Mitel Product Security Advisory 21-0010

Vulnerability in Apache Log4j Libraries Affecting Mitel Products

Advisory ID: 21-0010

Publish Date: 2021-12-13

Last Updated: 2022-11-16

Revision: 16.0

Summary

In December 2021, the following vulnerabilities in the Apache Log4j 2.x Java logging library were disclosed:

  • CVE-2021-44228: Apache Log4j 2.x JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints with potential for code execution.
  • CVE-2021-45046: Apache Log4j 2.x Thread Context Message Pattern and Context Lookup Pattern is vulnerable to potential information leak and code execution.
  • CVE-2021-45105: Apache Log4j 2.x is vulnerable to uncontrolled recursion from self-referential lookups, leading to denial-of-service conditions.
  • CVE-2021-44832: Apache Log4j 2.x is vulnerable to code execution when configured to use JDBCAppender or the attacker has write access to the Log4j configuration.

A description of these vulnerabilities can be found on the Apache Log4j 2.x Security Vulnerabilities page.

Additionally, in December 2021 and January 2022, the following vulnerabilities in the Apache Log4j 1.x Java logging library were disclosed:

  • CVE-2021-4104: Apache Log4j 1.x is vulnerable to deserialization of untrusted data when configured to use JMSAppender or the attacker has write access to the Log4j configuration with potential for remote code execution.
  • CVE-2022-23302: Apache Log4j 1.x is vulnerable to deserialization of untrusted data when configured to use JMSSink to perform JNDI requests or when the attacker has write access to the Log4j configuration with potential for remote code execution.
  • CVE-2022-23305: Apache Log4j 1.x when configured to use JDBCAppender is vulnerable to malicious crafted SQL strings allowing unintended SQL queries to be executed.
  • CVE-2022-23307: Apache Log4j 1.x is vulnerable to deserialization of the contents of certain log entries when the chainsaw component is run with potential for code execution.

A description of these vulnerabilities can be found on the Apache Log4j 1.2 Security Vulnerabilities page. Based on the available information, these Log4j 1.x vulnerabilities can only be exploited if the vulnerable component is configured for use, and/or the attacker already has sufficient privileges to start the service or change the configuration on the host. They therefore require a more complex attack vector, and their severity is correspondingly lower than that of the Log4j 2.x JNDI exposure.
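As an added example (not Mitel's tooling, and not part of the original advisory), the following script classifies a Log4j JAR against the CVEs listed above: it reads the version from the JAR manifest, reports which of the 2.x CVEs still apply, reports all four 1.x CVEs for any end-of-life 1.x build (subject to the configuration conditions stated above), and separately reports whether the JndiLookup class behind the 2.x JNDI issues is present. The 2.x fix thresholds (2.15.0, 2.16.0, 2.17.0, 2.17.1) are taken from the Apache Log4j security page, not from this advisory; the sample JARs are constructed in memory.

```python
"""Classify a Log4j JAR against the CVEs in this advisory (added example, not
Mitel tooling). Assumes META-INF/MANIFEST.MF carries Implementation-Version;
2.x fix thresholds are from the Apache Log4j security page, not this advisory.
"""
import io
import re
import zipfile

LOG4J2_FIXES = [  # (CVE, first 2.x main-line release that fixes it)
    ("CVE-2021-44228", (2, 15, 0)),
    ("CVE-2021-45046", (2, 16, 0)),
    ("CVE-2021-45105", (2, 17, 0)),
    ("CVE-2021-44832", (2, 17, 1)),
]
LOG4J1_CVES = ["CVE-2021-4104", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307"]
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.17.1' -> (2, 17, 1); tolerates suffixes such as '2.0-beta9'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def assess_jar(jar_bytes):
    """Return {'version', 'cves', 'jndi_lookup_present'} for an in-memory JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = set(z.namelist())
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    version = next((ln.split(":", 1)[1].strip() for ln in manifest.splitlines()
                    if ln.startswith("Implementation-Version:")), None)
    v = parse_version(version)
    if v is None:
        cves = []  # version unknown: flag the file for manual review
    elif v[0] == 1:
        cves = list(LOG4J1_CVES)  # 1.x is end-of-life; all listed 1.x issues apply
    else:
        cves = [cve for cve, fixed in LOG4J2_FIXES if v < fixed]
    # JndiLookup presence is reported separately so a class-removal mitigation can be verified
    return {"version": version, "cves": cves, "jndi_lookup_present": JNDI_LOOKUP in names}

def build_sample_jar(version, with_jndi_lookup=True):
    """Constructed sample JAR: a manifest plus an optional empty class stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi_lookup:
            z.writestr(JNDI_LOOKUP, b"")
    return buf.getvalue()
```

Point assess_jar at the bytes of a real log4j-core or log4j-1.2 JAR to use it on an actual host; a 2.x JAR that reports an empty CVE list but still contains JndiLookup is patched, not mitigated by class removal.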

Affected Products

Mitel is investigating its products to determine which products may be affected by these vulnerabilities. Mitel will update this advisory as the details become available.

This is an ongoing investigation; be aware that products currently considered not vulnerable may subsequently be found vulnerable as additional information becomes available.

Vulnerable Products

The following products have been determined to be affected by one or more of these vulnerabilities. This section will be updated as Mitel’s investigation continues.

Product Name | Product Version | Security Bulletin | Last Updated
------------ | --------------- | ----------------- | ------------
Mitel Interaction Recording (MIR) | 6.5 to 6.7 | 21-0010-001 | 2021-12-22
Mitel MiCollab | 7.1 to 9.4 SP1 | 21-0010-002 (Additional Info) | 2021-12-24
MiVoice MX-ONE | 7.4 only | 21-0010-003 | 2021-12-17
MiVoice Business EX and MiConfig Wizard | 9.2 only | 21-0010-004 | 2021-12-22
MiVoice Business Express | 7.1 to 8.1 | 21-0010-005 (Additional Info) | 2021-12-20
MiCloud Management Portal | 6.2 to 6.2 SP1 | 21-0010-006 (Additional Info) | 2021-12-17
Mitel Performance Analytics Server and Probe | 3.1.0 to R3.2.1 | 21-0010-007 | 2021-12-17
Open Integration Gateway (OIG) | R4.1 SP5 to 4.2 | 21-0010-008 (Additional Info) | 2022-01-31
MiContact Center Speech with Nuance Speech Suite, Nuance ASR (Speech Recognizer), Nuance TTS (Text to Speech/Vocalizer) | R11.0.6 to R11.0.8 | 21-0010-009 | 2021-12-22
MiContact Center Enterprise with Nuance Speech Suite | R11.0.6 to R11.0.8 | 21-0010-010 | 2021-12-22
MiCollab Advanced Messaging XM FAX | R8.0 to R9.0 | 21-0010-011 | 2021-03-22
Mitel Virtual Reception | Prior to and 8.5 SP3 | 21-0010-012 | 2022-02-23
MiCollab Advanced Messaging | Prior to and R9.2 | 21-0010-013 | 2022-03-22
Mitel CMG Suite | Prior to and R8.5 SP3 | 21-0010-014 | 2022-06-08
Mitel InAttend | Prior to and R2.6 SP3 | 21-0010-015 | 2022-06-08
MiVoice Connect (including earlier versions 14.2) | Prior to and R19.2 SP3 | 21-0010-016 | 2022-06-08
MiVoice Connect Contact Center (including earlier versions 14.2) | Prior to and R19.2 SP2 | 21-0010-017 | 2022-06-08
MiVoice Business Console | Prior to and R9.1.1.29 | 21-0010-018 | 2022-06-08
MiVoice Office 400 Open Interface Platform | Prior to and 8.9.1.19 | 21-0010-019 | 2022-06-08
MiContact Center Business | R8.1.0.0 to R9.3.5.0 | 21-0010-020 | 2022-06-08
Mitel Alarm Server | Prior to and R4.1 | 21-0010-021 | 2022-11-16
Mitel SIP DECT | Prior to and R8.3 SP3 | 21-0010-022 | 2022-11-16
MiContact Center Business and MiContact Center Enterprise with Neverfail High Availability | Prior to and Neverfail v9 update 2 | 21-0010-023 | 2022-11-16

Product Assessments

The following table provides the status of Mitel products which may be affected by the vulnerabilities listed in the Summary section above.

Mitel is investigating these products to determine whether they are affected by the Log4j 1.x vulnerabilities. Products listed here with the status "Investigating" have been confirmed NOT to be affected by the listed Log4j 2.x vulnerabilities.

This section will be updated as Mitel’s investigation continues.

Product Name | Product Version | Status
------------ | --------------- | ------
Mitel Standard Linux (MSL) | All | Not vulnerable
MiVoice Business (excluding MiVoice Business EX and MiConfig Wizard noted above in Vulnerable Products) | All | Not vulnerable
MiVoice Business Multi-Instance | All | Not vulnerable
MiVoice 5000 | All | Not vulnerable
MiVoice Office 400 | All | Not vulnerable
MiVoice Office 250 | All | Not vulnerable
Mitel 100 series | All | Not vulnerable
Mitel Mobility Router (including earlier versions 14.2) | All | Not vulnerable
MiVoice Border Gateway | All | Not vulnerable
Mitel Management Gateway | All | Not vulnerable
Mitel 6900 series, 6800 series, 5300 series, IP400 series, IP Phones | All | Not vulnerable
Mitel 5624 and 5634 WiFi Handsets | All | Not vulnerable
Mitel IP-DECT | All | Not vulnerable
Mitel IP Phone SW Server | All | Not vulnerable
MiVoice Office 250 Application Suite | All | Not vulnerable
MiVoice Office Web Application | All | Not vulnerable
MiVoice Office Mobile Application | All | Not vulnerable
Mitel One Web Application | All | Not vulnerable
Mitel One Mobile Application | All | Not vulnerable
MiTeam Meetings Web Application | All | Not vulnerable
MiTeam Meetings Desktop Application | All | Not vulnerable
MiContact Center Enterprise (excluding Nuance Speech Suite noted above in Vulnerable Products) | All | Not vulnerable
Mitel 5000 Contact Center | V3.3 A10 SP1 and above | Not vulnerable
MiContact Center Outbound | All | Not vulnerable
Mitel WorkForce Management | All | Not vulnerable
MiVoice Call Recording | All | Not vulnerable
Mitel Business Analytics | All | Not vulnerable
Mitel Mass Notification | All | Not vulnerable
Mitel Open Count | All | Not vulnerable
Mitel Companion | All | Not vulnerable
Connected Guests iCharge, iLink, InnLine | All | Not vulnerable
Mitel Business CTI Enterprise | All | Not vulnerable
Mitel MetaDirectory | All | Not vulnerable
Mitel TAPI-Link | All | Not vulnerable
Mitel Revolution | All | Not vulnerable

Risk Assessment

The risk for the CVE-2021-44228 vulnerability is rated as Critical. The additional vulnerabilities are rated as high to moderate. Refer to the product Security Bulletins for additional statements regarding risk.

Mitigation / Recommended Action

N/A

External References

These vulnerabilities were publicly disclosed by the Apache Log4j Security Vulnerabilities announcements.

Related CVEs / CWEs / Advisories

CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307

Revision History

Version | Date | Description
------- | ---- | -----------
1.0 | 2021-12-13 | Initial Version
2.0 | 2021-12-14 | Updated product assessments
3.0 | 2021-12-14 | Updated product assessments
4.0 | 2021-12-15 | Updated product assessments
5.0 | 2021-12-15 | Updated product assessments
6.0 | 2021-12-16 | Updated product assessments
7.0 | 2021-12-17 | Updated product assessments
8.0 | 2021-12-20 | Updated product assessments
9.0 | 2021-12-21 | Updated product bulletin for MiVB EX
10.0 | 2021-12-22 | Added product bulletins for MiContact Center Nuance Speech Suite and related Nuance products; added product bulletin for MiCollab Advanced Messaging XM FAX; updated bulletins for Mitel Interaction Recording, MiCollab, and MiVB EX; updated product assessments
11.0 | 2021-12-24 | Updated bulletin and additional info for MiCollab
12.0 | 2022-01-31 | Updated bulletin for Open Integration Gateway (OIG)
13.0 | 2022-02-23 | Added product bulletin for Virtual Reception; updated product assessment status for Log4j 1.x vulnerabilities
14.0 | 2022-03-22 | Updated product assessments; added bulletin updates for Log4j 1.x vulnerabilities
15.0 | 2022-06-08 | Updated product assessments and bulletins for Log4j 1.x vulnerabilities
16.0 | 2022-11-16 | Updated product assessments and bulletins for Log4j 1.x vulnerabilities
