16-0004-003

Security Bulletin for MiVoice Business
SECURITY BULLETIN ID: 16-0004-003
RELEASE VERSION: 1.0
DATE: 2016-03-07
SECURITY BULLETIN 16-0004-003 V1.0
OVERVIEW
This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 16-0004.
Visit http://www.mitel.com/security-advisories for more details.
MiVoice Business is affected by an “ntpd” vulnerability (CVE-2015-8138) in the software provided by Mitel Standard Linux (MSL) and
distributed by RedHat Linux 6.3.
It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote
attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization
with the server, or push arbitrary offset/delay measurements to modify the time on the client.
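The check at issue, as an added example (not code from Mitel, Red Hat or ntpd): a client accepts a server reply only when its originate timestamp equals the transmit timestamp of the request still outstanding, following the NTP header layout in RFC 5905. The class and function names are hypothetical and the sample packets are constructed.

```python
import struct

NTP_HEADER_LEN = 48   # fixed NTP header size (RFC 5905)
ORIGIN_OFFSET = 24    # originate timestamp: 8 bytes at offset 24
MODE_SERVER = 4       # mode field value of a server reply


class NtpClientAssociation:
    """Tracks the single outstanding request to one server (hypothetical helper)."""

    def __init__(self):
        # Transmit timestamp of the request awaiting a reply; None when idle.
        self.pending_xmt = None

    def record_request(self, transmit_ts: int) -> None:
        self.pending_xmt = transmit_ts

    def accept_reply(self, packet: bytes) -> bool:
        """Return True only if the packet answers our outstanding request."""
        if len(packet) < NTP_HEADER_LEN:
            return False
        if packet[0] & 0x07 != MODE_SERVER:
            return False
        (origin,) = struct.unpack_from("!Q", packet, ORIGIN_OFFSET)
        # With no request outstanding, no originate value can be legitimate.
        # "Idle" is a separate state here, never a sentinel timestamp value.
        if self.pending_xmt is None:
            return False
        # A mismatch is dropped without touching state, so a bogus packet
        # cannot cancel the real exchange still in flight.
        if origin != self.pending_xmt:
            return False
        self.pending_xmt = None  # one reply per request: replays are rejected
        return True


def build_reply(origin_ts: int) -> bytes:
    """Constructed sample reply carrying the given originate timestamp."""
    # LI=0, VN=4, mode=4; stratum 2; poll 6; precision -20
    header = struct.pack("!BBbb", (4 << 3) | MODE_SERVER, 2, 6, -20)
    # root delay, root dispersion, reference ID, then the four timestamps
    body = struct.pack("!II4sQQQQ", 0, 0, b"TEST", 0, origin_ts, 0, 0)
    return header + body
```

A monitoring script can apply the same comparison to captured request/reply pairs to flag replies that do not correspond to any request the client sent.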
APPLICABLE PRODUCTS
This security bulletin provides information on the following products:
PRODUCT NAME | VERSION(S) AFFECTED | SOLUTION(S) AVAILABLE
MiVoice Business for: Industry Standard Server, VMware Virtual Appliance | 6.0 and later | MSL Update
MiVoice Business for Stratus | All versions using RedHat Linux 6.3 * | Vendor update (See Solution Information)
MiVoice Business for Multi-instance platform - Server Manager | 1.2 and later | MSL Update
* MiVB on Stratus supports RedHat Linux version 5.4 and 6.3. Version 5.4 is not affected by this vulnerability.
RISK / EXPOSURE
The vulnerability is rated as having moderate risk.
CVSS V2.0 OVERALL SCORE: 6.4
CVSS V2.0 VECTOR: AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSS BASE SCORE: 6.4
CVSS TEMPORAL SCORE: n/a
CVSS ENVIRONMENTAL SCORE: n/a
OVERALL RISK LEVEL: Moderate
© Copyright 2016, Mitel Networks Corporation. All Rights Reserved.
The Mitel word and logo are trademarks of Mitel Networks Corporation.
Any reference to third party trademarks are for reference only and Mitel makes no representation of the ownership of
these marks.
MITIGATION / WORKAROUNDS
Please refer to Mitel Standard Linux’s advisory or Redhat web site.
SOLUTION INFORMATION
New releases of MSL (10.1.48.0 and 10.3.38.0) are available providing fixes for the reported vulnerability. Customers
should upgrade to MSL 10.1.48.0 and 10.3.38.0 as applicable. Please contact Product Support for more information.
For systems allowing the ability to update RedHat packages directly, please refer to the solution provided by Redhat
(https://access.redhat.com/security/cve/cve-2015-8138) for RedHat 6.3.
Please contact Product Support for more information.