Security Bulletin for MiCollab AWV

SECURITY BULLETIN ID: 15-0013-002
RELEASE VERSION: 1.0
DATE: 2016-02-01

SECURITY BULLETIN 15-0013-002 V1.0

OVERVIEW

This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 15-0013. Visit http://www.mitel.com/security-advisories for more details.

A Java deserialization vulnerability was detected in the Java frameworks which, if exploited, could allow an attacker to execute arbitrary code on the remote system. MiCollab Audio, Web and Video conferencing (AWV) has been identified as using the affected framework.

APPLICABLE PRODUCTS

This security bulletin provides information on the following products:

PRODUCT NAME    VERSION(S) AFFECTED        SOLUTION(S) AVAILABLE
MiCollab AWV    AWV 6.0 (MiCollab 7.0)     Yes

RISK / EXPOSURE

This vulnerability provides an attacker with the ability to execute malicious code and take complete control of an affected system with the privileges of the user running the application. Such unauthorized access could allow an attacker to attempt to elevate their privileges.

From MiCollab 7.0 (AWV 6.0) onwards, AWV's Connection Point process utilizes JMX technology to expose an RMI interface for remotely monitoring health statistics. While this service should be firewalled, there is a potential risk in environments where this service is accessible from untrusted hosts or networks.

CVSS V2.0 OVERALL SCORE: 4.8
CVSS V2.0 VECTOR: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:ND/RL:W/RC:C

CVSS BASE SCORE:            5
CVSS TEMPORAL SCORE:        4.8
CVSS ENVIRONMENTAL SCORE:   Not Defined
OVERALL RISK LEVEL:         Low

MITIGATION / WORKAROUNDS

A remediation bulletin, providing the steps for a manual workaround, is available from Mitel Product Support. Refer to Technical Bulletin 15-1263-00137.

PATCH INFORMATION

No patch is currently available. This issue is scheduled to be corrected in MiCollab 7.1.

© Copyright 2016, Mitel Networks Corporation. All Rights Reserved.
The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third-party trademarks is for reference only, and Mitel makes no representation of the ownership of these marks.
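The bulletin's risk section describes the general class of problem: a JMX/RMI endpoint that deserializes whatever object stream a remote caller sends. Beyond firewalling the service, the standard defensive control for this class of bug is a deserialization allowlist, which the JDK has supported since Java 9 through java.io.ObjectInputFilter (JEP 290). The program below is an added example written for this page; it is not Mitel's code, says nothing about how AWV is implemented, and the HealthStats and Unexpected classes are constructed stand-ins for "the payload the endpoint legitimately expects" and "any other class". It shows that an unfiltered ObjectInputStream instantiates any Serializable class on the classpath, while an allowlist filter rejects the same bytes with InvalidClassException before any constructor or readObject logic of the unexpected class runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFilterDemo {

    // Constructed stand-in for the one payload type a monitoring endpoint
    // legitimately exchanges (plain primitives, nothing interesting to abuse).
    static final class HealthStats implements Serializable {
        private static final long serialVersionUID = 1L;
        final long uptimeSeconds;
        final int activeSessions;
        HealthStats(long uptimeSeconds, int activeSessions) {
            this.uptimeSeconds = uptimeSeconds;
            this.activeSessions = activeSessions;
        }
    }

    // Constructed stand-in for any class the endpoint never needs to
    // deserialize. A real gadget class would carry side effects; this one
    // only records that it was instantiated.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "should never be deserialized here";
    }

    // Allowlist filter: only HealthStats is ALLOWED; every other class is
    // REJECTED. Calls with no class (depth/reference/array-length checks)
    // return UNDECIDED so the stream's default limits still apply.
    static ObjectInputFilter allowlist() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return c == HealthStats.class
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // filter == null reproduces the unsafe default: any Serializable class
    // on the classpath is instantiated from attacker-controlled bytes.
    static Object deserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new HealthStats(86_400L, 12));
        byte[] rogue = serialize(new Unexpected());

        // Expected payload passes the allowlist.
        HealthStats stats = (HealthStats) deserialize(legit, allowlist());
        System.out.println("allowed: uptime=" + stats.uptimeSeconds
                + "s sessions=" + stats.activeSessions);

        // Without a filter the unexpected class is happily instantiated.
        Object o = deserialize(rogue, null);
        System.out.println("no filter: instantiated " + o.getClass().getName());

        // With the allowlist the same bytes are refused before instantiation.
        try {
            deserialize(rogue, allowlist());
            System.out.println("BUG: filter did not reject");
        } catch (InvalidClassException e) {
            System.out.println("filtered: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo` on JDK 9 or later. The same policy can be applied process-wide without touching code by starting the JVM with `-Djdk.serialFilter=<pattern>` (for example an allowlist of the expected package followed by `!*`), which is the practical route for a third-party service whose source you do not control; recent JDKs also let an RMI connector server carry its own filter pattern (see the RMIConnectorServer javadoc), which scopes the control to the JMX endpoint itself. None of this replaces the bulletin's primary guidance to keep the management interface unreachable from untrusted networks; it limits what a reachable endpoint will instantiate if that boundary fails.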