. This could possibly lead to weak encryption being used in 
communication between the client and the server. The Common Vulnerabilities 
and Exposures project (cve.mitre.org) has assigned the name CVE-2014-1491 to 
this issue.

An out-of-bounds write flaw was found in NSPR. A remote attacker could 
potentially use this flaw to crash an application using NSPR or, possibly, 
execute arbitrary code with the privileges of the user running that 
application. This NSPR flaw was not exposed to web content in any shipped 
version of Firefox. The Common Vulnerabilities and Exposures project 
(cve.mitre.org) has assigned the name CVE-2014-1545 to this issue.

It was found that the implementation of Internationalizing Domain Names in 
Applications (IDNA) hostname matching in NSS did not follow the RFC 6125 
recommendations. This could lead to certain invalid certificates containing 
international characters being accepted as valid. The Common Vulnerabilities 
and Exposures project (cve.mitre.org) has assigned the name CVE-2014-1492 to 
this issue.
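As an added illustration for CVE-2014-1492 (example code written for this bulletin, not NSS's own matcher and not part of the Avaya or Red Hat text), the following Python function applies the RFC 6125 section 6.4.3 wildcard rules that the bulletin says NSS did not follow. The function names, the rejection of over-broad wildcards such as *.com, and the stricter refusal to match any wildcard against an internationalised reference label are this example's own choices.

```python
# Added example for this bulletin: RFC 6125 section 6.4.3 hostname matching
# with an IDNA guard. Illustrative code, not NSS's own matcher.

def _labels(name: str) -> list[str]:
    """Lower-case, drop a trailing dot and split a DNS name into labels."""
    labels = name.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        raise ValueError(f"empty label in {name!r}")
    return labels


def _is_idn_label(label: str) -> bool:
    """True for an A-label (xn--...) or a U-label (contains non-ASCII)."""
    return label.startswith("xn--") or not label.isascii()


def hostname_matches(presented: str, reference: str) -> bool:
    """Does a certificate's presented identifier (dNSName) match the
    reference hostname the client connected to?

    Rules (RFC 6125 section 6.4.3): exact, case-insensitive label match
    without a wildcard; a single '*' only in the left-most label; '*'
    matches exactly one label (so *.example.com matches neither
    example.com nor a.b.example.com); no wildcard inside an A-label or
    U-label. As a stricter policy of this example, a wildcard also never
    matches an internationalised left-most reference label.
    """
    p_labels = _labels(presented)
    r_labels = _labels(reference)
    if "*" not in presented:
        return p_labels == r_labels
    head, *tail = p_labels
    # One wildcard, and only in the left-most label.
    if head.count("*") != 1 or any("*" in label for label in tail):
        return False
    # Refuse over-broad wildcards such as *.com (common client policy).
    if len(tail) < 2:
        return False
    # The wildcard consumes exactly one label; the rest must match exactly.
    if len(r_labels) != len(p_labels) or r_labels[1:] != tail:
        return False
    # IDNA guard: no wildcard inside, or against, an internationalised label.
    if _is_idn_label(head) or _is_idn_label(r_labels[0]):
        return False
    prefix, suffix = head.split("*")
    target = r_labels[0]
    return (len(target) >= len(prefix) + len(suffix)
            and target.startswith(prefix) and target.endswith(suffix))
```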

More information about these vulnerabilities can be found in the security 
advisory issued by Red Hat:

https://rhn.redhat.com/errata/RHSA-2014-1246.html

2. Avaya System Products using a modified version of RHEL5 with affected 
packages installed:

Product:                                            Affected Version(s): Risk Level:
--------------------------------------------------  -------------------- -----------

Avaya Aura Application Enablement Services          5.x, 6.x             Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy[1]

Avaya Aura Application Server 5300: SIP Core        2.x, 3.x             Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya IQ                                            5.x                  Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya Aura Communication Manager                    6.x                  Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya Communication Server 1000:                    6.x, 7.x             Low
  CS1000E
  CS1000M
  CS1000E/CS1000M Signaling Server
    Actions: See recommended actions and Mitigating Factors table below. This
             advisory will not be addressed as no further releases are planned.

Avaya Aura Conferencing                             7.x, 8.x             Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya Aura Conferencing Standard Edition            6.x                  Low
    Actions: See recommended actions and Mitigating Factors table below. This
             advisory will not be addressed as no further releases are planned.
             It is recommended that customers migrate to one of Avaya's
             conferencing solutions including Aura Conferencing 7.0 or later.

Avaya IP Office Application Server                  8.x                  Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya Meeting Exchange                              6.x                  Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya Message Networking                            6.x                  Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya Aura Messaging                                6.x                  Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya one-X Client Enablement Services              6.1.x                Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya Aura Presence Services                        6.x                  Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya Proactive Contact                             5.x                  Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya Aura Session Manager                          5.x thru 6.2.9       Low
    Actions: Upgrade to 6.3.10 or later.

Avaya Aura System Manager                           5.x, 6.x             Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya Aura System Platform                          1.x, 6.x             Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Avaya Aura Communication Manager Utility Services   6.x                  Low
    Actions: See recommended actions below. This issue will be addressed in
             accordance with section five of Avaya's Product Security
             Vulnerability Response Policy

Recommended Actions for System Products:

Avaya strongly recommends following networking and security best practices by
implementing firewalls, ACLs, physical security or other appropriate access 
restrictions. Though Avaya believes such restrictions should always be in 
place, risk to Avaya products and the surrounding network from this potential
vulnerability may be mitigated by ensuring these practices are implemented 
until such time as an Avaya provided product update or the recommended Avaya 
action is applied. Further restrictions as deemed necessary based on the 
customer's security policies may be required during this interim period, but 
the System Product operating system or application should not be modified 
unless the change is approved by Avaya. Making changes that are not approved 
may void the Avaya product service contract.

Mitigating Factors:

When determining risk, Avaya takes into account many factors as outlined by 
Avaya's Security Vulnerability Classification Policy. The following table 
describes factors that mitigate the risk of specific vulnerabilities for 
affected Avaya products:

Vulnerability    Mitigating Factors

CVE-2013-1740    These are a Low risk as either the packages are installed
CVE-2014-1490    but not used, or the affected functionality is not used.
CVE-2014-1491
CVE-2014-1492
CVE-2014-1545


3. Avaya Software-Only Products:

Avaya software-only products operate on general-purpose operating systems. 
Occasionally vulnerabilities may be discovered in the underlying operating 
system or applications that come with the operating system. These 
vulnerabilities often do not impact the software-only product directly but may
threaten the integrity of the underlying platform.

In the case of this advisory Avaya software-only products are not affected by
the vulnerability directly but the underlying Linux platform may be. Customers
should determine on which Linux operating system the product was installed and
then follow that vendor's guidance.

Product:                                    Actions:

Avaya Aura Application Enablement Services  Depending on the Operating System installed, the affected
                                            package may be installed on the underlying Operating System
                                            supporting the AES application.

Avaya IQ                                    Depending on the Operating System installed, the affected
                                            package may be installed on the underlying Operating System
                                            supporting the Avaya IQ application.

CVLAN                                       Depending on the Operating System installed, the affected
                                            package may be installed on the underlying Operating System
                                            supporting the CVLAN application.

Avaya Aura Experience Portal                Depending on the Operating System installed, the affected
                                            package may be installed on the underlying Operating System
                                            supporting the EP application.

Avaya Integrated Management Suite (IMS)     Depending on the Operating System installed, the affected
                                            package may be installed on the underlying Operating System
                                            supporting the IMS application.

Avaya Aura Presence Services                Depending on the Operating System installed, the affected
                                            package may be installed on the underlying Operating System
                                            supporting the PS application.

Recommended Actions for Software-Only Products:

In the event that the affected package is installed, Avaya recommends 
following recommended actions supplied by Red Hat regarding their Enterprise 
Linux.

4. Additional Information:

Additional information may also be available via the Avaya support website and
through your Avaya account representative. Please contact your Avaya product 
support representative, or dial 1-800-242-2121, with any questions.

5. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS 
PROVIDED "AS IS". AVAYA INC., ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND 
AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND 
FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS 
RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN
NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN
CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, 
INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE
FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER
EXISTING AGREEMENTS WITH AVAYA.

6. Revision History:

V 1.0 - November 5, 2014 - Initial Statement issued.

Avaya customers or Business Partners should report any security issues found 
with Avaya products via the standard support process.

Independent security researchers can contact Avaya at 
securityalerts@avaya.com.

Linux is the registered trademark of Linus Torvalds in the U.S. and other 
countries.

© 2014 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya 
products by the ® or ™ are registered trademarks or trademarks, respectively, of 
Avaya Inc. All other trademarks are the property of their respective owners.

1. https://downloads.avaya.com/css/P8/documents/100045520

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================