16-0011-003

Security Bulletin for MiCollab NPM
SECURITY BULLETIN ID: 16-0011-003
RELEASE VERSION: 1.0
DATE: 2016-06-03
OVERVIEW
This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 16-0011.
Visit http://www.mitel.com/security-advisories for more details.
Multiple ImageMagick vulnerabilities have been identified. MiCollab NPM uses ImageMagick for the conversion of
images in the fax module, and thus is vulnerable.
This security bulletin provides details and recommended solutions to address
APPLICABLE PRODUCTS
This security bulletin provides information on the following products:
PRODUCT NAME | VERSION(S) AFFECTED | SOLUTION(S) AVAILABLE
MiCollab 6.0 | MiCollab 6.0.205.0, NPM 7 SP2 (17.2.0.3) | Upgrade to MSL 10.1.50.0 or higher
MiCollab 7.1 | MiCollab 7.1.0.55, NPM 8 SP1 (18.1.0.23) | Upgrade to MSL 10.4.15.0 or higher
RISK / EXPOSURE
There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One
of the vulnerabilities can lead to remote code execution (RCE) through the processing of user-submitted images.
The risk associated with these vulnerabilities varies from low to high, with CVSS scores ranging from 4.3 to 10.
Below is the CVSS risk assessment for CVE-2016-3714, the highest risk of these vulnerabilities.
CVSS V2.0 OVERALL SCORE: 9
CVSS V2.0 VECTOR: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS BASE SCORE: 9
CVSS TEMPORAL SCORE: Not defined
CVSS ENVIRONMENTAL SCORE: Not defined
OVERALL RISK LEVEL: High
MITIGATION / WORKAROUNDS
No workarounds to mitigate these vulnerabilities are available for MiCollab NPM.
SOLUTION INFORMATION
New releases of MSL (10.1.50.0, 10.4.15.0) are available with the fixes for all the vulnerabilities identified in the security
advisory. Customers should upgrade to the appropriate MSL version based on the MiCollab version in use.
© Copyright 2016, Mitel Networks Corporation. All Rights Reserved.
The Mitel word and logo are trademarks of Mitel Networks Corporation.
Any reference to third party trademarks is for reference only and Mitel makes no representation of the ownership of
these marks.