Avaya Orchestration Designer 8.1.2

  • avc880818262214
    Hot Shot
    • Jan 2025
    • 11

    Avaya Orchestration Designer 8.1.2

    We are using Avaya Orchestration Designer (OD) 8.1.2 for our IVR application. During a Veracode security scan of the deployed application, we identified a security hotspot reported in the Avaya OD runtime library. Attached is the report; we need your help to fix the issues.
    Last edited by avc880818262214; 03-27-2026, 12:58 AM.
  • avc880818262214
    Hot Shot
    • Jan 2025
    • 11

    #2
    Error Descriptions

    Description

    A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may create unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the constructor of the untrusted class name will have already executed.

    Recommendations

    Validate the class name against a combination of white and black lists to ensure that only expected behavior is produced.

    Instances found via Static Scan (columns: flaw ID, module, source file, line, exploitability, date found)

    25 EG-Sphynx_IVR.war/scert-08.12.11.01.jar com/.../internal/ClassFinder.java 30 Likely 2/23/26
    29 EG-Sphynx_IVR.war/avdbop-rt-08.12.11.01.jar com/.../runtime/ccxml/DbProxy.java 89 Likely 2/23/26
    32 EG-Sphynx_IVR.war/scert-08.12.11.01.jar com/.../OutputGenerator.java 97 Likely 2/23/26
    28 EG-Sphynx_IVR.war/avrest-rt-08.12.11.01.jar com/.../ccxml/Ws2Proxy.java 58 Likely 2/23/26

    2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.

    Description

    Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().

    Recommendations

    If this random number is used where security is a concern, such as generating a session identifier or cryptographic key, use a trusted cryptographic random number generator instead.

    Instances found via Static Scan (columns: flaw ID, module, source file, line, exploitability, date found)

    35 EG-Sphynx_IVR.war/scert-08.12.11.01.jar com/.../runtime/GrammarRule.java 41 Unlikely 2/23/26
    26 EG-Sphynx_IVR.war/scert-08.12.11.01.jar com/.../html/OutputGenerator.java 1152 Unlikely 2/23/26

    Description

    A function call contains an HTTP response splitting flaw. Writing untrusted input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.

    Recommendations

    Remove unexpected carriage returns and line feeds from untrusted data used to construct an HTTP response. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

    Instances found via Static Scan (columns: flaw ID, module, source file, line, exploitability, date found)

    33 EG-Sphynx_IVR.war/scert-08.12.11.01.jar com/.../OutputGenerator.java 362 Likely 2/23/26
    34 EG-Sphynx_IVR.war/scert-08.12.11.01.jar com/.../OutputGenerator.java 364 Likely 2/23/26
    31 EG-Sphynx_IVR.war/scert-08.12.11.01.jar com/.../runtime/SCEServlet.java 1499 Likely 2/23/26

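The three recommendations in the report above, written out as hardened Java patterns in an added example that is not Avaya's code and not taken from the OD runtime jars; the allow-listed class names are constructed placeholders.

```java
import java.security.SecureRandom;
import java.util.Set;

/** Hardened counterparts of the three flaw classes the scan reports (constructed example). */
public final class HardenedPatterns {

    // Allow list of fully qualified class names the application expects to instantiate.
    // Constructed placeholders: real entries would come from the application's own configuration.
    private static final Set<String> ALLOWED_CLASSES = Set.of(
            "com.example.ivr.DefaultHandler",
            "com.example.ivr.DatabaseHandler");

    /** Unsafe reflection fix: instantiate by name only if allow-listed AND of the expected type. */
    public static <T> T newAllowedInstance(String className, Class<T> expectedType) throws Exception {
        if (className == null || !ALLOWED_CLASSES.contains(className)) {
            throw new IllegalArgumentException("class not permitted: " + className);
        }
        // initialize=false: no static initializer runs before the type check below has passed,
        // and the constructor runs only after it, unlike a bare Class.forName(name).newInstance().
        Class<?> clazz = Class.forName(className, false, HardenedPatterns.class.getClassLoader());
        if (!expectedType.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("class does not implement " + expectedType.getName());
        }
        return expectedType.cast(clazz.getDeclaredConstructor().newInstance());
    }

    // Insufficient entropy fix: a cryptographic RNG instead of java.util.Random / Math.random().
    private static final SecureRandom RNG = new SecureRandom();

    /** Hex token suitable for a session identifier or nonce. */
    public static String newToken(int byteLength) {
        byte[] buf = new byte[byteLength];
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(byteLength * 2);
        for (byte b : buf) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Response splitting fix: strip CR, LF and other control characters before the value
     *  reaches HttpServletResponse.setHeader()/addHeader(), as the report recommends. */
    public static String safeHeaderValue(String untrusted) {
        if (untrusted == null) return "";
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c == '\r' || c == '\n' || c < 0x20 || c == 0x7f) continue; // drop control chars
            sb.append(c);
        }
        return sb.toString();
    }
}
```

These patterns apply to code you own; for findings located inside the vendor jars (scert, avdbop-rt, avrest-rt) the fix or a documented mitigation has to come from the library maintainer, so the report's module and line references are what to include when raising it.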