Mitel Product Security Advisory 15-0013

Java Deserialization Vulnerability

Advisory ID: 15-0013
Publish Date: 2015-12-04
Revision: v1.2 (updated 2016-05-03)

Summary

This security advisory has been published in response to recent publications regarding a Java Deserialization Vulnerability.

Detailed Description

Following a review of the article noted in the External References section, Mitel has identified that the vulnerability is associated with the Apache Commons Collections library, specifically the InvokerTransformer class. As such, the flaw is not in Java serialization itself, but in the Commons Collections library, which provides a mechanism that could allow arbitrary code to be run when untrusted serialized data is deserialized.

The Apache Commons Collections library is used by components and frameworks such as WebLogic, WebSphere, JBoss, Jenkins and OpenNMS. Where a vulnerable version of Apache Commons Collections is in use, these components are also potentially vulnerable.
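The mitigation the description above points to, as an added example that is not Mitel's code or any product's implementation: a look-ahead ObjectInputStream that rejects class descriptors from the Commons Collections functors packages (where InvokerTransformer lives) before any object is instantiated, alongside the equivalent Java 9 ObjectInputFilter pattern. The SafeObjectInputStream class name, the deny-list prefixes, the Greeting payload and the maxdepth limit are assumptions chosen for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.List;

/*
 * Look-ahead deserialization guard (added example, not Mitel code).
 * ObjectInputStream asks resolveClass() for every class descriptor it reads,
 * before constructing the object, so a gadget class such as InvokerTransformer
 * can be refused before it ever exists in memory.
 */
public final class SafeObjectInputStream extends ObjectInputStream {

    // Package prefixes that must never be deserialized (assumption: the
    // functors packages of commons-collections 3.x and 4.x).
    static final List<String> DENIED_PREFIXES = List.of(
        "org.apache.commons.collections.functors.",
        "org.apache.commons.collections4.functors."
    );

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Pure deny-list check, kept separate so it can be unit tested
    // without the library being on the classpath.
    static boolean isDenied(String className) {
        for (String prefix : DENIED_PREFIXES) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (isDenied(desc.getName())) {
            throw new InvalidClassException(desc.getName(),
                "class is on the deserialization deny list");
        }
        return super.resolveClass(desc);
    }

    // Benign payload used for the round-trip demonstration (constructed).
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    public static void main(String[] args) throws Exception {
        // Serialize a harmless object to get a byte stream to read back.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Greeting("hello"));
        }
        byte[] bytes = bos.toByteArray();

        // 1. Look-ahead subclass (works on Java 7/8): benign class resolves normally.
        try (SafeObjectInputStream in =
                 new SafeObjectInputStream(new ByteArrayInputStream(bytes))) {
            Greeting g = (Greeting) in.readObject();
            System.out.println("deserialized: " + g.text);
        }

        // 2. Java 9+ (JEP 290) equivalent: a pattern filter on a plain stream.
        //    "!pkg.**" rejects the package and its subpackages; anything a
        //    reject pattern does not match is left undecided and so proceeds.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.collections.functors.**;"
          + "!org.apache.commons.collections4.functors.**;"
          + "maxdepth=20");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            Greeting g = (Greeting) in.readObject();
            System.out.println("filtered deserialization: " + g.text);
        }

        // The gadget's class name is refused by the deny list even when the
        // library is absent from the classpath.
        System.out.println("InvokerTransformer denied: "
            + isDenied("org.apache.commons.collections.functors.InvokerTransformer"));
    }
}
```

A deny list like this only closes the gadget chain the advisory names; an allow list of the classes an application actually expects to read (the `!*` terminal pattern in JEP 290 syntax) is the stronger setting, and not deserializing untrusted input at all is stronger still.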

Affected Products

Only products using Java, and specifically those using the vulnerable InvokerTransformer functions, are potentially vulnerable. The following products have been identified as affected (updated 2016-05-03):

Product Name                                    Product Versions        Security Bulletin  Last Updated
MiCollab (AWV)                                  MiCollab 7.0 (AWV 6.0)  15-0013-002        2016-02-01
Mitel Alarm Server                              3.0                     15-0013-003        2016-02-01
MiVoice Business - MCD (PPC)                    7.2 and earlier         15-0013-001        2016-02-01
MiVoice Business - MCD for ISS                  7.2 and earlier         15-0013-001        2016-02-01
MiVoice Business - MCD on Stratus               7.2 and earlier         15-0013-001        2016-02-01
MiVoice Business - MXe Server                   7.2 and earlier         15-0013-001        2016-02-01
Virtual MiVoice Communications Directors (vMCD) 7.2 and earlier         15-0013-001        2016-02-01

This section will be updated with Security Bulletins to identify affected products and solutions throughout the investigation.

Products Under Investigation

The following products are being evaluated to determine potential exposure and risk (updated 2016-05-03).

Product Name
BluStar Client (PC)
BluStar Server
Centergy Virtual Contact Center
Clearspan (AudioCodes eSBC / Gateway)
Clearspan (Broadworks Platform)
MiCollab with Voice (vUCC) (MiVoice BusinessExpress)
MiContact Center Office
MiVoice 5602/5603/5604/5606/5607 (DT390, DT690, DT692, DT292, DT590) IP DECT phones (Ascom OEM)
MiVoice 5624 WiFi Phone (Ascom OEM)
MiVoice IP DECT Base Station (IPBS 433/434/430/440) (Ascom OEM)
OpEasy
TA7102i, TA7104i
WSM, WSM-3 (CPDM 3) (Ascom OEM)

This section will be updated with Security Bulletins to identify affected products and solutions throughout the investigation.

Products Not Affected

The following products have been evaluated as not being affected (updated 2016-05-03):

Product Name                                                            Versions
340w and 342w                                                           All
5000 Call Manager                                                       All
5000 Compact                                                            All
5000 Gateway                                                            All
5300 Series digital                                                     All
5550 IP Console                                                         All
6700i, 6800i (Praxis) Series SIP Phones                                 All
74XXip (H323 terminal family)                                           All
9000i Series (9480i, 9143i, 9133i, 9112i) SIP Phones                    All
A1023i                                                                  All
Aastra 1560ip, 2380ip, 5300ip                                           All
AM7450 Management Center                                                All
BluStar 8000i                                                           All
BluStar Android / iOS                                                   All
Clearspan (Acme Packet Core SBC)                                        All
Clearspan (Edgewater eSBC)                                              All
CMG                                                                     All
Comdasys Convergence 4675 / 6719                                        All
Comdasys MC Client Android / iOS                                        All
CPU2 / CPU2-S on Mitel 470 Controller                                   All
CT Gateway                                                              All
D.N.A. Application Suite                                                All
DECToverIP (Mitel 100 | OpenCom 100)                                    All
DECToverIP (OC1000)                                                     All
Dialog 5446ip, 4XXXip (H323 terminal family)                            All
ER Adviser                                                              All
FMC Controller (Comdasys MC Controller, Mitel Mobile Client Controller) All
FMC Controller for Intelligate                                          All
InAttend                                                                All
MiCollab (MAS) / (SAS) / vMAs                                           All
MiCollab (MCA)                                                          All
MiCollab Advanced Messaging                                             All
MiCollab Client (Desktop/Web)                                           All
MiCollab Client (Standalone)                                            All
MiCollab Mobile Client (Android / iOS)                                  All
MiCollab NuPoint (Speech Auto Attendant, Unified Messaging)             All
MiContact Center Business / Enterprise                                  All
MiContact Center for Microsoft Lync                                     All
MiContact Center Live                                                   All
MiContact Center Outbound                                               All
Mitel 700                                                               All
Mitel 800                                                               All
Mitel MMC Android / iOS                                                 All
Mitel100/OpenComX320                                                    All
MiVoice 5610 DECT Handset and IP DECT Stand                             All
MiVoice Border Gateway (MBG)                                            All
MiVoice Business Console                                                All
MiVoice Business Dashboard                                              All
MiVoice Call Accounting                                                 All
MiVoice Call Recording                                                  All
MiVoice Conference Unit (UC360)                                         All
MiVoice Digital Phones 8528, 8568                                       All
MiVoice for Lync                                                        All
MiVoice IP Phones 53xx, 5540                                            All
MiVoice IP Phones 5560, 5505                                            All
MiVoice MX-ONE                                                          All
MiVoice Office 250 (Mitel 5000)                                         All
MiVoice Office 400                                                      All
MiXML Server                                                            All
Multi-Instance Communications Director (MiCD)                           All
MX-ONE Manager (System Performance)                                     All
MX-ONE Manager (Provisioning)                                           All
MX-ONE Manager (Telephony System)                                       All
MX-ONE Manager Availability                                             All
MX-ONE Media Gateway Unit                                               All
MX-ONE Telephony Server                                                 All
NuPoint UM (Standalone)                                                 All
Oaisys Talkument                                                        All
Oaisys Tracer                                                           All
OIG                                                                     All
Open Interfaces Platform (OIP, OIP WebAdmin)                            All
OpenCom 1000 family                                                     All
OpenPhone 7x IP                                                         All
Oria                                                                    All
PointSpan                                                               All
Redirection and Configuration Service (RCS)                             All
S850i (Revolabs OEM)                                                    All
Secure IP Remote Management SRM                                         All
SIP-DECT                                                                All
SIP-DECT Open Mobility Manager                                          All
SIP-DECT with Cloud-ID                                                  All
Solidus eCare                                                           All
SX-200IP ICP                                                            All
Telephony Switch (TSW)                                                  All
Telepo                                                                  All

Risk Assessment

The potential risk associated with this vulnerability is considered high.

Refer to the product-specific Security Bulletins for mitigation and recommendations.

Mitigation / Recommended Action

Refer to the product-specific Security Bulletins for mitigation and recommendations.

External References

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/