16-0007-007

Security Bulletin for NuPoint
SECURITY BULLETIN ID: 16-0007-007
RELEASE VERSION: 1.0
DATE: 2016-03-07
SECURITY BULLETIN 16-0007-007 V1.0
OVERVIEW
This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 16-0007.
Visit http://www.mitel.com/security-advisories for more details.
NPM has been confirmed as being affected by a DNS libresolv vulnerability in glibc (CVE-2015-7547).
Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C
Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute
arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or
AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.
APPLICABLE PRODUCTS
This security bulletin provides information on the following products:
PRODUCT NAME
VERSION(S) AFFECTED
SOLUTION(S) AVAILABLE
NPM
NPM 7 SP1 (17.1.0.11)
Upgrade to MSL 10.1.49.0 or higher
NPM
NPM 7 SP2 (17.2.0.3)
Upgrade to MSL 10.1.49.0 or higher
NPM
NPM 8 (18.0.0.49)
Upgrade to MSL 10.3.38.0 or higher
RISK / EXPOSURE
Below are the CVSS scores as published by the vendor:
CVSS V2.0 OVERALL SCORE:
6.8
CVSS V2.0 VECTOR:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS BASE SCORE:
6.8
CVSS TEMPORAL SCORE:
n/a
CVSS ENVIRONMENTAL SCORE:
n/a
OVERALL RISK LEVEL:
Moderate
MITIGATION / WORKAROUNDS
There is no specific mitigation for the vulnerabilities apart from updating the glibc version on the MSL platform.
SOLUTION INFORMATION
© Copyright 2016, Mitel Networks Corporation. All Rights Reserved.
The Mitel word and logo are trademarks of Mitel Networks Corporation.
Any reference to third party trademarks are for reference only and Mitel makes no representation of the ownership of
these marks.
SECURITY BULLETIN 16-0007-007 V1.0
New releases of MSL (10.1.49.0 and 10.3.38.0) are available with the updated glibc package, providing fixes for the
reported vulnerability. Customers should upgrade to MSL 10.1.49.0 and 10.3.38.0 as applicable. Please contact
Product Support for more information.
© Copyright 2016, Mitel Networks Corporation. All Rights Reserved.
The Mitel word and logo are trademarks of Mitel Networks Corporation.
Any reference to third party trademarks are for reference only and Mitel makes no representation of the ownership of
these marks.