Mitel Product Security Advisory 16-0013
Multiple Vulnerabilities in OpenSSL
Advisory ID: 16-0013
Publish Date: 2016-07-05
Multiple vulnerabilities have been identified in specific versions of OpenSSL.
The following CVEs have been issued against specific versions of the OpenSSL 1.0.1 and 1.0.2 cryptographic libraries:
Four of these vulnerabilities are rated moderate or high risk in their CVE descriptions:
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.
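The four descriptions above each name the first fixed release on the 1.0.1 and 1.0.2 branches. The following Python check is an added example, not part of the Mitel advisory: it maps an `openssl version` banner from a Linux host onto those thresholds and reports which of the four issues that build still lacks. The issue labels are shorthand of my own for the descriptions, and the OpenSSL letter-suffix ordering is the only assumption beyond the advisory text.

```python
import re
import subprocess

# First fixed patch letter per branch for each of the four issues described
# above. Labels are my own shorthand; the letters are the thresholds the
# descriptions state ("before 1.0.1s and 1.0.2 before 1.0.2g", and so on).
FIXES = {
    "fmtstr length miscalculation (b_print.c)":     {"1.0.1": "s", "1.0.2": "g"},
    "ASN.1 negative zero":                          {"1.0.1": "o", "1.0.2": "c"},
    "asn1_d2i_read_bio memory consumption":         {"1.0.1": "t", "1.0.2": "h"},
    "doapr_outch unchecked allocation (b_print.c)": {"1.0.1": "s", "1.0.2": "g"},
}

_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Extract (branch, patch letters) from '1.0.2g' or from a full banner
    such as 'OpenSSL 1.0.1e-fips 11 Feb 2013' (suffixes like -fips are ignored)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    return m.group(1), m.group(2)


def _letter_key(letters):
    # OpenSSL 1.0.x patch releases are lettered: 1.0.2 < 1.0.2a < ... < 1.0.2z
    # < 1.0.2za, so compare by length first and then alphabetically.
    return (len(letters), letters)


def unfixed_issues(version_text):
    """Return the set of advisory issues not yet fixed in this OpenSSL build.
    Only the 1.0.1 and 1.0.2 branches named in the advisory are covered."""
    branch, letters = parse_version(version_text)
    if branch not in ("1.0.1", "1.0.2"):
        raise ValueError("branch %s is outside this advisory's scope" % branch)
    return {
        issue for issue, fixed in FIXES.items()
        if _letter_key(letters) < _letter_key(fixed[branch])
    }


if __name__ == "__main__":
    # Query the locally installed library the way an administrator would.
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout
    print(banner.strip(), "->", sorted(unfixed_issues(banner)) or "all four fixed")
```

A build reporting 1.0.2g, for instance, is clear of the three older issues but still lacks the asn1_d2i_read_bio fix that arrived in 1.0.2h.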
Mitel is not aware of any specific products being vulnerable. However, all Linux and MSL-based products that include the OpenSSL library are potentially affected.
Security Bulletins are being issued for the following products:
| Product Name | Product Versions | Security Bulletin | Last Updated |
| MiCollab AWV | AWV 6.1, AWV 6.0, AWV 5.0, 6.0 and earlier | | |
| MiCollab NPM | NPM 8 SP1, NPM 8, NPM 7 SP2 | | |
| MiVoice Business for Industry Standard VMware Virtual Appliance, | | | |
| MiVoice Business for Stratus | All | 16-0013-002 | 2016-07-05 |
| Server Manager for MiVoice Business for Industry Standard Server, VMware Virtual Appliance, Multi-instance platform | | | |
This list will be updated as additional Security Bulletins are published.
Products Under Investigation
All Enterprise products are being evaluated for these vulnerabilities. This advisory will be updated with additional information as it becomes available.