OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) protocols, as well as a full-strength, general purpose cryptography library.
A NULL pointer dereference flaw was found in the DTLS implementation of OpenSSL. A remote attacker could send a specially crafted DTLS message, which would cause an OpenSSL server to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3571 to this issue.
A memory leak flaw was found in the way the dtls1_buffer_record() function of OpenSSL parsed certain DTLS messages. A remote attacker could send multiple specially crafted DTLS messages to exhaust all available memory of a DTLS server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-0206 to this issue.
It was found that OpenSSL's BigNumber Squaring implementation could produce incorrect results under certain special conditions. This flaw could possibly affect certain OpenSSL library functionality, such as RSA blinding. Note that this issue occurred rarely and with a low probability, and there is currently no known way of exploiting it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3570 to this issue.
It was discovered that OpenSSL would perform an ECDH key exchange with a non-ephemeral key even when the ephemeral ECDH cipher suite was selected. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method than the one requested by the user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3572 to this issue.
It was discovered that OpenSSL would accept ephemeral RSA keys when using non-export RSA cipher suites. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-0204 to this issue.
Multiple flaws were found in the way OpenSSL parsed X.509 certificates. An attacker could use these flaws to modify an X.509 certificate to produce a certificate with a different fingerprint without invalidating its signature, and possibly bypass fingerprint-based blacklisting in applications. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-8275 to this issue.
It was found that an OpenSSL server would, under certain conditions, accept Diffie-Hellman client certificates without the use of a private key. An attacker could use a user's client certificate to authenticate as that user, without needing the private key. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-0205 to this issue.
More information about these vulnerabilities can be found in the security advisory issued by Red Hat:
| Product: | Affected Version(s): | Risk Level: | Actions: |
|---|---|---|---|
| Avaya CMS | R16.x, 17 through R17 R4 | Low | Upgrade to R17 R5 or later. Apply the security patch as outlined by PSN004216u |
| Avaya Breeze™ Platform | 2.x, 3.0 through 3.0 SP3 | Low | Upgrade to 3.0 SP4 or later. |
| Avaya Aura® Conferencing | 8.0 through 8.0 SP4 | Low | Upgrade to 8.0 SP5 or later. |
| Avaya Aura® Experience Portal | 6.x, 7.0 through 7.0.1 | Low | Upgrade to 7.0.2 or later and install latest Avaya Linux Security Updates. |
| Avaya IP Office Server Edition | 8.1, 9.0 through 9.1.3 | Low | Upgrade to 9.1.4 or later. |
| Avaya IP Office Application Server | 9.0 through 9.1.3 | Low | Upgrade to 9.1.4 or later. |
| Avaya one-X® Client Enablement Services | 6.2 through 6.2 SP3 | Low | Upgrade to 6.2 SP4 or later. |
| Avaya Aura® Session Manager | 6.3 through 6.3.14 | Low | Upgrade to 6.3.15 or later. |
| Avaya Session Border Controller for Enterprise | 6.3 through 6.3.4 | Low | Upgrade to 6.3.5 or later. |
Recommended Actions for System Products:
Avaya strongly recommends following networking and
security best practices by implementing firewalls, ACLs,
physical security or other appropriate access restrictions.
Though Avaya believes such restrictions should always be in
place, risk to Avaya products and the surrounding network
from this potential vulnerability may be mitigated by
ensuring these practices are implemented until such time as
an Avaya provided product update or the recommended Avaya
action is applied.
Further restrictions as deemed necessary based on the
customer's security policies may be required during this
interim period, but the System Product operating system or
application should not be modified unless the change is
approved by Avaya. Making changes that are not approved may
void the Avaya product service contract.
When determining risk, Avaya takes into account many factors as outlined by Avaya's Security Vulnerability Classification Policy. The following table describes factors that mitigate the risk of specific vulnerabilities for affected Avaya products:
| Vulnerability | Mitigating Factors |
|---|---|
| CVE-2014-3570 | The risk is rated Low for all listed products because the issue occurred rarely and with a low probability, and there is currently no known way of exploiting it. Additionally, RSA is used by default and their operations are not affected by this vulnerability. |
|
CVE-2014-3571 CVE-2015-0206 |
The risk is rated None for all listed products because DTLS is not used by default. |
|
CVE-2014-3572 |
The risk is rated Low for all listed products because by default, weak keys are disabled and ECDSA certificates are not used. |
| CVE-2014-8275 | The risk is rated Low for all listed products because the fingerprint-based certificate-blacklist protection mechanism is not used by default. |
|
CVE-2015-0204 |
The risk is rated Low for all listed products because weak keys are disabled by default. |
|
CVE-2015-0205 |
The risk is rated Low for all listed products because they do not trust a client CA that issues certificates containing DH keys by default. |
Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.
In the case of this advisory Avaya software-only products are not affected by the vulnerability directly but the underlying Linux platform may be. Customers should determine on which Linux operating system the product was installed and then follow that vendor's guidance.
| Product: | Actions: |
|---|---|
| Avaya Aura® Experience Portal | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the EP application. |
Recommended Actions for Software-Only Products:
In the event that the affected package is installed, Avaya recommends following recommended actions supplied by Red Hat regarding their Enterprise Linux.
Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION, IS PROVIDED "AS IS", AND IS APPLICABLE ONLY TO PRODUCT VERSIONS ELIGIBLE FOR MANUFACTURER SUPPORT IN ACCORDANCE WITH AVAYA PRODUCT LIFE CYCLE POLICY. AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.
V 1.0 - March 6, 2015 - Initial Statement issued.
V 2.0 - March 18, 2015 - Updated Section 2 to include ASBCE affected versions.
V 3.0 - March 24, 2015 - Updated CMS affected versions and actions.
V 4.0 - November 29, 2017 - Updated affected versions and actions for all other products and set the advisory status to Final.
V 4.1 - November 29, 2017 - Republished the ASA.
Avaya customers or Business Partners should report any security issues found with Avaya products via the standard support process.
Independent security researchers can contact Avaya at
securityalerts@avaya.com.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
© 2015 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.