Product Support Notice © 2021 Avaya Inc. All Rights Reserved.
PSN # PSN005946u Avaya Proprietary – Use pursuant to the terms of your signed agreement or company policy.
Original publication date 15-Dec-2021. This is Issue #03,
published date: 16-Dec-2021.
Severity/risk
level
High Urgency Immediately
Name of problem
IP Office Log4j vulnerability (CVE-2021-44228).
Products affected
IP Office Perpetual, Subscription, Powered By VM
Releases: 11.0.4.1 to 11.0.4.6. 11.1.0.0 to 11.1.2.0
Problem description
The one-X Portal for IP Office, Media Manager, Web RTC Gateway and Web Collaboration
applications are susceptible to the Log4j vulnerability CVE-2021-44228: Apache Log4j2 JNDI features
do not protect against attacker-controlled LDAP and other JNDI related endpoints.
This issue does not affect IP Office Basic Edition, Essential Edition, Branch deployments or IP Office
Powered By Containers.
Preferred Edition without any of the vulnerable applications active is also not affected.
Details for other Avaya products can be found at:
https://support.avaya.com/helpcenter/getGenericDetails?detailId=1399839287609Resolution
A patch will be provided on or before 17th December 2021 to remediate all affected releases.
Workaround or alternative remediation
Ensure one-X Portal for IP Office, Media Manager, Web RTC Gateway and Web Collaboration
services are disabled