Avaya Support Forums  

  #1  
01-28-2015, 08:03 AM
jmunfo

CVE-2015-0235 GHOST vulnerability

Is anyone aware of the impact that CVE-2015-0235 GHOST vulnerability has on Avaya CM products?

As you may have already heard, a high severity vulnerability affecting Linux GNU C Library (glibc) was announced this morning. The vulnerability known as GHOST (CVE-2015-0235) affects many systems built on Linux starting with glibc-2.2 as well as Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04, and allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials.

We are recommending all Qualys customers take immediate action by scanning with the Qualys Vulnerability Management (VM) cloud solution as QID 123191. You can get reports detailing enterprise-wide exposure during your next scanning cycle to get visibility into the impact within your organization and efficiently track the remediation progress of this serious vulnerability. If you think you may be affected, patches are available from all of the Linux vendors starting today.

For more information on GHOST, follow the conversation on our Laws of Vulnerabilities blog.

#2
01-28-2015, 10:28 AM
mlombardi1

Most enterprise Avaya products run on a modified RHEL or CentOS load, so I'd wager Avaya is highly vulnerable. Let's see how quickly we see remediation released.

#3
01-29-2015, 07:13 AM
willamsj

https://downloads.avaya.com/css/P8/documents/101006648

Apparently Avaya's "final" advisory status is that there are no RHEL Avaya products, therefore no vulnerability.

I opened a case with Avaya support to get attention to this and seek clarification.
__________________
NNCSE CS1000, NNCSE NES SCCS/CC, NNCSS Callpilot

Last edited by willamsj; 01-29-2015 at 07:18 AM. Reason: Added signature

#4
01-29-2015, 10:28 AM
walmsls

Thank you for the link to the ASA. I too opened a Support Request with Avaya for validation because a ZDNet article (link below) lists several Linux distros as affected, CentOS included, which Avaya uses as the OS.

http://www.zdnet.com/article/critica...ty-hole-found/

#5
01-29-2015, 10:50 AM
willamsj

Here's what I've found so far-- still waiting for a response from the BBE who took the case-- he indicated that he needs to research.

Checking 7.6 and 7.5 Linux servers, the RHEL OS release is 5.3. According to RedHat's publication, that release is not listed as affected.

What is uncertain in my mind is whether this is because the release is no longer supported by RH and therefore they didn't even test for the vulnerability, or if it was tested and has been verified as not affected (perhaps because the earlier release of the library does not contain the vulnerability.)
__________________
NNCSE CS1000, NNCSE NES SCCS/CC, NNCSS Callpilot

#6
01-29-2015, 11:19 AM
willamsj

https://access.redhat.com/articles/1332213
This indicates that all releases of RHEL are affected, however there are no fixes listed from RH for release 5.3.

I've passed this information on to Avaya.
__________________
NNCSE CS1000, NNCSE NES SCCS/CC, NNCSS Callpilot
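
The open question in posts #5 and #6 is whether the glibc on a given server falls inside the affected range. The sketch below is an added example, not part of the thread and not Avaya or Red Hat tooling; the function names and sample strings are constructed, and the 2.18 upper bound (the first upstream glibc release containing the fix) is an assumption that the thread does not state.

```shell
#!/bin/sh
# Added example: triage a glibc version string against CVE-2015-0235 (GHOST).
# Lower bound 2.2 is the figure quoted in the thread. Upper bound 2.18 (the
# first upstream release carrying the fix) is added here, not from the thread.

# Pull the upstream "major.minor" out of strings such as
#   glibc-2.5-1.el5        (format printed by: rpm -q glibc)
#   ldd (GNU libc) 2.17    (format printed by: ldd --version)
glibc_upstream_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+' | head -n 1
}

# Print one of: unknown, predates-range, in-range-check-vendor-advisory,
# upstream-fixed.
ghost_classify() {
    ver=$(glibc_upstream_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 2 ]; }; then
        echo predates-range
    elif [ "$major" -eq 2 ] && [ "$minor" -lt 18 ]; then
        # Distributions backport the fix without changing the upstream
        # version, so the package release still has to be compared with the
        # vendor's errata before a host is called vulnerable or patched.
        echo in-range-check-vendor-advisory
    else
        echo upstream-fixed
    fi
}

# Constructed sample inputs; on a real host pass "$(rpm -q glibc)" instead.
for sample in 'glibc-2.5-1.el5' 'ldd (GNU libc) 2.17' '2.18' 'glibc-2.1.3-1'; do
    printf '%-22s %s\n' "$sample" "$(ghost_classify "$sample")"
done
```

An "in-range" result only says the upstream version is old enough to contain the bug; whether a specific vendor build is patched is decided by the package release listed in that vendor's advisory.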
All times are GMT -7.
