Avaya takes the privacy and security of our customers very seriously. From the products to the systems that touch our customers and partners, Avaya fully engages to understand, eliminate or remediate any factors that could put you at risk. Since the news of the Bash-Shellshock vulnerability, Avaya Corporate Security along with the IT, Product and Services Security teams have been working aggressively to assess impact and, if needed, develop actions for remediation.
A brief Q&A below will provide information about the measures being taken to assess the Bash-Shellshock vulnerability in Avaya products and systems. Although we’re moving as quickly as possible, careful, extensive assessments take a bit of time and we ask for your patience as we work through the portfolio. In addition, security is rarely “once and done,” and we will continue to monitor and update our assessments.
1. Which Avaya products are affected?
For detailed information about specific product assessments, please visit our Security Support website that has been dedicated to housing all information about the Bash – Shellshock vulnerability.
2. What steps do I need to take if I am using an affected product?
Directions for remediation of any affected products will be made available from the Security Support website dedicated to product information about the Bash - Shellshock vulnerability. Information at this site is being updated continuously, so please check in frequently.
3. What is the current mitigation plan and countermeasures for Bash-Shellshock with regard to Avaya IT systems?
Avaya IT conducts regular vulnerability scans of all devices and continues to do so with the addition of detection for the Bash-Shellshock vulnerability. Given the severity of the issue, Avaya has also introduced additional internal scans of our data centers and added blocks and alerts for Bash-Shellshock on IDS/IPS where available. The results of these remote network scans are reviewed each day and any new discovery is immediately forwarded to the site owners for remediation. The particular remediation implemented is the one prescribed by each specific vendor as it is released to the public. Typically, this includes security patching or software upgrades.
4. What defensive measures does Avaya have in place (Firewalls, IPS, etc.) to protect your hosted services from this and similar attacks, and are those measures updated to detect/block "Shell shock" attacks?
Avaya's network is built with layered security, including DMZs, firewalls, and IDS/IPS. As noted above, Avaya has implemented blocks for Bash-Shellshock on its IDS/IPS where patches are available.
5. What assessment measures for Avaya IT systems are in place and planned? e.g. scanning and monitoring.
Avaya's daily scanning of Internet-facing devices has been updated to include detection of the Bash-Shellshock vulnerability. The results of these remote network scans are reviewed each day and any new discovery is immediately forwarded to the site owners for remediation.
6. How is the assessment of impacted configuration items being tracked? e.g. Systems/Servers/Network/IT Appliances
Findings from the scans are documented in the scanning results database. The application of patches must go through the Avaya Change Management Process, so the change would be documented and retained, to include reference to the business need for the approved change.
7. Who should I contact if I need more information about the BASH aka Shellshock vulnerability?
If your questions are not answered in the preceding list or at the product support site, please send an email to firstname.lastname@example.org.
TRIAL AGREEMENT FOR AVAYA COLLABORATORY
v. 1.0 January 27, 2018
"TRIAL CUSTOMER," "YOU", OR "YOUR" AS REFERENCED HEREIN MEANS THE LEGAL ENTITY WHICH IS ACCEPTING THIS TRIAL AGREEMENT, PLACING AN ORDER UNDER THIS TRIAL AGREEMENT, OR IS DOWNLOADING, ACCESSING OR USING THE SOFTWARE AND SERVICES (OR HAS PERMITTED SOMEBODY TO DO SO ON ITS BEHALF).
