Mitel Product Security Advisory 15-0012

Multiple Oracle Java Vulnerabilities

Advisory ID: 15-0012
Publish Date: 2015-12-04
Revision: v1.3 (updated 2016-05-02)

Summary

Specific versions of Oracle Java were identified as being affected by multiple vulnerabilities of varying risk. This Security Advisory provides additional details on these vulnerabilities for the Mitel products confirmed to be affected.

Detailed Description

25 different CVEs were identified as applicable to multiple versions of Java. Attack vectors, deployment considerations and severity vary for each CVE. As some Mitel products use Java, an investigation was launched to identify any Mitel products that might be affected and to deliver solutions where required.

The following CVEs were identified as applicable to Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51:

CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4903, CVE-2015-4911

The following CVEs were identified as applicable to Oracle Java SE 6u95, 7u80, and 8u45:

CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-2601

Affected Products

The following products have been identified as being affected (updated 2016-05-02):

Product Name | Product Versions | Security Bulletin | Last Updated
Oria | Oria 4.0, 4.0 SP1 (4.0.39.0, 4.0.112.0) | 15-0012-008 | 2016-05-02
CMG | CMG 8.2 SP1 and earlier | 15-0012-006 | 2016-02-01
InAttend | InAttend 2.2 and earlier | 15-0012-006 | 2016-02-01
MiCollab Client Server | MAS 6.0 SP1 (UCA 6.0 SP4); MAS 6.0 SP2 (UCA 6.0 SP5) | 15-0012-002 | 2016-03-07
MiCollab MCA | MAS 6.0 SP2 (AWV 5.0 SP5); MAS 6.0 SP1 (AWV 5.0 SP4) | 15-0012-001 | 2016-02-01
MiCollab with Voice (vUCC) (MiVoice Business Express) | MiCV 6.0 SP1 & SP2 (6.0.123.0, 6.0.205.0, 6.0.207.0) | 15-0012-004 | 2016-02-01
MiCollab NuPoint UM / NuPoint UM Standalone | 17.2.0.3, 17.1.0.11 | 15-0012-003 | 2016-02-01
Mitel Alarm Server | 3.0 | 15-0012-005 | 2016-02-01
MiVoice MX-ONE / Express / SAAS (MX-ONE Provisioning Manager; MX-ONE Service Node Manager) | 6.0 SP2 and earlier (SLES 11 SP3/SP4) | 15-0012-007 | 2016-02-01
MX-ONE Telephony System / Mitel 700 (MX-ONE Manager Provisioning; MX-ONE Manager Telephony System) | 5.0 SP7 and earlier (SLES 10 SP4) | 15-0012-007 | 2016-02-01

Products Under Investigation

The following products are being evaluated to determine potential exposure and risk (updated 2016-05-02).

Product Name

- BluStar Server
- Centergy Virtual Contact Center
- Clearspan (Acme Packet Core SBC)
- Clearspan (AudioCodes eSBC / Gateway)
- Clearspan (Broadworks Platform)
- Clearspan (Edgewater eSBC)
- D.N.A. Application Suite
- MiContact Center Office
- MiVoice 5602/5603/5604/5606/5607 (DT390, DT690, DT692, DT292, DT590) IP DECT phones (Ascom OEM)
- MiVoice 5624 WiFi Phone (Ascom OEM)
- MiVoice Business - MCD for ISS
- MiVoice Business - MXe Server
- MiVoice Call Recording
- MiVoice Conference Unit (UC360)
- MiVoice IP DECT Base Station (IPBS 433/434/430/440) (Ascom OEM)
- MiVoice MX-ONE
- Multi-Instance Communications Director (MiCD)
- Oaisys Talkument
- Oaisys Tracer
- OpEasy
- TA7102i, TA7104i
- Virtual MiVoice Communications Director (vMCD)
- WSM, WSM-3 (CPDM 3) (Ascom OEM)

This list will be updated with additional information as it becomes available.

