Avis du CERT RENATER

Par défaut, cette page vous affichera les derniers messages envoyés par le CERT RENATER à la communauté. Vous pouvez affiner par année ou par type de message. Si aucun critère n'est précisé, seuls les derniers messages sont affichés
Date : Wed, 17 Dec 2008 17:27:11 +0100
Type : VULN
Sujet : CERT-Renater : 2008/VULN595 (Avaya: Java Runtime Environment vulnerabilities)
====================================================================                                   CERT-Renater

                        Note d'Information No. 2008/VULN595
_____________________________________________________________________

DATE                      : 17/12/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Avaya CMS, Avaya IR.

======================================================================
http://support.avaya.com/elmodocs2/security/ASA-2008-484.htm
http://support.avaya.com/elmodocs2/security/ASA-2008-485.htm
______________________________________________________________________

The Java Runtime Environment Creates Temporary Files That Have "Guessable"
File Names (Sun 244986)

Original Release Date: December 15, 2008
Last Revised: December 15, 2008
Number: ASA-2008-484
Risk Level: Low
Advisory Version: 1.0
Advisory Status: Interim

1. Overview:

A new Sun Alert Notification from Sun Microsystems has been issued and is
described below. Additional information about this issue may be found on the
sunsolve.sun.com website, although a maintenance contract with Sun may be
required to view the information.

    244986
    The Java Runtime Environment Creates Temporary Files That Have "Guessable"
    File Names
    Product: Java Platform, Standard Edition (Java SE)
    Category: Security
    Date Released: 03-Dec-2008
    http://sunsolve.sun.com/search/document.do?assetkey=1-66-244986-1

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CVE-2008-5360 to this issue.

2. Avaya System Products using a Sun Microsystems Operating System:

Avaya system products include an Operating System with the product when it is
delivered. Avaya Call Management System (CMS) and Avaya Interactive Response
(IR) are both shipped with an operating system from Sun Microsystems. Actions
to be taken on those products are described below.

Product: 	Affected Version(s): 	Risk Level: 	Actions:

Avaya CMS 	All 	Low 	See recommended actions below.  This issue
will be addressed in accordance with Avaya's Product Security Vulnerability
Response Policy

Avaya IR 	2.0, 3.0 	Low 	See recommended actions below.  This
issue will be addressed in accordance with Avaya's Product Security
Vulnerability Response Policy

Recommended Actions:
For all vulnerable system products, Avaya recommends that customers restrict
local and network access to the server. This restriction should be enforced
through the use of physical security, firewalls, ACLs, VPNs, and other
generally-accepted networking practices until such time as an update becomes
available and can be installed.

3. Additional Information:

Additional information may also be available via the Avaya support website
and through your Avaya account representative. Please contact your Avaya
product support representative, or dial 1-800-242-2121, with any questions.

4. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS
PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND
AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND
FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS
RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS.
IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF
OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN,
INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN
PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED
AS PER EXISTING AGREEMENTS WITH AVAYA.

5. Revision History:

V 1.0 - December 15, 2008 - Initial Statement issued.

Send information regarding any discovered security problems with Avaya
products to either the contact noted in the product's documentation or
securityalerts@avaya.com.

 2008 Avaya Inc. All Rights Reserved. All trademarks identified by the  or
 are registered trademarks or trademarks, respectively, of Avaya Inc. All
 other trademarks are the property of their respective owners.
___________________________________________________________________________

Java Runtime Environment (JRE) Buffer Overflow Vulnerabilities in Processing
Image Files and Fonts May Allow Applets or Java Web Start Applications to
Elevate Their Privileges

Original Release Date: December 15, 2008
Last Revised: December 15, 2008
Number: ASA-2008-485
Risk Level: Low
Advisory Version: 1.0
Advisory Status: Interim

1. Overview:

A new Sun Alert Notification from Sun Microsystems has been issued and is
described below. Additional information about this issue may be found on the
sunsolve.sun.com website, although a maintenance contract with Sun may be
required to view the information.

    244987
    Java Runtime Environment (JRE) Buffer Overflow Vulnerabilities in
    Processing Image Files and Fonts May Allow Applets or Java Web Start
    Applications to Elevate Their Privileges
    Product: Java Platform, Standard Edition (Java SE)
    Category: Security
    Date Released: 03-Dec-2008
    http://sunsolve.sun.com/search/document.do?assetkey=1-66-244987-1

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the names CVE-2008-5356, CVE-2008-5357, CVE-2008-5358 and CVE-2008-5359 to
these issues.

2. Avaya System Products using a Sun Microsystems Operating System:

Avaya system products include an Operating System with the product when it is
delivered. Avaya Call Management System (CMS) and Avaya Interactive Response
(IR) are both shipped with an operating system from Sun Microsystems. Actions
to be taken on those products are described below.

Product:        Affected Version(s):    Risk Level:     Actions:

Avaya CMS       All     Low     See recommended actions below.  This issue
will be addressed in accordance with Avaya's Product Security Vulnerability
Response Policy

Avaya IR        2.0, 3.0        Low     See recommended actions below.  This
issue will be addressed in accordance with Avaya's Product Security
Vulnerability Response Policy

Recommended Actions:
For all vulnerable system products, Avaya recommends that customers restrict
local and network access to the server. This restriction should be enforced
through the use of physical security, firewalls, ACLs, VPNs, and other
generally-accepted networking practices until such time as an update becomes
available and can be installed.

3. Additional Information:

Additional information may also be available via the Avaya support website
and through your Avaya account representative. Please contact your Avaya
product support representative, or dial 1-800-242-2121, with any questions.

4. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS
PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND
AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND
FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS
RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS.
IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF
OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN,
INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE
FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS
PER EXISTING AGREEMENTS WITH AVAYA.

5. Revision History:

V 1.0 - December 15, 2008 - Initial Statement issued.

Send information regarding any discovered security problems with Avaya
products to either the contact noted in the product's documentation or
securityalerts@avaya.com.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================