Advisory on Bash-Shellshock Vulnerability

03 Oct 2014
Avaya takes the privacy and security of our customers very seriously. From the products to the systems that touch our customers and partners, Avaya fully engages to understand, eliminate or remediate any factors that could put you at risk.  Since the news of the Bash-Shellshock vulnerability, Avaya Corporate Security along with the IT, Product and Services Security teams have been working aggressively to assess impact and if needed, develop actions for remediation.
A brief Q&A below will provide information about the measures being taken to assess the BASH- Shellshock vulnerability in Avaya products and systems. Although we’re moving as quickly as possible, careful, extensive assessments take a bit of time and we ask for your patience as we work through the portfolio. In addition, security is rarely “once and done,” and we will continue to monitor and update our assessments.
1.  Which Avaya products are affected?’
For detailed information about specific product assessments, please visit our Security Support website that has been dedicated to housing all information about the Bash – Shellshock vulnerability.
2.  What steps do I need to take if I am using an affected product?
Directions for remediation of any affected products will be made available from the Security Support website dedicated to product information about the Bash - Shellshock vulnerability. Information at this site is being updated continuously, so please check in frequently.
3.  What is current mitigation plan and countermeasures for BASH - Shellshock with regards to Avaya IT systems?
Avaya IT conducts regular vulnerability scans of all devices and continues to do so with the addition of detection for the Bash - Shellshock vulnerability.  Given the severity of the issue, Avaya has also introduced additional internal scans of our data centers as well as adding blocks and alerts for Bash-Shellshock on IDS/IPS where available. The results of these remote network scans are reviewed each day and any new discovery is immediately forwarded to the site owners for remediation. The particular remediation implemented is prescribed by each specific vendor as they release to the public.  Typically, this includes security patching or software upgrades.  

4.  What defensive measures does Avaya have in place (Firewalls, IPS, etc.) to protect your hosted services from this and similar attacks, and are those measures updated to detect/block "Shell shock" attacks?
Avaya's network is built with layered security, including DMZ's, firewalls, and IDS/IPS. As noted above, Avaya has implemented blocks for Bash-Shellshock on its IDS/IPS where patches are available.

5.  What assessment measures for Avaya IT systems are in place and planned? e.g. scanning and monitoring.
Avaya daily scanning of Internet-facing devices has been updated to include detection of the Bash-Shellshock vulnerability.  The results of these remote network scans are reviewed each day and any new discovery is immediately forwarded to the site owners for remediation.  

6.  How is the assessment of impacted configuration items being tracked? e.g. Systems/Servers/Network/It Appliances
Findings from the scans are documented in the scanning results database.  The application of patches must go through the Avaya Change Management Process, so the change would be documented and retained, to include reference to the business need for the approved change.

7.  Who should I contact if I need more information about the BASH aka Shellshock vulnerability?
If your questions are not answered in the preceding list or at the product support site, please send an email to