Products not Affected

Only Java-enabled products using Oracle Java are potentially affected. The following products have been identified as not being affected as they do not use Java, Oracle Java, or the affected versions of Oracle Java (updated 2016-03-07):

Product Name | Versions
3250 | All
340w and 342w | All
5000 Call Manager | All
5000 Compact | All
5000 Gateway | All
5300 series digital | All
5550 IP Console | All
6700i, 6800i (Praxis) Series SIP Phones | All
74XXip (H323 terminal family) | All
9000i Series (9480i, 9143i, 9133i, 9112i) SIP Phones | All
A1023i | All
Aastra 1560ip / 2380ip / 5300ip | All
AM7450 Management Center | All
BluStar 8000i | All
BluStar Android / iOS | All
BluStar Client (PC) | All
Comdasys MC Client Android / iOS | All
Comdasys Convergence 4675 | All
Comdasys Convergence 6719 | All
CPU2 / CPU2-S on Mitel 470 Controller | All
CT Gateway | All
D.N.A. Application Suite | All
DECToverIP (Mitel 100 | OpenCom 100) | All
DECToverIP (OC1000) | All
Dialog 5446ip, 4XXXip (H323 terminal family) | All
ER Adviser | All
FMC Controller (Comdasys MC Controller, Mitel Mobile Client Controller) | All
FMC Controller for Intelligate | All
MiCollab (MAS) / (SAS) / vMAs | All
MiCollab Mobile Client (iOS) | All
MiContact Center Business / Enterprise | All
MiContact Center Live | All
MiCollab Client (Desktop/Web) | All
MiCollab Mobile Client (Android) | All
MiContact Center for Microsoft Lync | All
MiContact Center Outbound | All
Mitel 800 | All
Mitel MMC Android / iOS | All
Mitel100/OpenComX320 | All
MiVoice 5610 DECT Handset and IP DECT Stand | All
MiVoice Border Gateway (MBG) | All
MiVoice Business - MCD (PPC) | All
MiVoice Business - MCD on Stratus | All
MiVoice Business Console | All
MiVoice Business Dashboard (CSM) | All
MiVoice Call Accounting | All
MiVoice Digital Phones 8528, 8568 | All
MiVoice IP Phones 53xx, 5540 | All
MiVoice IP Phones 5560, 5505 | All
MiVoice Office 250 (Mitel 5000) | All
MiVoice for Lync | All
MiVoice Office 400 | All
MiXML server | All
OIG | All
OneBox FaxMail | All
OneBox VoiceMail | All
Open Interfaces Platform (OIP, OIP WebAdmin) | All
OpenCom 1000 family | All
OpenPhone 7x IP | All
PointSpan | All
Redirection and Configuration Service (RCS) | All
S850i (Revolabs OEM) | All
Secure IP Remote Management SRM | All
SIP-DECT | All
SIP-DECT Open Mobility Manager | All
SIP-DECT with Cloud-ID | All
Solidus eCare | All
SX-200IP ICP | All
Telephony Switch (TSW) | All
Telepo | All

This list will be updated with additional information as it becomes available.

Risk Assessment

The vendor of the affected Java versions has assigned varied levels of risk for each of the individual CVEs. The level of risk will be assessed individually for Mitel products should the vulnerable versions of Java be confirmed to be in use. Please refer to the product specific Security Bulletins for additional statements of risk.

Mitigation / Recommended Action

Please refer to the product-specific Security Bulletins for mitigation and recommendations.

As a best practice, keep Java installations up to date on open client workstations and servers where the system is the responsibility of the customer environment. For more information, please refer to the links provided below.

External References

CVE-2015-4731
CVE-2015-4732
CVE-2015-4733
CVE-2015-4734
CVE-2015-4748
CVE-2015-4760
CVE-2015-4803
CVE-2015-4805
CVE-2015-4806
CVE-2015-4835
CVE-2015-4840
CVE-2015-4842
CVE-2015-4843
CVE-2015-4844
CVE-2015-4860
CVE-2015-4872
CVE-2015-4881
CVE-2015-4882
CVE-2015-4883
CVE-2015-4893
CVE-2015-4903
CVE-2015-4911