Mitel Product Security Advisory 21-0010

Vulnerability in Apache Log4j Libraries Affecting Mitel Products

Advisory ID: 21-0010

Publish Date: 2021-12-13

Last Updated: 2021-12-24

Revision: 11.0

 

Summary

On December 9, 2021, the following vulnerability in the Apache Log4j Java logging library affecting all Log4j v2 versions prior to 2.15.0 was disclosed:

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.

Mitel is also aware of the following recently identified Apache Log4j vulnerabilities:

  • CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to information leak and potential code execution.

  • CVE-2021-45105: Apache Log4j2 Allows uncontrolled recursion from self-referential lookups, leading to denial-of-service conditions.

Mitel is investigating any potential product exposure related to this vulnerability.

A description of this vulnerability can be found on the Apache Log4j Security Vulnerabilities page.
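Since the advisory identifies exposure by Log4j version (all 2.x releases before 2.15.0 for CVE-2021-44228), an operator waiting on the per-product bulletins can at least inventory the Log4j JARs on a host. The script below is an added example written for this page, not Mitel code or a Mitel tool: it walks a directory, opens each JAR, reads the log4j-core version from the Maven pom.properties or the manifest, and reports whether the JndiLookup class (the component exploited by CVE-2021-44228) is still present. The 2.15.0 threshold comes from the advisory; the two later CVEs listed above have higher fix versions from Apache (2.17.0 addresses all three on Java 8), so raise MIN_SAFE_VERSION when checking for them. The sample JARs it builds for its self-test are constructed fixtures, not real Log4j artifacts.

```python
"""Inventory Log4j 2 JARs and flag those below the advisory's fix version.

Added example for Mitel advisory 21-0010; not Mitel's code. Nested JARs inside
WAR/EAR files are not unpacked, so treat "review" results as a prompt to look closer.
"""
import io
import os
import re
import sys
import zipfile
from typing import List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# From the advisory: every Log4j 2.x before 2.15.0 is affected by CVE-2021-44228.
MIN_SAFE_VERSION: Tuple[int, int, int] = (2, 15, 0)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.14.1' (or '2.16') into a comparable tuple; None if not a version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def log4j_version_from_jar(jar: zipfile.ZipFile) -> Optional[Tuple[int, int, int]]:
    """Prefer the Maven pom.properties; fall back to the manifest Implementation-Version."""
    names = jar.namelist()
    if POM_PROPS in names:
        for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    if "META-INF/MANIFEST.MF" in names:
        for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    return None


def assess_jar_bytes(data: bytes) -> dict:
    """Classify one JAR (given as bytes) against MIN_SAFE_VERSION."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        # Only trust a version string if the JAR actually carries log4j-core classes.
        is_core = any(n.startswith(CORE_PREFIX) for n in names)
        has_jndi = JNDI_LOOKUP_CLASS in names
        version = log4j_version_from_jar(jar) if is_core else None
    if not is_core:
        status = "not-log4j2-core"
    elif version is None:
        status = "review"            # log4j-core present but version unreadable
    elif version >= MIN_SAFE_VERSION:
        status = "patched"
    elif has_jndi:
        status = "vulnerable"        # old version and the JNDI lookup class is still there
    else:
        status = "mitigated"         # old version, but JndiLookup.class was removed
    return {"version": version, "jndi_lookup_present": has_jndi, "status": status}


def scan_directory(root: str) -> List[Tuple[str, dict]]:
    """Walk root and assess every .jar/.war/.ear found; unreadable archives are reported, not skipped."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                try:
                    with open(path, "rb") as fh:
                        findings.append((path, assess_jar_bytes(fh.read())))
                except (zipfile.BadZipFile, OSError) as exc:
                    findings.append((path, {"status": f"unreadable: {exc}"}))
    return findings


def build_sample_jar(version: str, include_jndi: bool, log4j_core: bool = True) -> bytes:
    """Constructed fixture shaped like log4j-core (not a real Log4j artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if log4j_core:
            jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            jar.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
            if include_jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for path, result in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{result['status']:16} {result.get('version')}  {path}")
```

Run it with the application's install directory as the argument; anything reported as "vulnerable" or "review" is what the product bulletins, once published, will tell you how to remediate.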

 

Affected Products

Security Bulletins are being issued for the following products:

Mitel is investigating its products to determine which products may be affected by this vulnerability. Mitel will update this advisory as the details become available.

Any product not listed in the Products Under Investigation or Vulnerable Products section of this advisory is to be considered not vulnerable. This is an ongoing investigation; as such, be aware that products currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available.



Products Confirmed Not Vulnerable

The following products have been determined not to be affected by this vulnerability. This section will be updated as Mitel's investigation continues.

 

Risk Assessment

The risk for this vulnerability is rated as Critical. Refer to the product Security Bulletins for additional statements regarding risk.

 

Mitigation / Recommended Action

N/A

 

External References

This vulnerability was publicly disclosed by the Apache Log4j Security Vulnerabilities announcement on December 9, 2021.

 

Related CVEs / CWEs / Advisories

CVE-2021-44228

 

Revision History

Version  Date        Description
1.0      2021-12-13  Initial Version
2.0      2021-12-14  Updated product assessments
3.0      2021-12-14  Updated product assessments
4.0      2021-12-15  Updated product assessments
5.0      2021-12-15  Updated product assessments
6.0      2021-12-16  Updated product assessments
7.0      2021-12-17  Updated product assessments
8.0      2021-12-20  Updated product assessments
9.0      2021-12-21  Updated product bulletin for MiVB EX
10.0     2021-12-22  Added product bulletins for MiContact Center Nuance Speech Suite and related Nuance products; added product bulletin for MiCollab Advanced Messaging XM FAX; updated bulletins for Mitel Interaction Recording, MiCollab, and MiVB EX; updated product assessments
11.0     2021-12-24