Security Bulletin for MiVoice Business

SECURITY BULLETIN ID: 15-0013-001
RELEASE VERSION: 1.0
DATE: 2016-02-01

OVERVIEW

This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 15-0013. Visit http://www.mitel.com/security-advisories for more details.

Mitel is aware of a deserialization vulnerability in the Apache Commons Collections (ACC) Java library, which impacts MiVB’s proprietary Scheduler Java application.

APPLICABLE PRODUCTS

This security bulletin provides information on the following products:

PRODUCT NAME: MiVB
VERSION(S) AFFECTED: 7.2 and earlier
SOLUTION(S) AVAILABLE: Update to v7.2 SP1

PRODUCT NAME: MiVoice Business for Industry Standard Server, Stratus, VMware Virtual Appliance, Multi-instance platform (tenants only)
VERSION(S) AFFECTED: 7.2 and earlier
SOLUTION(S) AVAILABLE: Update to v7.2 SP1

RISK / EXPOSURE

The vulnerability is rated as having moderate risk.

CVSS V2.0 OVERALL SCORE: 6.0
CVSS V2.0 VECTOR: AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS BASE SCORE: 6.0
CVSS TEMPORAL SCORE: n/a
CVSS ENVIRONMENTAL SCORE: n/a
OVERALL RISK LEVEL: Medium

In practice, the risk is anticipated to be much lower, as the exposure is limited to an administrative function and administrator credentials are required to exploit the vulnerability.

MITIGATION / WORKAROUNDS

No mitigation / workarounds are available.

PATCH INFORMATION

Customers are advised to update to MiVB v7.2 SP1. Please contact Mitel Product Support for additional information.

© Copyright 2016, Mitel Networks Corporation. All Rights Reserved. The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third party trademarks is for reference only and Mitel makes no representation of the ownership of these marks.