What happened:

On October 27, 2023, a critical vulnerability in the Apache ActiveMQ components was disclosed: \u00A0

\u00A0\u00A0\u00A0 CVE-2023-46604\u00A0- Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack.

For a description of this vulnerability, affected components and versions of ActiveMQ, please see the\u00A0Apache ActiveMQ Security Vulnerabilities\u00A0page.

\u00A0

Are my Avaya products affected?

Avaya is investigating its product line to determine which products may be affected by this vulnerability. \u00A0Avaya will provide status updates through Service Requests that are created by our customers or through Product Support Notices / Product Correction Notices (PSNs/PCNs) as appropriate.\u00A0 \u00A0

\u00A0

End of Manufacturer\u2019s Support:\u00A0

Avaya is prioritizing our GA products in a phased approach based on risk level and expected impact.\u00A0 Products/versions\u00A0designated EoMS are not being scanned at this time and customers are encouraged to upgrade to a supported\u00A0product/version.

\u00A0

Recommended Actions for Products:\u00A0

Avaya strongly recommends following networking and security best practices by implementing firewalls, ACLs, physical security, or other appropriate access restrictions. Though Avaya believes such restrictions should always be in place, risk to Avaya products and the surrounding network from this potential vulnerability may be mitigated by ensuring these practices are implemented until such time as an Avaya provided product update or the recommended Avaya action is applied. Further restrictions as deemed necessary based on the customer's security policies may be required during this interim period, but the System Product operating system or application should not be modified unless the change is approved by Avaya. Making changes that are not approved may void the Avaya product service contract.

\u00A0

What should I do next?

You may create a Service Request (only one is required for all products) if you require additional information.\u00A0 Alternatively, we will publish Product Support Notice (PSN) updates as details become available.\u00A0\u00A0

\u00A0To create a Service Request:

1.\u00A0\u00A0Log on to\u00A0https://support.avaya.com\u00A0by using your\u00A0Avaya\u00A0credentials.

2.\u00A0\u00A0Under\u00A0Service/Parts Request, click\u00A0Create Service Request.

3.\u00A0\u00A0On the Create a Service Request page, provide the required details including the application name and the version.

Avaya is aware that some customers are not able to immediately migrate EoMS product to a supported release. In those cases, Avaya recommends the customer protect the EoMS product behind an application-aware firewall appliance and/or a cloud service.

Customers are encouraged to subscribe to\u00A0e-notifications\u00A0to be notified of\u00A0the latest PSN updates\u00A0for their affected products.