Avaya has released information on multiple vulnerabilities in its products. The first set of issues stems from errors in certain OpenSSL functions: one function can be exploited to cause a buffer overflow, and a weakness in the RSA implementation can be exploited to reveal private keys. The following products are affected:
- Avaya Communication Manager (CM 3.0)
- Avaya EMMC (1.017, 1.021)
- Avaya CCS/SES (3.1 and earlier)
- Avaya AES (AES 3.1.4 and earlier)
The next set of issues lies in the PCRE libraries. When parsing certain regular expressions, an integer overflow can occur, resulting in a denial of service or potentially the compromise of an application using the library. Additionally, an error in processing multiple unspecified character classes can be exploited to cause insufficient memory allocation.
The following versions are affected:
- Avaya Communication Manager (CM 3.1, CM 4.x)
- Avaya Intuity AUDIX LX (IALX 2.0)
- Avaya Messaging Storage Server (MSS 3.x)
- Avaya Message Networking (MN 3.1)
- Avaya CCS/SES (3.1.1, 3.1.2, 4.0)
- Avaya AES (AES 4.0.1)