Mitel Product Security Advisory 17-0008

OpenSSL Vulnerabilities in MiCollab Desktop Applications

Advisory ID: 17-0008
Publish Date: 2017-06-05
Revision: 1.0

Summary

Vulnerabilities related to older versions of OpenSSL have been identified in certain MiCollab applications running on the Microsoft Windows platform.

Detailed Description

MiCollab Desktop client, MiVoice for Lync and MiVoice for Skype for Business SIP softphone use a third-party OpenSSL library to provide cryptographic services for secured communications. Security scans may report that OpenSSL vulnerabilities, including Heartbleed (CVE-2014-0160) and SWEET32 (CVE-2016-2183), are present in the SIP services of the affected products.

Affected Products

Security Bulletins are being issued for the following products:

Product Name                    Product Versions                        Security Bulletin  Last Updated
MiCollab Desktop client         MiCollab 6.0                            17-0008-001        2017-06-05
MiCollab Desktop client         MiCollab 7.0, 7.1, 7.2, 7.3, 7.3.0.104
MiVoice for Lync                1.1.2.5
MiVoice for Skype For Business  1.1.3.3, 1.2.0.11, 1.3.2.2, 1.4.0.102

Risk Assessment

The risk associated with these vulnerabilities in the noted products is considered low-to-moderate. 

Refer to product Security Bulletins for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued new releases of the affected software applications.  Customers are advised to update their software to the latest versions. 

Refer to the Security Bulletin for more information.

External References

https://sweet32.info
https://www.openssl.org/blog/blog/2016/08/24/sweet32/
http://heartbleed.com

Related CVEs / CWEs / Advisories

CVE-2016-2183
CVE-2014-0160