16-0004-007

Security Bulletin for MiVoice5000
SECURITY BULLETIN ID: 16-0004-007
RELEASE VERSION: 1.0
DATE: 2016-03-07
SECURITY BULLETIN 16-0004-007 V1.0
OVERVIEW
This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 16-0004.
Visit http://www.mitel.com/security-advisories for more details.
APPLICABLE PRODUCTS
This security bulletin provides information on the following products:
PRODUCT NAME
VERSION(S) AFFECTED
SOLUTION(S) AVAILABLE
MiVoice5000
5.4, 6.1, 6.2
Security patch package
QW467AAXXX6.x.23
Mitel5000 Compact
5.4, 6.1, 6.2
Security patch package
QW467AAXXX6.x.23
MiVoice5000 Manager
2.4, 3.1, 3.2
Security patch package
QW467AAXXX6.x.23
RISK / EXPOSURE
Due to a flaw in an open-source third party library, a remote attacker could disable network timestamp synchronization
on the MiVoice5000, MiVoice5000 Manager and Mitel5000 Compact systems or push arbitrary time measurements to
modify the timestamp on these products.
CVSS V2.0 OVERALL SCORE:
6.4
CVSS V2.0 VECTOR:
AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSS BASE SCORE:
6.4
CVSS TEMPORAL SCORE:
Not defined
CVSS ENVIRONMENTAL SCORE:
Not defined
OVERALL RISK LEVEL:
Moderate
MITIGATION / WORKAROUNDS
Customers using Network Time Protocol (NTP) on MiVoice5000, MiVoice5000 Manager or Mitel5000 Compact
products should ensure that they have configured multiple sources of NTP Servers by specifying a verified NTP server
pool as the time source. Additionally the timestamp on these products may be monitored for any discrepancy.
© Copyright 2016, Mitel Networks Corporation. All Rights Reserved.
The Mitel word and logo are trademarks of Mitel Networks Corporation.
Any reference to third party trademarks are for reference only and Mitel makes no representation of the ownership of
these marks.
SECURITY BULLETIN 16-0004-007 V1.0
SOLUTION INFORMATION
The fix will be included in the new release of security patch package QW467AAXXX6.x.23 available by the end of
March.
By the meantime, the RedHat patch ntp-4.2.6p5-5.el6_7.4.x86_64.rpm can be loaded on our systems MiVoice5000,
MiVoice5000 Manager and Mitel5000 Compact.
Contact product support for additional information.
© Copyright 2016, Mitel Networks Corporation. All Rights Reserved.
The Mitel word and logo are trademarks of Mitel Networks Corporation.
Any reference to third party trademarks are for reference only and Mitel makes no representation of the ownership of
these marks.
Similar pages