Date: 10 March 2009
References: AL-2009.0015 ESB-2009.0204 ESB-2009.0262 ESB-2009.0381 ESB-2009.0541
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0220 -- [Linux]
A number of vulnerabilities have been identified in Mozilla
Firefox as used by Avaya
10 March 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Avaya Intuity AUDIX LX
Avaya Messaging Storage Server
Avaya Message Networking
Publisher: Avaya
Operating System: Linux variants
Impact: Execute Arbitrary Code/Commands
Access Privileged Data
Provide Misleading Information
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2009-0777 CVE-2009-0776 CVE-2009-0775
CVE-2009-0774 CVE-2009-0773 CVE-2009-0772
CVE-2009-0771 CVE-2009-0040
Ref: ESB-2009.0204
AL-2009.0015
Original Bulletin:
http://support.avaya.com/elmodocs2/security/ASA-2009-069.htm
- --------------------------BEGIN INCLUDED TEXT--------------------
firefox security update (RHSA-2009-0315)
Original Release Date: March 5, 2009
Last Revised: March 5, 2009
Number: ASA-2009-069
Risk Level: Low
Advisory Version: 1.0
Advisory Status: Interim
1. Overview:
Mozilla Firefox is an open source Web browser.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code as the user running Firefox. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names
CVE-2009-0040, CVE-2009-0771, CVE-2009-0772, CVE-2009-0773, CVE-2009-0774 and
CVE-2009-0775 to these issues.
Several flaws were found in the way malformed content was processed. A website
containing specially-crafted content could, potentially, trick a Firefox user
into surrendering sensitive information. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the names CVE-2009-0776 and
CVE-2009-0777 to these issues.
More information about these vulnerabilities can be found in the security
advisory issued by RedHat Linux:
* https://rhn.redhat.com/errata/RHSA-2009-0315.html
2. Avaya System Products with firefox installed:
Product: Affected Version(s): Risk Level: Actions:
Avaya Intuity AUDIX LX All Low See recommended actions below.
This issue will be addressed in accordance
with section five of Avaya's Product Security
Vulnerability Response Policy
Avaya Messaging Storage Server All Low See recommended actions below.
This issue will be addressed in accordance
with section five of Avaya's Product Security
Vulnerability Response Policy
Avaya Message Networking All Low See recommended actions below.
This issue will be addressed in accordance
with section five of Avaya's Product Security
Vulnerability Response Policy
Recommended Actions:
Avaya strongly recommends that customers follow networking and security best
practices by implementing firewalls, ACLs, physical security or other
appropriate access restrictions. Though Avaya believes such restrictions
should always be in place; risk to Avaya's product and the surrounding
network from this potential vulnerability may be mitigated by ensuring these
practices are implemented until such time as a product update is available.
Further restrictions as deemed necessary based on the customer's security
policies may be required during this interim period.
3. Avaya Software-Only Products:
Avaya software-only products operate on general-purpose operating systems.
Occasionally vulnerabilities may be discovered in the underlying operating
system or applications that come with the operating system. These
vulnerabilities often do not impact the software-only product directly but
may threaten the integrity of the underlying platform.
In the case of this advisory Avaya software-only products are not affected by
the vulnerability directly but the underlying Linux platform may be.
Customers should determine on which Linux operating system the product was
installed and then follow that vendor's guidance.
Product: Actions:
CVLAN Depending on the Operating System provided by customers, the
affected package may be installed on the underlying Operating System supporting the
CVLAN application.
Avaya Integrated Management Suite (IMS) Depending on the Operating System
provided by customers, the affected package may be installed on the
underlying Operating System supporting the IMS application.
Voice Portal Depending on the Operating System provided by customers, the
affected package may be installed on the underlying Operating System
supporting the Voice Portal application.
AES 4.x Depending on the Operating System provided by customers, the
affected package may be installed on the underlying Operating System
supporting the AES application.
Recommended Actions:
In the event that the affected package is installed, Avaya recommends that
customers follow recommended actions supplied by RedHat Linux.
4. Additional Information:
Additional information may also be available via the Avaya support website
and through your Avaya account representative. Please contact your Avaya
product support representative, or dial 1-800-242-2121, with any questions.
5. Disclaimer:
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS
PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND
AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND
FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS
RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS.
IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF
OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN,
INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES.
THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN
PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED
AS PER EXISTING AGREEMENTS WITH AVAYA.
6. Revision History:
V 1.0 - March 5, 2009 - Initial Statement issued.
Send information regarding any discovered security problems with Avaya
products to either the contact noted in the product's documentation or
securityalerts@avaya.com.
2009 Avaya Inc. All Rights Reserved. All trademarks identified by the or
are registered trademarks or trademarks, respectively, of Avaya Inc. All
other trademarks are the property of their respective owners.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJtghjNVH5XJJInbgRAnEzAJ4lciyP3EgrWsXeVkQ0mDEdYJ+F8QCfeYTr
Nj7dKhjUdS6FlMccPLzyqP8=
=R/mS
-----END PGP SIGNATURE-----
|