CVE-2022-29499 The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 has an error that allows remote code execution.

If a user on a call requests a Service Appliance that does not exist in the system, the request could be used by an attacker to send malicious code to the system and execute code. Mitel has identified a fix for this issue that is included in release 19.2 SP3. Mitel recommends that customers upgrade to release 19.2 SP3 as soon as possible. Mitel is notifying impacted customers of the issue and providing migration paths to the latest release. Mitel has also shared this issue with the security community and will provide updates to them when they are made available.

Mitel recommends that customers upgrade to release 19.2 SP3 as soon as possible

Mitel has identified a fix for this issue that is included in release 19.2 SP3. Mitel recommends that customers upgrade to release 19.2 SP3 as soon as possible. This will ensure that the issue is not present on the system after installation.

Summary of Issue

Mitel has identified a vulnerability in their product that could be used to execute code. Mitel is notifying affected customers, providing migration paths to the latest release and sharing this issue with the security community. Mitel is making sure that there are no other vulnerabilities in this product and has shared their findings with the security community as well.

What to do if you are impacted

Mitel advises customers to upgrade to release 19.2 SP3 as soon as possible. Mitel is notifying impacted customers of the issue and providing migration paths to the latest release.
If a Service Appliance exists in your system but it is not on version 19.2 SP3, Mitel advises you to upgrade your system to version 19.2 SP3 as soon as possible.

What is the risk to my business?

If a user on a call requests a Service Appliance that does not exist in the system, the request could be used by an attacker to send malicious code to the system and execute code. This risk is considered medium because an attacker could exploit this issue to execute code without the knowledge of the Mitel administrator.

Timeline

Published on: 04/26/2022 02:15:00 UTC
Last modified on: 05/05/2022 18:25:00 UTC

References

• https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0002
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29499