MS09-020 Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
Original Release Date: June 10, 2009
Last Revised: June 10, 2009
Number: ASA-2009-215
Risk Level: Medium
Advisory Version: 1.0
Advisory Status: Final
1. Overview:
Microsoft issued a security bulletin which contained security advisory MS09-020. This
security update resolves vulnerabilities in Microsoft Internet Information Services (IIS)
that could allow elevation of privilege if an attacker sent a specially crafted HTTP request
to a Web site that requires authentication. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the names CVE-2009-1122 and CVE-2009-1535 to
these issues. A description of the vulnerabilities may be found at:
http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx
Certain Avaya products utilize Microsoft Operating Systems and may be affected by this
vulnerability.
2. Avaya System Products:
Avaya system products include an Operating System with the product when it is
delivered. The system products described below are delivered with a Microsoft Operating
System. Actions to be taken with these products are also described below.
Product: Avaya Messaging Application Server
Affected Version(s): All
Risk Level: Medium
Actions: Avaya recommends that customers install the security update as provided via Microsoft Windows Update.
Recommended Actions:
Avaya strongly recommends that customers follow networking and security best practices
by implementing firewalls, ACLs, physical security or other appropriate access
restrictions. Though Avaya believes such restrictions should always be in place, risk to
Avaya's product and the surrounding network from this potential vulnerability may be
mitigated by ensuring these practices are implemented until such time as a product update