Mitel Product Security Advisory 21-0010
Mitel Product Security Advisory 21-0010
Vulnerability in Apache Log4j Libraries Affecting Mitel Products
Advisory ID: 21-0010
Publish Date: 2021-12-13
Last Updated: 2022-11-16
Revision: 16.0
Summary
In December 2021, the following vulnerabilities in the Apache Log4j 2.x Java logging library were disclosed:
- CVE-2021-44228: Apache Log4j 2.x JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints with potential for code execution.
- CVE-2021-45046: Apache Log4j 2.x Thread Context Message Pattern and Context Lookup Pattern is vulnerable to potential information leak and code execution.
- CVE-2021-45105: Apache Log4j 2.x is vulnerable to uncontrolled recursion from self-referential lookups, leading to denial-of-service conditions.
- CVE-2021-44832: Apache Log4j 2.x is vulnerable to code execution when configured to use JDBCAppender or the attacker has write access to the Log4j configuration.
A description of these vulnerabilities can be found on the Apache Log4j 2.x Security Vulnerabilities page.
Additionally, in December 2021 and January 2022, the following vulnerabilities in the Apache Log4j 1.x Java logging library were disclosed:
- CVE-2021-4104: Apache Log4j 1.x is vulnerable to deserialization of untrusted data when configured to use JMSAppender or the attacker has write access to the Log4j configuration with potential for remote code execution.
- CVE-2022-23302: Apache Log4j 1.x is vulnerable to deserialization of untrusted data when configured to use JMSSink to perform JNDI requests or when the attacker has write access to the Log4j configuration with potential for remote code execution.
- CVE-2022-23305: Apache Log4j 1.x when configured to use JDBCAppender is vulnerable to malicious crafted SQL strings allowing unintended SQL queries to be executed.
- CVE-2022-23307: Apache Log4j 1.x is vulnerable to deserialization of the contents of certain log entries when the chainsaw component is run with potential for code execution.
A description of these vulnerabilities can be found on the Apache Log4j 1.2 Security Vulnerabilities page. Based on the available information, these vulnerabilities in Log4j 1.x may only be exploited if the vulnerable component is configured for use, and/or the attacker has sufficient privileges to start the service or change the configuration on the host. These vulnerabilities require a more complex attack vector, resulting in lower severity of these vulnerabilities relative to the log4j 2.x JNDI exposure.
Affected Products
Mitel is investigating its products to determine which products may be affected by these vulnerabilities. Mitel will update this advisory as the details become available.
This is an ongoing investigation, as such be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available.
Vulnerable Products
The following products have been determined to be affected by one or more of these vulnerabilities. This section will be updated as Mitel’s investigation continues.
| Product Name | Product Version | Security Bulletin | Last Updated |
|---|---|---|---|
| Mitel Interaction Recording (MIR) | 6.5 to 6.7 | 21-0010-001 | 2021-12-22 |
| Mitel MiCollab | 7.1 to 9.4 SP1 | 21-0010-002 Additional Info | 2021-12-24 |
| MiVoice MX-ONE | 7.4 only | 21-0010-003 | 2021-12-17 |
| MiVoice Business EX and MiConfig Wizard | 9.2 only | 21-0010-004 | 2021-12-22 |
| MiVoice Business Express | 7.1 to 8.1 | 21-0010-005 Additional Info | 2021-12-20 |
| MiCloud Management Portal | 6.2 to 6.2 SP1 | 21-0010-006 Additional Info | 2021-12-17 |
| Mitel Performance Analytics Server and Probe | 3.1.0 to R3.2.1 | 21-0010-007 | 2021-12-17 |
| Open Integration Gateway (OIG) | R4.1 SP5 to 4.2 | 21-0010-008 Additional Info | 2022-01-31 |
| MiContact Center Speech with Nuance Speech Suite Nuance ASR (Speech Recognizer) Nuance TTS (Text to Speech/Vocalizer) | R11.0.6 to R11.0.8 | 21-0010-009 | 2021-12-22 |
| MiContact Center Enterprise with Nuance Speech Suite | R11.0.6 to R11.0.8 | 21-0010-010 | 2021-12-22 |
| MiCollab Advanced Messaging XM FAX | R8.0 to R9.0 | 21-0010-011 | 2021-03-22 |
| Mitel Virtual Reception | Prior to and 8.5 SP3 | 21-0010-012 | 2022-02-23 |
| MiCollab Advanced Messaging | Prior to and R9.2 | 21-0010-013 | 2022-03-22 |
| Mitel CMG Suite | Prior to and R8.5 SP3 | 21-0010-014 | 2022-06-08 |
| Mitel InAttend | Prior to and R2.6 SP3 | 21-0010-015 | 2022-06-08 |
| MiVoice Connect (including earlier versions 14.2) | Prior to and R19.2 SP3 | 21-0010-016 | 2022-06-08 |
| MiVoice Connect Contact Center (including earlier versions 14.2) | Prior to and R19.2 SP2 | 21-0010-017 | 2022-06-08 |
| MiVoice Business Console | Prior to and R9.1.1.29 | 21-0010-018 | 2022-06-08 |
| MiVoice Office 400 Open Interface Platform | Prior to and 8.9.1.19 | 21-0010-019 | 2022-06-08 |
| MiContact Center Business | R8.1.0.0 to R9.3.5.0 | 21-0010-020 | 2022-06-08 |
| Mitel Alarm Server | Prior to and R4.1 | 21-0010-021 | 2022-11-16 |
| Mitel SIP DECT | Prior to and R8.3 SP3 | 21-0010-022 | 2022-11-16 |
| MiContact Center Business and MiContact Center Enterprise with Neverfail High Availability | Prior to and Neverfail v9 update 2 | 21-0010-023 | 2022-11-16 |
Product Assessments
The following table provides the status of Mitel products which may be affected by the vulnerabilities listed in the Summary section above.
