Security Bulletin for MiCollab AWV SECURITY BULLETIN ID: 15-0004-004 RELEASE VERSION: V1.1 DATE: 2015-09-25 SECURITY BULLETIN 15-0004-004 V1.1 OVERVIEW This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 15-0004. Visit http://www.mitel.com/security-advisories for more details. Note: This bulletin, and updates to Security Advisory 15-0004, have been published following the discovery of new investigation. According to the findings published on https://weakdh.org, websites, mail servers, and other TLS-dependent services that use Diffie-Hellman Ephemeral (DHE) and allow for DHE_EXPORT to use 512-bit DH keys are affected. This vulnerability is commonly known as Logjam. APPLICABLE PRODUCTS This security bulletin provides information on affected products: PRODUCT NAME AWV VERSION(S) AFFECTED AWV 5.0.5.5 and earlier SOLUTION(S) AVAILABLE AWV 5.0.5.7 AWV is included in the following products: PRODUCT NAME MiCollab VERSION(S) AFFECTED MiCollab 6.0 SP2 (6.0.205.0) and earlier SOLUTION(S) AVAILABLE MiCollab 6.0 SP2 PR1 (6.0.206.0) MiVoice Business Express MiVoice Business Express 6.0 SP2 (6.0.205.0) and earlier MiVoice Business Express 6.0 SP2 PR1 (6.0.206.0) RISK / EXPOSURE Successful exploitation of the vulnerability could allow an attacker to gain access to sensitive information and allow for the manipulation of data. CVSS V2.0 OVERALL SCORE: 4.4 CVSS V2.0 VECTOR: AV:N/AC:H/AU:N/C:P/I:P/A:P CVSS BASE SCORE: 5.1 CVSS TEMPORAL SCORE: 4.4 CVSS ENVIRONMENTAL SCORE: OVERALL RISK LEVEL: Not defined Low © Copyright 2015, Mitel Networks Corporation. All Rights Reserved. The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third party trademarks are for reference only and Mitel makes no representation of the ownership of these marks. SECURITY BULLETIN 15-0004-004 V1.1 MITIGATION / WORKAROUNDS Mitel is recommending customers update their AWV version that is known to remove the use of ciphers employing the weak Diffie-Hellman sizes. PATCH INFORMATION Changes to disable weak Diffie-Hellman keys were introduced in the following releases: AWV 5.0 v5.0.5.7 Customers unable to update to newer versions are advised to contact support for additional workarounds. Customers should contact their authorized support provider to obtain the latest software versions. Visit www.mitel.com for additional contact information. © Copyright 2015, Mitel Networks Corporation. All Rights Reserved. The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third party trademarks are for reference only and Mitel makes no representation of the ownership of these marks.