YOU REPRESENT THAT YOU ARE A CORPORATION, COMPANY OR OTHER BUSINESS ENTITY, AND NOT A CONSUMER, AND THAT YOU HAVE AUTHORIZED THE PERSON ACCEPTING THIS TRIAL AGREEMENT TO BIND YOU TO THIS TRIAL AGREEMENT. THE PERSON ACCEPTING THIS TRIAL AGREEMENT ON YOUR BEHALF REPRESENTS THAT HE OR SHE HAS READ THE TRIAL AGREEMENT DOCUMENTS IN FULL AND HAS FULL LEGAL AUTHORITY TO LEGALLY BIND YOU TO THIS TRIAL AGREEMENT. SUCH PERSON’S ONLINE ACCEPTANCE OF THIS TRIAL AGREEMENT WILL HAVE THE SAME LEGAL EFFECT AS IF YOU WERE PROVIDING A HANDWRITTEN SIGNATURE OF ACCEPTANCE. IF SUCH PERSON DOES NOT HAVE SUCH AUTHORITY OR IF YOU DO NOT WISH TO BE BOUND BY THIS TRIAL AGREEMENT, SELECT THE "I DECLINE" BUTTON AT THE END OF THIS TRIAL AGREEMENT. OTHERWISE, SELECT THE "I ACCEPT" BUTTON AT THE END OF THIS TRIAL AGREEMENT TO SIGNIFY THAT YOU AGREE TO THE TERMS AND CONDITIONS OF THIS TRIAL AGREEMENT. YOU MAY PRINT A COPY OF THIS TRIAL AGREEMENT BY SELECTING THE "PRINT" BUTTON AT THE END OF THIS AGREEMENT. THIS AGREEMENT IS EFFECTIVE AS OF THE DATE YOU EITHER SELECT THE "I ACCEPT" BUTTON OR ACCESS OR USE THE AVAYA SOFTWARE OR HOSTED SERVICES.
YOU RECOGNIZE AND AGREE THAT THE SOFTWARE AND SERVICES ARE FOR BUSINESS USE AND NOT FOR CONSUMERS, AND YOU REPRESENT AND WARRANT THAT YOU WILL USE THE SOFTWARE AND SERVICES FOR BUSINESS PURPOSES ONLY AND NOT FOR PERSONAL, FAMILY, HOUSEHOLD, OR ANY OTHER CONSUMER PURPOSE.
Avaya and its licensors reserve and retain all right, title, and interest in the Hosted Services and any and all software, products and services that are included in the Hosted Services, including, but not limited to, any and all modifications and derivative works made thereto. Avaya hereby grants You a limited, non-exclusive, non-transferable, royalty-free right to access and use the Hosted Services during the Trial Period (defined below) solely for Your internal evaluation purposes only and only for use in a non-production environment. You shall not reverse engineer, decompile, sublicense, lease, assign, copy, modify, merge or transfer the Hosted Services or any Avaya software or code.
Trial Customer may internally trial the non-production version of the Hosted Services from the United States only for a period of up to 90 days from the date when Avaya enables access to the Hosted Services or otherwise makes the Hosted Services or its software available to You, unless that time period is modified in writing by Avaya at its discretion ("Trial Period"). This trial is for Your internal review only, and You may not offer the Hosted Services to any End User or other party during the Trial Period. Upon expiration of the 90 day trial period or any extension thereof, You shall cease use of the Hosted Services, return all software to Avaya, and irretrievably delete all software from your systems. Upon request, a duly authorized representative of Trial Customer will certify such destruction to Avaya. Avaya may share such certification with applicable suppliers whose software is part of the Hosted Services.
Avaya provides the Hosted Services "AS IS" for non-production use only without any warranties, express or implied, and without any promise to enter into a definitive agreement with You for the purchase or license of the Hosted Services. Use of the Hosted Services is at Your own risk, and You understand and agree that if the Hosted Services do not operate as expected, or if Avaya so chooses, Avaya reserves the right to end the Hosted Services trial without liability to Avaya. Either party, without any liability to the other, may terminate this trial early.
AVAYA DISCLAIMS ALL EXPRESS, STATUTORY, IMPLIED OR OTHER WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT.