Mitel is investigating these products to determine if they are affected by log4j 1.x vulnerabilities. The products listed here with status investigating have been confirmed NOT to be affected by the listed log4j 2.x vulnerabilities.
This section will be updated as Mitel’s investigation continues.
| Product Name | Product Version | Status |
|---|---|---|
| Mitel Standard Linux (MSL) | All | Not vulnerable |
| MiVoice Business (excluding MiVoice Business EX and MiConfig Wizard noted above in Vulnerable Products) | All | Not vulnerable |
| MiVoice Business Multi-Instance | All | Not vulnerable |
| MiVoice 5000 | All | Not vulnerable |
| MiVoice Office 400 | All | Not vulnerable |
| MiVoice Office 250 | All | Not vulnerable |
| Mitel 100 series | All | Not vulnerable |
| Mitel Mobility Router (including earlier versions 14.2) | All | Not vulnerable |
| MiVoice Border Gateway | All | Not vulnerable |
| Mitel Management Gateway | All | Not vulnerable |
| Mitel 6900 series, 6800 series, 5300 series, IP400 series, IP Phones | All | Not vulnerable |
| Mitel 5624 and 5634 WiFI Handsets | All | Not vulnerable |
| Mitel IP-DECT | All | Not vulnerable |
| Mitel IP Phone SW Server | All | Not vulnerable |
| MiVoice Office 250 Application Suite | All | Not vulnerable |
| MiVoice Office Web Application | All | Not vulnerable |
| MiVoice Office Mobile Application | All | Not vulnerable |
| Mitel One Web Application | All | Not vulnerable |
| Mitel One Mobile Application | All | Not vulnerable |
| MiTeam Meetings Web Application | All | Not vulnerable |
| MiTeam Meetings Desktop Application | All | Not vulnerable |
| MiContact Center Enterprise (excluding Nuance Speech Suite noted above in vulnerable products) | All | Not vulnerable |
| Mitel 5000 Contact Center | V3.3 A10 SP1 and above | Not vulnerable |
| MiContact Center Outbound | All | Not vulnerable |
| Mitel WorkForce Management | All | Not vulnerable |
| MiVoice Call Recording | All | Not vulnerable |
| Mitel Business Analytics | All | Not vulnerable |
| Mitel Mass Notification | All | Not vulnerable |
| Mitel Open Count | All | Not vulnerable |
| Mitel Companion | All | Not vulnerable |
| Connected Guests iCharge, iLink, InnLine | All | Not vulnerable |
| Mitel Business CTI Enterprise | All | Not vulnerable |
| Mitel MetaDirectory | All | Not vulnerable |
| Mitel TAPI-Link | All | Not vulnerable |
| Mitel Revolution | All | Not vulnerable |
Risk Assessment
The risk for CVE-2021-44228 vulnerability is rated as Critical. The additional vulnerabilities are rated as high to moderate. Refer to the product Security Bulletins for additional statements regarding risk.
Mitigation / Recommended Action
N/A
External References
These vulnerabilities were publicly disclosed by the Apache Log4j Security Vulnerabilities announcements.
Related CVEs / CWEs / Advisories
CVE-2021-44228 CVE-2021-45046 CVE-2021-45105 CVE-2021-44832 CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 2021-12-13 | Initial Version |
| 2.0 | 2021-12-14 | Updated product assessments |
| 3.0 | 2021-12-14 | Updated product assessments |
| 4.0 | 2021-12-15 | Updated product assessments |
| 5.0 | 2021-12-15 | Updated product assessments |
| 6.0 | 2021-12-16 | Updated product assessments |
| 7.0 | 2021-12-17 | Updated product assessments |
| 8.0 | 2021-12-20 | Updated product assessments |
| 9.0 | 2021-12-21 | Updated product bulletin for MiVB EX |
| 10.0 | 2021-12-22 | Added product bulletins for MiContact Center Nuance Speech Suite and related Nuance products; added product bulletin for MiCollab Advanced messaging XM FAX; updated bulletins for Mitel Interaction Recording, MiCollab, and MiVB EX, updated product assessments |
| 11.0 | 2021-12-24 | Updated bulletin and additional info for MiCollab |
| 12.0 | 2022-01-31 | Updated bulletin for Open Integration Gateway (OIG) |
| 13.0 | 2022-02-23 | Added product bulletin for Virtual Reception; updated product assessment status for log4j 1.x vulnerabilities |
| 14.0 | 2022-03-22 | Updated product assessments; added bulletin updates for log4j 1.x vulnerabilities |
| 15.0 | 2022-06-08 | Updated product assessments and bulletins for log4j 1.x vulnerabilities |
| 16.0 | 2022-11-16 | Updated product assessments and bulletins for log4j 1.x vulnerabilities |