Avaya Support Forums > Avaya Aura & Unified Communications
#1 | 01-28-2015, 09:03 AM | jmunfo (Member)
CVE-2015-0235 GHOST vulnerability

Is anyone aware of the impact that CVE-2015-0235 GHOST vulnerability has on Avaya CM products?

As you may have already heard, a high severity vulnerability affecting Linux GNU C Library (glibc) was announced this morning. The vulnerability known as GHOST (CVE-2015-0235) affects many systems built on Linux starting with glibc-2.2 as well as Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04, and allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials.

We are recommending all Qualys customers take immediate action by scanning with the Qualys Vulnerability Management (VM) cloud solution as QID 123191. You can get reports detailing enterprise-wide exposure during your next scanning cycle to get visibility into the impact within your organization and efficiently track the remediation progress of this serious vulnerability. If you think you may be affected, patches are available from all of the Linux vendors starting today.

For more information on GHOST, follow the conversation on our Laws of Vulnerabilities blog.

#2 | 01-28-2015, 11:28 AM | mlombardi1 (Legend)

Most enterprise Avaya products run on a modified RHEL or CentOS load, so I'd wager Avaya is highly vulnerable. Let's see how quickly we see remediation released.
#3 | 01-29-2015, 08:13 AM | willamsj (Member)

https://downloads.avaya.com/css/P8/documents/101006648

Apparently Avaya's "final" advisory status is that there are no RHEL Avaya products, therefore no vulnerability.

I opened a case with Avaya support to get attention to this and seek clarification.
__________________
NNCSE CS1000, NNCSE NES SCCS/CC, NNCSS Callpilot

#4 | 01-29-2015, 11:28 AM | walmsls (Member)

Thank you for the link to the ASA. I too opened a Support Request with Avaya for validation because a ZDNet article (link below) lists several Linux distros as affected, CentOS included, which Avaya uses as the OS.

http://www.zdnet.com/article/critica...ty-hole-found/
#5 | 01-29-2015, 11:50 AM | willamsj (Member)

Here's what I've found so far. Still waiting for a response from the BBE who took the case; he indicated that he needs to research.

Checking 7.6 and 7.5 Linux servers, the RHEL OS release is 5.3. According to Red Hat's publication, that release is not listed as affected.

What is uncertain in my mind is whether this is because the release is no longer supported by RH and therefore they didn't even test for the vulnerability, or if it was tested and has been verified as not affected (perhaps because the earlier release of the library does not contain the vulnerability).
__________________
NNCSE CS1000, NNCSE NES SCCS/CC, NNCSS Callpilot
#6 | 01-29-2015, 12:19 PM | willamsj (Member)

https://access.redhat.com/articles/1332213
This indicates that all releases of RHEL are affected; however, there are no fixes listed from RH for release 5.3.

I've passed this information on to Avaya.
__________________
NNCSE CS1000, NNCSE NES SCCS/CC, NNCSS Callpilot
#7 | 01-29-2015, 12:41 PM | willamsj (Member)

FYI

CS1K 7.5 and 7.65 both use RHEL 5.3
According to a ZDNet article, all glibc releases from 2.2 through 2.17 are affected by this vulnerability.
7.65 uses glibc 2.5.

Therefore the CS1K Linux systems are likely vulnerable.

However, Avaya has not completed their analysis and they have indicated that the bulletin that has been released does not cover these CS1K products (therefore there is no security advisory available for CS1K products, not even a preliminary one).

Additionally, it is unlikely that the CM product has been evaluated either.
__________________
NNCSE CS1000, NNCSE NES SCCS/CC, NNCSS Callpilot

#8 | 01-30-2015, 06:52 AM | mlombardi1 (Legend)

Checked the OS and library versions on the following products. Looks like everything is vulnerable except SBC-E 6.2.

SAL 2.2 SP1 on VMware:
CentOS release 5.8 (Final)
glibc-2.5-81.el5_8.7
glibc-2.5-81.el5_8.7


CM 6.3 SP7:
Red Hat Enterprise Linux Server release 5.3 (Tikanga)
glibc-2.5-107.el5_9.4.AV1

System Manager 6.3 SP6:
CentOS release 5.6 (Final)
glibc-2.5-118.el5_10.2
glibc-2.5-118.el5_10.2


Session Manager 6.3 SP6:
Enterprise Linux Server release 6.2 (Feb 07 11:23:30 MST 2013)
glibc-2.12-1.80.el6_3.5.x86_64
glibc-2.12-1.80.el6_3.5.i686


AES 6.3.1:
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
glibc-2.5-81.el5_8.7

Utility Server 6.3.3.0.20:
CentOS release 5.7 (Final)
glibc-2.5-118

WebLM 6.3.2 on VMware:
CentOS release 5.6 (Final)
glibc-2.5-107.el5_9.4
glibc-2.5-107.el5_9.4


CMS R17 on VMware:
Red Hat Enterprise Linux Server release 6.3 (Santiago)
glibc-2.12-1.80.el6.x86_64
glibc-2.12-1.80.el6.i686


SBC-E 6.2.1.Q18:
MontaVista 4.2.0-16.0.25.0801283 2008-06-17
package glibc is not installed

System Platform 6.3.1:
CentOS release 5.9 (Final)
glibc-2.5-107.el5_9.5.x86_64
glibc-2.5-107.el5_9.5.i686


Aura Messaging 6.3.1 SP0:
Red Hat Enterprise Linux Server release 5.3 (Tikanga)
glibc-2.5-81.el5_8.7.AV1
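As an added example (not code from this thread, from Avaya or from Red Hat), the following Python script triages `rpm -q glibc` output lines like the ones listed above. It parses the upstream glibc version, the vendor release and the architecture, flags anything inside the glibc 2.2 through 2.17 range cited in the thread as upstream-affected, and then compares the vendor release against a caller-supplied minimum fixed build with a simplified rpmvercmp. The `EXAMPLE_FIXED` baselines and the "constructed patched host" line are made up for the demonstration only; the real minimum fixed releases must be read from the vendor erratum for your RHEL or CentOS major version. Avaya's own `.AV1` rebuilds are reported separately, because a Red Hat baseline says nothing about an Avaya rebuild and only an Avaya advisory can clear those.

```python
"""Triage 'rpm -q glibc' output against the GHOST (CVE-2015-0235) version range."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Upstream range quoted in the thread: glibc 2.2 through 2.17 affected, 2.18 fixed.
AFFECTED_MIN = (2, 2)
FIXED_UPSTREAM = (2, 18)
ARCHES = {"x86_64", "i686", "i386", "noarch"}
PKG_RE = re.compile(r"^glibc-(?P<ver>\d+(?:\.\d+)+)-(?P<rel>\S+)$")


@dataclass
class GlibcPackage:
    version: tuple            # upstream version, e.g. (2, 5)
    release: str              # vendor release, e.g. "107.el5_9.4.AV1"
    arch: Optional[str]       # "x86_64"/"i686", or None when rpm printed none
    dist: Optional[str]       # "el5"/"el6" taken from the release, else None


def parse_glibc(line: str) -> Optional[GlibcPackage]:
    """Split one rpm -q glibc line into upstream version, release, arch and dist tag."""
    m = PKG_RE.match(line.strip())
    if not m:
        return None
    rel, arch = m.group("rel"), None
    head, _, tail = rel.rpartition(".")
    if tail in ARCHES:            # rpm appends the arch only when configured to
        rel, arch = head, tail
    dist_m = re.search(r"\.(el\d+)", rel)
    version = tuple(int(p) for p in m.group("ver").split("."))
    return GlibcPackage(version, rel, arch, dist_m.group(1) if dist_m else None)


def _segments(s: str) -> List[str]:
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: alternating numeric/alpha segments, numeric sorts newer
    than alpha, and with an equal prefix the longer string is newer (no tilde/caret)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def assess(line: str, fixed_release: Optional[Dict[str, str]] = None) -> str:
    """Classify one rpm -q glibc line. fixed_release maps a dist tag ("el5") to the
    minimum vendor release carrying the backported fix, taken from the vendor erratum."""
    fixed_release = fixed_release or {}
    if line.strip() == "package glibc is not installed":
        return "not_installed"
    pkg = parse_glibc(line)
    if pkg is None:
        return "unparsed"
    if not (AFFECTED_MIN <= pkg.version < FIXED_UPSTREAM):
        return "outside_affected_upstream_range"
    if re.search(r"\.AV\d+$", pkg.release):
        # Avaya rebuilds (.AV1) are not Red Hat builds; only Avaya's own ASA can clear them.
        return "avaya_rebuild_consult_asa"
    baseline = fixed_release.get(pkg.dist)
    if baseline is None:
        return "affected_upstream_no_vendor_baseline"
    return "vendor_fixed" if rpm_vercmp(pkg.release, baseline) >= 0 else "below_vendor_fix"


def summarize(inventory: Dict[str, List[str]], fixed_release: Dict[str, str]) -> Dict[str, List[str]]:
    """One sorted, de-duplicated list of verdicts per product."""
    return {product: sorted({assess(l, fixed_release) for l in lines})
            for product, lines in inventory.items()}


# Constructed sample: rpm -q glibc lines as posted in this thread, plus one made-up
# patched line so the 'vendor_fixed' branch is exercised.
INVENTORY = {
    "SAL 2.2 SP1": ["glibc-2.5-81.el5_8.7"],
    "CM 6.3 SP7": ["glibc-2.5-107.el5_9.4.AV1"],
    "System Manager 6.3 SP6": ["glibc-2.5-118.el5_10.2"],
    "Session Manager 6.3 SP6": ["glibc-2.12-1.80.el6_3.5.x86_64", "glibc-2.12-1.80.el6_3.5.i686"],
    "Utility Server 6.3.3.0.20": ["glibc-2.5-118"],
    "CMS R17": ["glibc-2.12-1.80.el6.x86_64", "glibc-2.12-1.80.el6.i686"],
    "SBC-E 6.2.1.Q18": ["package glibc is not installed"],
    "Aura Messaging 6.3.1 SP0": ["glibc-2.5-81.el5_8.7.AV1"],
    "constructed patched host": ["glibc-2.5-250.el5_11.1.x86_64"],
}
# Hypothetical baselines, constructed for this example only; the real minimum fixed
# releases come from the Red Hat erratum for your RHEL/CentOS major version.
EXAMPLE_FIXED = {"el5": "200.el5", "el6": "1.200.el6"}

if __name__ == "__main__":
    for product, verdicts in summarize(INVENTORY, EXAMPLE_FIXED).items():
        print(f"{product:28} {', '.join(verdicts)}")
```

Running it prints one verdict per product. A `below_vendor_fix` or `affected_upstream_no_vendor_baseline` verdict is the one to raise with the vendor; it is the same distinction post #5 draws between a release that is merely "not listed" and one that has actually been verified as not affected.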
#9 | 02-02-2015, 02:13 AM | jmunfo (Member)
glibc security update (RHSA-2015-0099)

Avaya have fed back the following:

glibc security update (RHSA-2015-0099)

Original Release Date: January 28, 2015
Last Revised: January 28, 2015
Number: ASA-2015-047
Risk Level: None
Advisory Version: 1.0
Advisory Status: Final

1. Overview:

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.
A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-0235 to this issue.
No Avaya system products are vulnerable, as the affected RHEL AUS, EUS and LL Operating Systems are not installed by default.
More information about these vulnerabilities can be found in the security advisory issued by Red Hat:
2. Avaya System Products using a RHEL AUS, EUS or LL Operating System: None

3. Avaya Software-Only Products:

Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.
In the case of this advisory Avaya software-only products are not affected by the vulnerability directly but the underlying Linux platform may be. Customers should determine on which Linux operating system the product was installed and then follow that vendor's guidance.
Product / Actions:
Avaya Aura® Application Enablement Services: Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the AES application.
Avaya IQ: Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the Avaya IQ application.
CVLAN: Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the CVLAN application.
Avaya Aura® Experience Portal: Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the EP application.
Avaya Integrated Management Suite (IMS): Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the IMS application.
Avaya Aura® Presence Services: Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the PS application.
Recommended Actions for Software-Only Products:
In the event that the affected package is installed, Avaya recommends following recommended actions supplied by Red Hat regarding their Enterprise Linux.

4. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.
5. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION, IS PROVIDED "AS IS", AND IS APPLICABLE ONLY TO PRODUCT VERSIONS ELIGIBLE FOR MANUFACTURER SUPPORT IN ACCORDANCE WITH AVAYA PRODUCT LIFE CYCLE POLICY. AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.
6. Revision History:

V 1.0 - January 28, 2015 - Initial Statement issued.
Avaya customers or Business Partners should report any security issues found with Avaya products via the standard support process.
Independent security researchers can contact Avaya at securityalerts@avaya.com.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
#10 | 02-02-2015, 06:09 AM | willamsj (Member)

Quote:
From: Ananthakrishnan, Ganesh (Ganesh) On Behalf Of Product Security Alerts
Sent: Thursday, January 29, 2015 11:29 AM
To: redacted; Product Security Alerts
Subject: RE: RHSA-2015-0099


Avaya products do not use RHEL AUS, EUS or LL Operating Systems. Avaya uses RHEL and an advisory for RHEL5 and RHEL6 will be published as soon as we finish investigating the impact of this, on our products.

Ganesh
PSST (Product Security Support Team)
__________________
NNCSE CS1000, NNCSE NES SCCS/CC, NNCSS Callpilot