-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2108
  nss and nspr security, bug fix, and enhancement update (RHSA-2014-1246)
                              11 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Avaya Aura Session Manager
Publisher:         Avaya Inc.
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1545 CVE-2014-1492 CVE-2014-1491 CVE-2014-1490
                   CVE-2013-1740
Reference:         ASB-2014.0121 ASB-2014.0077 ESB-2014.1689 ESB-2014.1605
                   ESB-2014.1409 ESB-2014.1284 ESB-2014.1260

Original Bulletin:
   https://downloads.avaya.com/css/P8/documents/101003209

- --------------------------BEGIN INCLUDED TEXT--------------------

nss and nspr security, bug fix, and enhancement update (RHSA-2014-1246)

Original Release Date: November 5, 2014
Last Revised:          November 5, 2014
Number:                ASA-2014-395
Risk Level:            Low
Advisory Version:      1.0
Advisory Status:       Interim

1. Overview:

Network Security Services (NSS) is a set of libraries designed to support the
cross-platform development of security-enabled client and server applications.

A flaw was found in the way TLS False Start was implemented in NSS. An attacker
could use this flaw to potentially return unencrypted information from the
server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2013-1740 to this issue.

A race condition was found in the way NSS implemented session ticket handling
as specified by RFC 5077. An attacker could use this flaw to crash an
application using NSS or, in rare cases, execute arbitrary code with the
privileges of the user running that application. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CVE-2014-1490 to
this issue.

It was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)
parameters. This could possibly lead to weak encryption being used in
communication between the client and the server. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2014-1491 to this
issue.

An out-of-bounds write flaw was found in NSPR. A remote attacker could
potentially use this flaw to crash an application using NSPR or, possibly,
execute arbitrary code with the privileges of the user running that
application. This NSPR flaw was not exposed to web content in any shipped
version of Firefox. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2014-1545 to this issue.

It was found that the implementation of Internationalizing Domain Names in
Applications (IDNA) hostname matching in NSS did not follow the RFC 6125
recommendations. This could lead to certain invalid certificates with
international characters being accepted as valid. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CVE-2014-1492 to
this issue.

More information about these vulnerabilities can be found in the security
advisory issued by Red Hat:

    https://rhn.redhat.com/errata/RHSA-2014-1246.html

2. Avaya System Products using a modified version of RHEL5 with affected
   packages installed:

Product:                     Affected    Risk   Actions:
                             Version(s): Level:

Avaya Aura Application       5.x, 6.x    Low    See recommended actions below. This
Enablement Services                             issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy[1]

Avaya Aura Application       2.x, 3.x    Low    See recommended actions below. This
Server 5300 SIP Core                            issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya IQ                     5.x         Low    See recommended actions below. This
                                                issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya Aura Communication     6.x         Low    See recommended actions below. This
Manager                                         issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya Communication Server   6.x, 7.x    Low    See recommended actions and Mitigating
1000:                                           Factors table below. This advisory will
  CS1000E                                       not be addressed as no further releases
  CS1000M                                       are planned.
  CS1000E/CS1000M
  Signaling Server

Avaya Aura Conferencing      7.x, 8.x    Low    See recommended actions below. This
                                                issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya Aura Conferencing      6.x         Low    See recommended actions and Mitigating
Standard Edition                                Factors table below. This advisory will
                                                not be addressed as no further releases
                                                are planned. It is recommended that
                                                customers migrate to one of Avaya's
                                                conferencing solutions including Aura
                                                Conferencing 7.0 or later.

Avaya IP Office Application  8.x         Low    See recommended actions below. This
Server                                          issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya Meeting Exchange       6.x         Low    See recommended actions below. This
                                                issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya Message Networking     6.x         Low    See recommended actions below. This
                                                issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya Aura Messaging         6.x         Low    See recommended actions below. This
                                                issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya one-X Client           6.1.x       Low    See recommended actions below. This
Enablement Services                             issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya Aura Presence Services 6.x         Low    See recommended actions below. This
                                                issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya Proactive Contact      5.x         Low    See recommended actions below. This
                                                issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya Aura Session Manager   5.x thru    Low    Upgrade to 6.3.10 or later.
                             6.2.9

Avaya Aura System Manager    5.x, 6.x    Low    See recommended actions below. This
                                                issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya Aura System Platform   1.x, 6.x    Low    See recommended actions below. This
                                                issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Avaya Aura Communication     6.x         Low    See recommended actions below. This
Manager Utility Services                        issue will be addressed in accordance
                                                with section five of Avaya's Product
                                                Security Vulnerability Response Policy

Recommended Actions for System Products:

Avaya strongly recommends following networking and security best practices by
implementing firewalls, ACLs, physical security or other appropriate access
restrictions. Though Avaya believes such restrictions should always be in
place, risk to Avaya products and the surrounding network from this potential
vulnerability may be mitigated by ensuring these practices are implemented
until such time as an Avaya provided product update or the recommended Avaya
action is applied. Further restrictions as deemed necessary based on the
customer's security policies may be required during this interim period, but
the System Product operating system or application should not be modified
unless the change is approved by Avaya. Making changes that are not approved
may void the Avaya product service contract.

Mitigating Factors:

When determining risk, Avaya takes into account many factors as outlined by
Avaya's Security Vulnerability Classification Policy. The following table
describes factors that mitigate the risk of specific vulnerabilities for
affected Avaya products:

Vulnerability     Mitigating Factors

CVE-2013-1740     These are a Low risk as either the packages are installed
CVE-2014-1490     but not used, or the affected functionality is not used.
CVE-2014-1491
CVE-2014-1492
CVE-2014-1545

3. Avaya Software-Only Products:

Avaya software-only products operate on general-purpose operating systems.
Occasionally vulnerabilities may be discovered in the underlying operating
system or applications that come with the operating system. These
vulnerabilities often do not impact the software-only product directly but may
threaten the integrity of the underlying platform. In the case of this advisory
Avaya software-only products are not affected by the vulnerability directly but
the underlying Linux platform may be. Customers should determine on which Linux
operating system the product was installed and then follow that vendor's
guidance.

Product:                                    Actions:

Avaya Aura Application Enablement Services  Depending on the Operating System
                                            installed, the affected package may be
                                            installed on the underlying Operating
                                            System supporting the AES application.

Avaya IQ                                    Depending on the Operating System
                                            installed, the affected package may be
                                            installed on the underlying Operating
                                            System supporting the Avaya IQ
                                            application.

CVLAN                                       Depending on the Operating System
                                            installed, the affected package may be
                                            installed on the underlying Operating
                                            System supporting the CVLAN application.

Avaya Aura Experience Portal                Depending on the Operating System
                                            installed, the affected package may be
                                            installed on the underlying Operating
                                            System supporting the EP application.

Avaya Integrated Management Suite (IMS)     Depending on the Operating System
                                            installed, the affected package may be
                                            installed on the underlying Operating
                                            System supporting the IMS application.

Avaya Aura Presence Services                Depending on the Operating System
                                            installed, the affected package may be
                                            installed on the underlying Operating
                                            System supporting the PS application.

Recommended Actions for Software-Only Products:

In the event that the affected package is installed, Avaya recommends following
recommended actions supplied by Red Hat regarding their Enterprise Linux.

4. Additional Information:

Additional information may also be available via the Avaya support website and
through your Avaya account representative. Please contact your Avaya product
support representative, or dial 1-800-242-2121, with any questions.

5. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS
PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND
AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND
FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS
RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN
NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN
CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN,
INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE
FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER
EXISTING AGREEMENTS WITH AVAYA.

6. Revision History:

V 1.0 - November 5, 2014 - Initial Statement issued.

Avaya customers or Business Partners should report any security issues found
with Avaya products via the standard support process. Independent security
researchers can contact Avaya at securityalerts@avaya.com.

Linux is the registered trademark of Linus Torvalds in the U.S. and other
countries.

© 2014 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya
products by the ® or ™ are registered trademarks or trademarks, respectively,
of Avaya Inc. All other trademarks are the property of their respective owners.

1. https://downloads.avaya.com/css/P8/documents/100045520

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVGF6zRLndAQH1ShLAQJ0OQ//VbGakQHS0gyzGeR7UYUtSld6ZWLumi78
VgVONvjt3YRUTtqPFRFT9g5SoJLedk+0jtVDxySVu0aR3OOul9cX/vXGETwYwkpP
j+fCp/bOGQWRJPZoUzucKel3e2TlWsIyQ0K16LroBkenWvBU56ibk9nCVNMcHWns
g7Ei8QX/gbsAAXOXooWgp/9Do/twROewsR8PjVFdmjSSondwbUvPQ4hGpUfCFFu0
ny6rLRseUojB7+KAg647TFAz+LHG0O0noKe6K1ZxCOlQcbbfNX0kRWQV8YW8rVcz
SZVxEqM4uVlAZo8R6St24o55kn6OpEAMe0ydVw8lCeu2JX9PdkL5JYy/QT9VadrO
1o2U2UkqEBEJCkVm8+KWZEAUDtTbX8eOW8JuvN7/3b9VUF7IOp7Ct/BqsYQ6Sets
ukwau9qZcJgPF1PG86kyVRXlWHPsUrpPbHSi2TKJiz+1tcS1o8bG7hANE88O98WV
J+oO35TF9KZzopJas/hSP8be6t1+KZh8AK/8K3p1mjbyl3ckQvzHHDugBX6gNhi/
uUyHbbQjsaO34sWAu5JtyBSA4f+FDRF+KRIQQEFxqwW5hxCfvwG8xynhYaMnWIUD
B5L5oVIbonXJ8Jhi7ptjw1QMGhG1AXTyNtNyzSEjK7o9AQQYdxBexm0RficVSBzt
sv5ERZNXgsw=
=HGuR
-----END PGP SIGNATURE-----
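Editor's appendix, placed after the signed bulletin so the signed text stays untouched. Section 1 above describes two client-side checks that NSS performed incorrectly before RHSA-2014-1246: acceptance of weak Diffie-Hellman parameters (CVE-2014-1491) and hostname matching that did not follow RFC 6125 for internationalized names (CVE-2014-1492). The block below is an added example of what a TLS client should check in each case; it is not code from the bulletin, from Red Hat or from the NSS project, and it does not reproduce the specific NSS defects. The 1024-bit prime floor, the rule that a wildcard needs at least two labels after it, and all function names are this example's own choices; the bulletin does not say which parameters NSS accepted.

```python
"""Added example: two TLS-client checks related to section 1 of the bulletin
above (example code, not NSS's, Red Hat's or Avaya's).

CVE-2014-1491: a client should refuse server Diffie-Hellman parameters that
cannot yield a strong shared secret: a short or even modulus, a degenerate
generator, or a public value Ys outside 2..p-2.
CVE-2014-1492: RFC 6125 section 6.4.3 hostname matching, where a wildcard
must be the entire left-most label, must not be embedded in an
internationalized (A-label/U-label) label, and never matches across a dot.

MIN_DH_PRIME_BITS, the "at least two labels after '*'" rule and the function
names are assumptions made for this example.
"""
import ipaddress

MIN_DH_PRIME_BITS = 1024  # assumption for this example; current guidance is 2048


def dh_params_ok(p: int, g: int, ys: int, min_bits: int = MIN_DH_PRIME_BITS) -> bool:
    """Sanity-check (p, g, Ys) from a TLS ServerKeyExchange before using them.

    Only cheap structural checks are made; primality of p is not tested here.
    """
    if p.bit_length() < min_bits or p % 2 == 0:
        return False  # short or even modulus: the secret is cheap to recover
    if not 1 < g < p - 1:
        return False  # g in {0, 1, p-1} generates a one- or two-element group
    if not 1 < ys < p - 1:
        return False  # Ys in {0, 1, p-1} forces the shared secret to 0, 1 or p-1
    return True


def _labels(name: str) -> list:
    """Lower-case a DNS name, drop a trailing dot and turn U-labels into A-labels.

    Labels containing '*' are left as-is so the wildcard rules can inspect them.
    """
    out = []
    for label in name.rstrip(".").lower().split("."):
        if "*" in label or label.isascii():
            out.append(label)
        else:
            out.append(label.encode("idna").decode("ascii"))  # e.g. bücher -> xn--bcher-kva
    return out


def match_hostname(presented: str, reference: str) -> bool:
    """Compare a certificate dNSName (presented) with the name the client wanted.

    Returns True only when RFC 6125 would treat the identifier as a match.
    """
    try:
        ipaddress.ip_address(reference)
        return False  # IP literals are matched against iPAddress SANs, never dNSName
    except ValueError:
        pass
    pres, ref = _labels(presented), _labels(reference)
    if "" in pres or "" in ref or any("*" in lab for lab in ref):
        return False  # empty labels, or a wildcard on the reference side
    if not any("*" in lab for lab in pres):
        return pres == ref  # no wildcard: exact label-by-label comparison
    if pres[0] != "*" or any("*" in lab for lab in pres[1:]):
        return False  # '*' must be the whole left-most label: "xn--*", "f*o" fail
    if len(pres) < 3:
        return False  # "*.com" would match every name under the TLD
    if len(pres) != len(ref):
        return False  # a wildcard never spans a dot: "*.example.com" vs "a.b.example.com"
    return pres[1:] == ref[1:]


if __name__ == "__main__":
    # Constructed sample values; p is merely sized like a 1024-bit modulus, not a real prime.
    p = (1 << 1023) | 1
    print(dh_params_ok(p, 2, 12345), dh_params_ok(p, 2, 1), dh_params_ok(p, 2, p - 1))
    print(match_hostname("*.example.com", "www.example.com"),
          match_hostname("xn--*.example.com", "xn--bcher-kva.example.com"),
          match_hostname("bücher.example.com", "XN--BCHER-KVA.example.com"))
```

Both functions return a bare boolean so they can sit in front of the real key-exchange or certificate code path; a client that integrates them should fail the handshake on False rather than fall back to a weaker check.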