AVAYA AND ITS SUPPLIERS SHALL NOT BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH, ARISING OUT OF OR RELATING TO THIS TRIAL AGREEMENT OR USE OF HOSTED SERVICES, OR FOR THE LOSS OR CORRUPTION OF DATA, INFORMATION OF ANY KIND, BUSINESS, PROFITS, OR OTHER COMMERCIAL LOSS, HOWEVER CAUSED, AND WHETHER OR NOT AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
IN NO EVENT SHALL AVAYA'S OR ITS SUPPLIER’S TOTAL LIABILITY TO TRIAL CUSTOMER IN CONNECTION WITH, ARISING OUT OF OR RELATING TO THIS TRIAL AGREEMENT OR THE HOSTED SERVICES EXCEED FIVE HUNDRED DOLLARS ($500). THE PARTIES AGREE THAT THE LIMITATIONS SPECIFIED IN THIS SECTION WILL APPLY EVEN IF ANY LIMITED REMEDY PROVIDED IN THIS TRIAL AGREEMENT IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.
FOR PURPOSES OF THIS TRIAL: (i) THE HOSTED SERVICES ARE NOT A TELECOMMUNICATIONS SERVICE; (ii) THE HOSTED SERVICES MAY NOT BE CONNECTED TO THE PUBLIC TELEPHONE NETWORK; (iii) THE TRIAL CUSTOMER MAY NOT USE CONFIDENTIAL, PERSONAL, PERSONALLY IDENTIFIABLE, PRIVATE, OR PERSONAL HEALTH INFORMATION WHEN USING THE HOSTED SERVICES; (iv) THE HOSTED SERVICES MAY NOT BE USED FOR ANY HIGH RISK ACTIVITIES; AND, (v) TRIAL CUSTOMER ACKNOWLEDGES AND UNDERSTANDS THAT THE HOSTED SERVICES ARE NOT INTENDED TO SUPPORT OR CARRY EMERGENCY CALLS OR COMMUNICATIONS OF ANY NATURE TO ANY TYPE OF EMERGENCY SERVICES OF ANY KIND, INCLUDING 911 AND E911 SERVICE OR SUCH SIMILAR SERVICES WHICH MAY BE LIMITED OR UNAVAILABLE. AVAYA IS NOT LIABLE IN ANY MANNER FOR TRIAL CUSTOMER’S USE OF THE HOSTED SERVICES IN VIOLATION OF THIS PARAGRAPH.
You shall observe all applicable laws and regulations when accessing and/or using the Hosted Services or any content of the Hosted Services, including, but not limited to, any export and import laws and/or regulations.
Because Avaya provides the Hosted Services to You as a trial, Your feedback will be essential to Avaya. Avaya will contact You periodically for Your feedback and You will provide feedback to Avaya. Any feedback You provide will become the property of Avaya, without any payment or other conditions owed to You. By signing below, You hereby assign to Avaya all right, title, and interest in and to such feedback. Avaya cannot promise to implement any of Your feedback in any future releases of the service.
Avaya and its suppliers reserve and retain all right, title, and interest in the Avaya Hosted Services, trial or otherwise. You must maintain the confidentiality of any information Avaya provides regarding the Hosted Services and any conversations Avaya has or other information Avaya exchanges about the Hosted Services, including Your feedback and comments ("Confidential Information"). You may not disclose to any third party, or provide or enable access to the Hosted Services or any other Confidential Information, by any third party. By signing below, You agree to take all reasonable precautions to protect Avaya’s Confidential Information, and Avaya will also take all reasonable precautions to protect any confidential information You share with us in connection with this Hosted Services, which, at the time of disclosure, is designated as confidential.
YOU SHALL DEFEND, HOLD HARMLESS, AND INDEMNIFY AVAYA AND ITS AFFILIATES FROM AND AGAINST ANY DAMAGES AND LOSSES, INCLUDING BUT NOT LIMITED TO COURT COSTS AND ATTORNEYS’ FEES, IN CONNECTION WITH ANY THIRD PARTY CLAIMS OR ACTIONS BROUGHT AGAINST AVAYA AND/OR ITS AFFILIATES AS A RESULT OF OR RELATED TO YOUR USE OF THE HOSTED SERVICES OR ANY FAILURE BY YOU TO COMPLY WITH THIS TRIAL AGREEMENT.