Avaya Support Forums

Avaya Support Forums (http://support.avaya.com/forums/index.php)
-   Avaya Aura & Unified Communications (http://support.avaya.com/forums/forumdisplay.php?f=2)
-   -   CVE-2015-0235 GHOST vulnerability (http://support.avaya.com/forums/showthread.php?t=5958)

walmsls 02-19-2015 03:45 PM

I finally got a reply from the backbone engineer working on my support request. Here is their reply.

Below are the links for the Avaya Security Announcements that have been released in regards to CVE-2015-0235 glibc vulnerability (“street name” of GHOST).

RHEL4: ASA-2015-072 – https://downloads.avaya.com/css/P8/documents/101006705
RHEL5 ASA-2015-070 - https://downloads.avaya.com/css/P8/documents/101006702
RHEL6 ASA-2015-071 - https://downloads.avaya.com/css/P8/documents/101006704

Depending on the products that you are currently using if they are at a supported software for example CM 6.3 the fixes are due in the next Security Pack which is expected by the end of March. This can change depending on testing, release dates changing, etc.

If the Product Software is End of Support there will be no fixes released and the software will need to be upgraded in order to receive the security fix.

Vulnerability for CVE-2015-0235 = MEDIUM

The risk is rated Medium for all listed products because the exploit would require local account access. Remote attack may not be possible, because either the DNS server is not running or the products sanitize the input and provide name resolution to trusted hosts only within the enterprise. Additionally, the known affected programs or utilities are not used and additional protection mechanisms are in place to protect the products from remote exploit.

So, it looks like wait for the end of March for a security patch...

All times are GMT -7. The time now is 01:35 PM.