TelWare is aware of the recently identified Apache Log4j vulnerabilities, CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105, and has conducted impact assessments, mitigations, and remediation across all our services where necessary. TelWare has already implemented intrusion prevention systems (IPS) to block any attempted exploit of our cloud services and has updated all services that use Log4j to the latest version available. We are also working closely with our vendors to ensure all proprietary software is patched in accordance with NIST guidelines.
There is no risk or security impact to TelWare products, including OneCloud, HDMeet, SecureFax, and OCBlast. However, Avaya, a longtime partner of TelWare, has confirmed that Avaya IP Office editions 11.0.4.1 to 11.0.4.6 and 11.1.0.0 to 11.1.2.0 are affected by the Log4j vulnerability if running One-X or Web Collaboration services. These services are usually only enabled if you are using desktop or mobile clients such as Equinox or Avaya Communicator.
At this time, our security specialists have not seen any successful attempts to use the Log4j vulnerability across our network. We continue to monitor the situation and will notify our customers of any change.
What Do I Need to Do if I have Avaya?
If you are on Avaya Cloud, TelWare engineers updated our intrusion prevention systems to block the exploit on December 9th, 2021, the date the CVE was released. Avaya also released a patch for CVE-2021-44228 and CVE-2021-45046 on December 17, 2021, which TelWare automatically applied to your system once it was released.
If you are on Avaya on-premise running versions 11.0.4.1 to 11.0.4.6 or 11.1.0.0 to 11.1.2.0, your system needs to be patched so that it is no longer at risk. Please contact TelWare at your earliest convenience to schedule support. You can also limit your risk by shutting down the services identified by Avaya as vulnerable.
For ongoing status updates, refer to the Avaya support website.