Summary of Avaya BASH ShellShock Responses

Original Release Date: October 1, 2014
Last Revised: October 21, 2014
Number: ASA-2014-373
Advisory Version: 10.0
Advisory Status: Final

1. Overview:

Avaya has published several advisories in response to recent BASH vulnerabilities, CVE-2014-6271 and CVE-2014-7169. This document provides a summary list of the various Avaya Security Advisories (ASA) that have been published since (and including) the original ASA.

2. Document List:

Title | Description | Risk Level
--- | --- | ---
ASA-2014-369 bash security update (RHSA-2014-1293, RHSA-2014-1294, RHSA-2014-1306, RHSA-2014-1311) | Avaya System products using a modified version of RHEL 4, 5 or 6 with bash installed | High
ASA-2014-371 Oracle Security Alert for CVE-2014-6271 and CVE-2014-7169 | Avaya System Products Using Solaris 10 | High
ASA-2014-367 Avaya Networking bash Advisory | Avaya Networking products using a modified version of RHEL 5 with bash installed | High
ASA-2014-379 Avaya Gateways 16xx/46xx/96x0 Endpoints Response to GNU Bash (shellshock) Vulnerabilities (CVE-2014-6271, CVE-2014-7169) | Avaya Gateway, TN Circuit Packs and 16xx/46xx/96x0/B179 Endpoints Advisory | None
ASA-2014-377 Avaya Services Support Tools Advisory | Avaya Services Support Tools | High
ASA-2014-383 Avaya EPT Response to GNU Bash (shellshock) Vulnerabilities (CVE-2014-6271, CVE-2014-7169) | Avaya Emerging Products and Technologies Advisory | None
ASA-2014-384 Avaya Desktop and Mobile Client Response to GNU Bash (shellshock) Vulnerabilities (CVE-2014-6271, CVE-2014-7169) | Avaya Desktop and Mobile Clients Advisory | None
ASA-2014-382 Wind River bash Security Update (CVE-2014-6271, CVE-2014-7169) | Avaya 96x1 Deskphone Advisory | Low
ASA-2014-386 Avaya Scopia (shellshock) Vulnerabilities (CVE-2014-6271, CVE-2014-7169) | Avaya Scopia Products Advisory | High
ASA-2014-389 Avaya AudioCodes Gateways Response to GNU Bash (shellshock) Vulnerabilities (CVE-2014-6271, CVE-2014-7169) | Avaya AudioCodes Products Advisory | High
ASA-2014-393 Cygwin (shellshock) Vulnerabilities (CVE-2014-6271, CVE-2014-7169) | Avaya System Products Using Cygwin | High
ASA-2014-378 BCM (shellshock) Vulnerabilities (CVE-2014-6271, CVE-2014-7169) | Avaya Business Communication Manager Products Advisory | Low
ASA-ASBCE-bash ASBCE bash security and bug fix update | Avaya Session Border Controller Enterprise Advisory | Low

3. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

4. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

6. Revision History:

V 1.0 - October 1, 2014 - Initial issue.
V 2.0 - October 1, 2014 - Added Avaya Gateways and Services Support Tools entries.
V 3.0 - October 3, 2014 - Added entries for Emerging Products and Technologies, Desktop and Mobile Clients, 96x1 deskphones and changed table format.
V 4.0 - October 6, 2014 - Added Scopia products entry.
V 5.0 - October 7, 2014 - Changed risk level for Oracle advisory to High.
V 6.0 - October 9, 2014 - Updated ASA-2014-379 entry to include 16xx/46xx/96x0 endpoints, added entry for AudioCodes.
V 7.0 - October 10, 2014 - Corrected typographical errors.
V 8.0 - October 13, 2014 - Added entry for Cygwin and updated ASA-2014-379 entry to include B179 endpoints.
V 9.0 - October 15, 2014 - Added entry for Business Communication Manager.
V 10.0 - October 21, 2014 - Added entry for Session Border Controller Enterprise.

Avaya customers or Business Partners should report any security issues found with Avaya products via the standard support process.
Independent security researchers can contact Avaya at securityalerts@avaya.com.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

© 2014 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.