Poly Plygn 21 08 Systems Apache
plygn-21-08-poly-systems-apache
plygn-21-08-poly-systems-apache
plygn-21-08-poly-systems-apache
plygn-21-08-poly-systems-apache
User Manual: Poly
Open the PDF directly: View PDF .
Page Count: 10
Download | |
Open PDF In Browser | View PDF |
Security Advisory _____________________________________________________________________________________________________________________________ _____________________________________________________________________________________ Vulnerability in Apache Log4j Affecting Poly Systems Last Update: 24-Dec-2021 – 09:00 Central Time Initial Public Release: 13-Dec-2021 Advisory ID: PLYGN21-108 CVE ID: CVE-2021-44228 CVSS Score: 10.0 CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Vulnerability Summary A critical remote command execution (RCE) vulnerability in Apache Log4j (CVE-202144228) was publicly disclosed on December 9th, 2021. Apache has released a patch for vulnerable versions. Upon notice of the vulnerability, Poly's incident response process was initiated and we have been conducting a thorough investigation to determine which, if any Poly products and services might be subject to this vulnerability. This effort is a top priority for Poly and we will continue to update this advisory as more information becomes available. As this is an ongoing investigation, please note that information related to any product or service may be subject to change. Any product not listed below is still under investigation to determine whether they are affected by this vulnerability. Product Status The following have been identified as affected product or service and includes the dates and versions of which we are currently aware (subject to change as investigation continues). If no date or version is currently listed for an affected product or service, we will update this bulletin when our evaluation is complete, and the information is available. Product Poly Clariti Core/Edge (a.k.a. DMA/CCE) - 9.0 and above Fix Availability - 14-Dec-2021 Manual configuration change available. Please contact Poly Support - CCE (a.k.a. DMA) 10.1.0.2 released Poly Clariti Relay version 1.x Clariti Relay 1.0.2 – released Poly RealConnect for Microsoft Teams and Skype for Business Mitigations Complete Cloud Relay (OTD and RealConnect hybrid use case) Mitigations Complete Plantronics Manager Mitigations Complete Plantronics Manager Pro Mitigations Complete Products Identified as Not Vulnerable Headsets Wireless and Wired Headsets Phones and Speakerphones VVX 150/250/350/450 VVX 150/250/350/450 Obi Software VVX 101/201/300/310/301/311/400/410/401/411/500/501/600/601 CX5100/CX5500 Poly Rove DECT SoundStation SoundStation IP SoundPoint IP VoiceStation Obi 300/302/312/504/508 VVX D230 Poly Edge B10/B20/B30 CCX 400/500/600/700 Video Conferencing ATX300 CX7000/CX8000 Poly G7500 Poly X30/X50/X70 Poly G10-T/G40-T/G85-T Polycom RealPresence Group Series Family Polycom RealPresence Immersive Studio Polycom HDX Family Polycom Pano Poly OTX100/OTX300 Poly OTX Studio Polycom Companion App Polycom Content App Trio C60 Trio 8500/Trio 8800 Trio 8300 Trio VisualPro Visual+ G200 RealPresence Centro RealPresence Debut Software and Services Poly Clariti Manager (RealPresence Resource Manager / RPRM) Poly RealPresence Collaboration Server (RPCS/RMX) Poly Clariti App Poly Content Connect Poly RealPresence Desktop Poly RealPresence Mobile Poly Workflow Server Poly Workflow Lite RealPresence Distributed Media Application (DMA 6.x and below) Poly Lens PDMS-SP PDMS-E Cloud-OTD RealPresence Access Director (RPAD) Zero Touch Provisioning Service (ZTP) Polycom RealAccess RealPresence Web Suite (RPWS) Plantronics Hub Desktop (Windows) Plantronics Hub Desktop (Mac) Plantronics Hub Mobile (iOS) Plantronics Hub Mobile (Android) BToE for VVX Plantronics Status Indicator Companion PC Audio Connector Peripherals EagleEye Director II EagleEye IV EagleEye Mini EagleEye Cube Poly Studio E70 Poly Studio Poly P5 Poly P15 Poly P21 Poly TC8 EagleEye Producer RealPresence Touch Eagle Eye IV USB Poly IP Mic Poly IP Mic Adapter Poly IP Ceiling Microphone Solution Poly recommends customers upgrade to appropriate software version or later as established in the product table. https://support.polycom.com/PolycomService/home/home.htm Implement Alternative Controls for Products/Services until Patches are Available for Deployment It is recommended to implement strong network security practices and monitor network connections for any unauthorized connections. In addition, monitoring logs for indications of exploitation is encouraged as well. Ensure that any alerts from a vulnerable product or service are actioned immediately. Report incidents promptly to law enforcement and to Poly as provided below. Details CVE 2021-44228: Apache Log4j Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. Source: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 CVE 2021-45046: Apache Log4j It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non- default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. Source: https://nvd.nist.gov/vuln/detail/CVE-2021-45046 CVE 2021-45105: Apache Log4j Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. Source: https://nvd.nist.gov/vuln/detail/CVE-2021-45105 Contact Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Polycom Technical Support – either call 1-800POLYCOM or visit: https://support.polycom.com/content/support/security-center.html For the latest information. Revision History Date Description Status Interim 1.49 12/24/2021 Updated product status and patch availability 1.48 12/22/2021 Updated product status Interim 1.48 12/21/2021 Updated product status Interim 1.47 12/20/2021 Updated product status Interim 1.46 12/18/2021 Updated product status Added CVE-2021-45105 Interim 1.45 12/17/2021 Updated product status Interim Version 1.44 12/17/2021 Updated product and services status Interim 1.43 12/16/2021 Updated product status Interim 1.42 12/16/2021 Modified Last update time format Updated product status, Vulnerability Summary Added update revision to top of document Updated CVE-2021-44228 Detail Added CVE-2021-45046 Updated product status, Vulnerability Summary and Alternative Controls sections Updated product status and added products not included in prior releases Updated status and added products Updated status and added products Interim Initial Public Release Interim 1.41 12/16/2021 1.4 12/15/2021 1.3 12/15/2021 1.2 12/14/2021 1.1 12/14/2021 1.0 12/13/2021 Interim Interim Interim Interim Interim ©2021 Plantronics, Inc. All rights reserved. Trademarks Poly, the propeller design, and the Poly logo are trademarks of Plantronics, Inc. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Poly. Disclaimer While Poly uses reasonable efforts to include accurate and up-to-date information in this document, Poly makes no warranties or representations as to its accuracy. Poly assumes no liability or responsibility for any typographical errors, out of date information, or any errors or omissions in the content of this document. Poly reserves the right to change or update this document at any time. Individuals are solely responsible for verifying that they have and are using the most recent Technical Bulletin. Limitation of Liability Poly and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Poly and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive, or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Poly has been advised of the possibility of such damages.
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.7 Linearized : No Page Count : 10 Language : en-US Tagged PDF : Yes XMP Toolkit : 3.1-701 Producer : Microsoft® Word for Microsoft 365 Creator Tool : Microsoft® Word for Microsoft 365 Create Date : 2021:12:24 08:14:17-06:00 Modify Date : 2021:12:24 08:14:17-06:00 Document ID : uuid:E85907BA-E356-44C3-BF51-70B92B4E550C Instance ID : uuid:E85907BA-E356-44C3-BF51-70B92B4E550C Creator : Microsoft® Word for Microsoft 365EXIF Metadata provided by EXIF.tools