Communication Manager: Modular Messaging: Logjam TLS security vulnerability CVE-2015-4000


Doc ID    SOLN273090
Version:    5.0
Status:    Published
Published date:    01 Aug 2018
Created Date:    06 Aug 2015
Author:    Gina Reda

Details


Avaya Communication Manager 5.x, 6.x and 7.x (port 25 & 465)

Avaya System platform cdom for Modular Messaging 5.2 (port 443)

Avaya Systems Vulnerabilities


Problem Clarification

Customer is requesting Logjam TLS security vulnerability information on Modular Messaging and Communication Manager

Cause

security vulnerability

Solution

Modular Messaging:


Modular Messaging components are not affected.

Messaging Application Server uses Microsoft Server 2003; there is no publicly released security notification for it.

Message Storage Server uses RHEL4, and port 443 does not accept export-grade ciphers.

Communication Manager:

This issue affects the OpenSSL version used in Communication Manager. However, the vulnerability depends on the DHE_EXPORT cipher suites being enabled with that OpenSSL version. Avaya products in general, and Communication Manager in particular, do not enable DHE_EXPORT ciphers by default, so Communication Manager is NOT vulnerable to CVE-2015-4000.
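The statement above (and the port 443 note for the Message Storage Server) can be verified from the client side. The following script is an added example, not part of this Avaya article: it hand-builds a TLS ClientHello that offers only export-grade DHE cipher suites and reports whether the server selects one. A server that does not enable DHE_EXPORT ciphers should answer with a handshake_failure alert or simply close the connection. The hello is built by hand because current OpenSSL builds no longer ship export suites, so `openssl s_client -cipher EXPORT` cannot perform this check. The host and port are supplied by the operator (assumed arguments); the sample ServerHello and alert bytes used when the script is self-tested are constructed, not captured from any Avaya system.

```python
"""Check whether a TLS endpoint accepts export-grade (DHE_EXPORT) cipher suites.

Added example for verifying a server's cipher configuration; it offers only
export-grade suites and classifies the first record the server sends back.
"""
import os
import socket
import struct
import sys

# Export-grade cipher suite identifiers from RFC 4346 / RFC 5246 Appendix A.5.
EXPORT_SUITES = {
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# Logjam-relevant subset: suites that negotiate ephemeral (or anonymous) 512-bit DH.
DHE_EXPORT_SUITES = {
    s for s, name in EXPORT_SUITES.items() if "DHE_" in name or "DH_anon" in name
}

RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_SERVER_HELLO = 0x02


def build_client_hello(suites, client_version=b"\x03\x03"):
    """Return a TLS record carrying a ClientHello that offers only `suites`."""
    cipher_block = b"".join(struct.pack("!H", s) for s in sorted(suites))
    body = (
        client_version                                       # client_version (TLS 1.2)
        + os.urandom(32)                                     # client random
        + b"\x00"                                            # empty session_id
        + struct.pack("!H", len(cipher_block)) + cipher_block
        + b"\x01\x00"                                        # one compression method: null
    )
    # Handshake header: type ClientHello (1) + 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type handshake, legacy version TLS 1.0, 2-byte length.
    return bytes([RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record in `data`.

    Returns ("alert", description) for an alert record, ("server_hello", cipher_suite)
    for a ServerHello, or ("unknown", None) for anything else or truncated input.
    """
    if len(data) < 5:
        return ("unknown", None)
    rec_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if rec_type == RECORD_ALERT and len(payload) >= 2:
        return ("alert", payload[1])          # payload = level, description
    if rec_type == RECORD_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        # ServerHello body: version(2) random(32) session_id_len(1) session_id cipher_suite(2)
        body = payload[4:]
        if len(body) < 35:
            return ("unknown", None)
        off = 35 + body[34]
        if len(body) < off + 2:
            return ("unknown", None)
        return ("server_hello", struct.unpack("!H", body[off:off + 2])[0])
    return ("unknown", None)


def accepts_export_suites(host, port, suites=DHE_EXPORT_SUITES, timeout=5.0):
    """Offer only `suites` to host:port and report (accepted, detail).

    A server with export ciphers disabled answers with a handshake_failure alert (40)
    or drops the connection; only a ServerHello selecting one of `suites` counts as accepted.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(suites))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    kind, value = parse_server_response(data)
    if kind == "server_hello" and value in suites:
        return True, EXPORT_SUITES[value]
    return False, ("alert %d" % value if kind == "alert" else "no ServerHello")


if __name__ == "__main__":
    # Usage: python check_export.py <host> [port]   (host/port are operator-supplied)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    accepted, detail = accepts_export_suites(target, target_port)
    print("%s:%d export DHE suites accepted: %s (%s)" % (target, target_port, accepted, detail))
```

Run it against each listening port named in this article (25, 465, 443); a result of `False` with `alert 40` or `no ServerHello` matches the behaviour the article describes. Because the script only speaks the first round trip of the handshake, it never completes a session and needs no certificate validation.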


The OpenSSL version will still be updated in the next Communication Manager 6.3 service pack to prevent security scanners from reporting it as a vulnerability.


If the product is supported software (for example CM 6.3), the fixes for any new CVEs between now and the time the Product House closes the SSP (Security Service Pack) to new MRs will be in the next Security Service Pack. This can change depending on testing, release dates changing, etc.


If the product software is End of Support (for example CM 6.0.1), no fixes will be released, and the software will need to be upgraded to CM 6.3 in order to receive the security fix or any future updates. Since CM is not impacted, the recommendation for End of Support software is to mark the vulnerability as a false positive on the security scan; if the CM product is impacted by a future issue, you will need to upgrade to CM 6.3 or higher.

Update:

RHEL 5

https://downloads.avaya.com/css/P8/documents/101013879 

Avaya System Products using a modified version of RHEL5 with affected packages installed:

Product                              Affected Version(s)   Risk Level   Actions
Avaya Aura® Communication Manager    6.x                   Low          Upgrade to 6.3 SSP7 or later, or to 7.0 SSP1 or later.

CM6.3 Security service pack 7:

https://support.avaya.com/downloads/download-details.action?contentId=C20138580257440_7&productId=P0001&releaseId=6.3.x

RHEL 6

https://downloads.avaya.com/css/P8/documents/101012338

Avaya System Products using a modified version of RHEL6 with affected packages installed:

Product                              Affected Version(s)   Risk Level   Actions
Avaya Aura® Communication Manager    7.0                   Low          Install 7.0 Security Service Pack 1 or later.

CM7 security service packs:

https://support.avaya.com/downloads/download-details.action?contentId=C2015916221467650_8&productId=P0001&releaseId=7.0.x


Avaya -- Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy