Advisory ID: 16-0013
Publish Date: 2016-07-05
Multiple vulnerabilities have been identified in specific versions of OpenSSL.
The following CVEs have been issued against specific versions of the OpenSSL 1.0.1 and 1.0.2 cryptographic libraries:
Four of these vulnerabilities are noted by the CVE as being of moderate or high risk:
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.
Mitel is not aware of any specific products being vulnerable. However, all Linux and MSL-based products that include the OpenSSL library are potentially affected.
Security Bulletins are being issued for the following products:
|Product Name||Product Versions||Security Bulletin||Last Updated|
|MiCollab AWV||AWV 6.1 (126.96.36.199)
AWV 6.0 (188.8.131.52)
AWV 5.0 (184.108.40.206)
6.0 and earlier
|MiCollab NPM||NPM 8 SP1 (220.127.116.11)
NPM 8 (18.104.22.168)
NPM 7 SP2 (22.214.171.124)
|Mitel Standard Linux||10.5.50.0 and earlier
10.4.15.0 and earlier
10.3.39.0 and earlier
10.1.50.0 and earlier
|MiVoice Business for Industry Standard
VMware Virtual Appliance,
|MiVoice Business for Stratus||All||16-0013-002||2016-07-05|
|Server Manager for MiVoice Business for
Industry Standard Server, VMware Virtual
Appliance, Multi-instance platform
This list will be updated as additional Security Bulletins are published.
Products Under Investigation
All Enterprise products are being evaluated for these vulnerabilities. This advisory will be updated with additional information as it becomes available.
Products not Affected
OpenSSL is not included in Mitel products for use on Microsoft Windows.
The noted vulnerabilities carry varied levels of risk, ranging from low to high. Please refer to the product specific Security Bulletins for additional statements of risk.
Mitigation / Recommended Action
Newer product releases introduce security fixes for these and other identified issues. Customers are advised to update their Mitel products to newer releases when available. Please refer to the product-specific Security Bulletins for product-specific details.For Operating System platforms not provided or managed by Mitel, customers are advised to contact their Operating System vendor for further guidance.