OBSO-2407-03

Unify OpenScape 4000 Assistant and Unify OpenScape 4000 Manager Command Injection Vulnerability

Link to Unify OBSO: https://www.mitel.com/support/security-advisories/obso-2407-03

Risk Assessment

CVSS3.1 Base score: 9.8 (Critical)

Products confirmed affected

Product Name | Product Version | Available Solution(s)
Unify OpenScape 4000 Assistant | V11 R0.22 and earlier | For version V10 R1.42 upgrade to fixed version OS4K Assistant Hotfix V10 R1.42.8 or later. For version V11 R0.22 upgrade to fixed version OS4K Assistant Hotfix V11 R0.22.2 or later.
Unify OpenScape 4000 Manager | V11 R0.22 and earlier | For version V10 R1.42 upgrade to fixed version OS4K Manager Hotfix V10 R1.42.8 or later. For version V11 R0.22 upgrade to fixed version OS4K Manager Hotfix V11 R0.22.2 or later.

OBSO-2407-01

PUBLIC – FOR EXTERNAL USE (TLP: WHITE) – PHP CGI Module Argument Injection Vulnerability (CVE-2024-4577)

https://www.mitel.com/support/security-advisories/obso-2407-01

Affected Products

Product statements are related to product versions before End of Support (M44) is reached

Products confirmed affected

Unify OpenScape Voice Trace Manager V8.R0.9.13 and earlier.
Update to V8.R0.9.14 or later.

Products confirmed not affected

Unify OpenScape Deployment Service V10 (see Note 1)

Additional Notes

Note 1:
OpenScape Deployment Service is not directly impacted as it does not deliver PHP. DLS delivers a PHP script (dls_directory_reader.php) that the admin can use to integrate DLS into an existing Apache server. Customers that use the PHP script should check their configuration and update their PHP stack to a fixed version.