Advisory on Bash-Shellshock Vulnerability
For detailed information about specific product assessments, please visit our Security Support website, which is dedicated to housing all information about the Bash - Shellshock vulnerability.
Directions for remediation of any affected products will be made available from the Security Support website dedicated to product information about the Bash - Shellshock vulnerability. Information at this site is being updated continuously, so please check in frequently.
Avaya IT conducts regular vulnerability scans of all devices and continues to do so with the addition of detection for the Bash - Shellshock vulnerability. Given the severity of the issue, Avaya has also introduced additional internal scans of our data centers and added blocks and alerts for Bash-Shellshock on IDS/IPS where available. The results of these remote network scans are reviewed each day and any new discovery is immediately forwarded to the site owners for remediation. The particular remediation implemented is the one prescribed by each specific vendor as they release it to the public. Typically, this includes security patching or software upgrades.
4. What defensive measures does Avaya have in place (Firewalls, IPS, etc.) to protect your hosted services from this and similar attacks, and are those measures updated to detect/block "Shell shock" attacks?
Avaya's network is built with layered security, including DMZs, firewalls, and IDS/IPS. As noted above, Avaya has implemented blocks for Bash-Shellshock on its IDS/IPS where patches are available.
5. What assessment measures for Avaya IT systems are in place and planned? e.g. scanning and monitoring.
Avaya's daily scanning of Internet-facing devices has been updated to include detection of the Bash-Shellshock vulnerability. The results of these remote network scans are reviewed each day and any new discovery is immediately forwarded to the site owners for remediation.
6. How is the assessment of impacted configuration items being tracked? e.g. Systems/Servers/Network/IT Appliances
Findings from the scans are documented in the scanning results database. The application of patches must go through the Avaya Change Management Process, so the change would be documented and retained, to include reference to the business need for the approved change.
7. Who should I contact if I need more information about the BASH aka Shellshock vulnerability?
If your questions are not answered in the preceding list or at the product support site, please send an email to firstname.lastname@example.org.