16-0011-002

Security Bulletin for NuPoint
SECURITY BULLETIN ID: 16-0011-002
RELEASE VERSION: 1.0
DATE: 2016-06-03
OVERVIEW
This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 16-0011.
Visit http://www.mitel.com/security-advisories for more details.
Multiple ImageMagick vulnerabilities have been identified. NuPoint uses ImageMagick for the conversion of images in
the fax module, and thus is vulnerable.
This security bulletin provides details and recommended solutions to address
APPLICABLE PRODUCTS
This security bulletin provides information on the following products:
PRODUCT NAME    VERSION(S) AFFECTED      SOLUTION(S) AVAILABLE
NPM             NPM 7 SP2 (17.2.0.3)     Upgrade to MSL 10.1.50.0 or higher
NPM             NPM 8 SP1 (18.1.0.23)    Upgrade to MSL 10.4.15.0 or higher
RISK / EXPOSURE
There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One
of the vulnerabilities can lead to remote code execution (RCE) through the processing of user-submitted images.
The risk associated with these vulnerabilities varies from low to high, with CVSS scores ranging from 4.3 to 10.
Below is the CVSS risk assessment for CVE-2016-3714, the highest risk of these vulnerabilities.
CVSS V2.0 OVERALL SCORE: 9
CVSS V2.0 VECTOR: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS BASE SCORE: 9
CVSS TEMPORAL SCORE: Not defined
CVSS ENVIRONMENTAL SCORE: Not defined
OVERALL RISK LEVEL: High
MITIGATION / WORKAROUNDS
No workarounds to mitigate these vulnerabilities are available for NuPoint.
SOLUTION INFORMATION
New releases of MSL (10.1.50.0, 10.4.15.0) are available with the fixes for all the vulnerabilities identified in the security
advisory. Customers should upgrade to the appropriate MSL version based on the NuPoint version in use.
© Copyright 2016, Mitel Networks Corporation. All Rights Reserved.
The Mitel word and logo are trademarks of Mitel Networks Corporation.
Any reference to third-party trademarks is for reference only, and Mitel makes no representation of the ownership of
these marks.