Product Security Advisories and Security Notes
The Product Security Team of Atos Unify publishes Security Advisories and associated notes as part of Atos Unify’s Vulnerability Intelligence Process.
Security Advisories are published to address security issues in Atos Unify products and how to mitigate or solve them.
Find more information in the associated Security Policy – Vulnerability Intelligence Process (Version 1.5 / published 2022-11-22)
Subscribe to receive e-mail notifications for new or updated Unify Product Security Advisories and Security Notes by sending an email to obso@atos.net.
As part of your subscription, we will store personal data to provide information about security advisories to you. With your subscription you provide consent to the processing of your personal data. Refer to the Privacy Information Notice for Atos Unify Security Advisories for additional information related to the processing of your personal data.
Follow @UnifyCoSecurity on Twitter or search for #obso
List of Security Advisories
| Advisory ID | Title | Risk Level | Release Date | Last Update |
| OBSO-2305-03 | Multiple vulnerabilities in Atos Unify OpenScape Xpressions | high to medium | 2023-05-22 |
2023-05-22
|
| OBSO-2305-02 | Multiple vulnerabilities affecting Atos Unify OpenScape Voice Trace Manager | critical | 2023-05-22 |
2023-05-22
|
| OBSO-2305-01 | Multiple vulnerabilities in Atos Unify OpenScape 4000 Assistant and Atos Unify OpenScape 4000 Manager | critical | 2023-05-02 |
2023-05-02
|
| OBSO-2303-02 | Command injection vulnerability in Atos Unify OpenScape SBC, Atos Unify OpenScape Branch and Atos Unify OpenScape BCF | high to medium | 2023-03-28 |
2023-05-08
|
| OBSO-2303-01 | Command injection vulnerability in the Atos Unify OpenScape 4000 Platform and OpenScape 4000 Manager | critical | 2023-03-20 |
2023-03-24
|
| OBSO-2211-02 | Command injection vulnerability in Atos Unify OpenScape 4000 Assistant and Atos Unify OpenScape 4000 Manager | critical | 2022-11-28 |
2022-11-28
|
| OBSO-2211-01 | OpenSSL V3 buffer overflow vulnerabilities (CVE-2022-3602 and CVE-2022-3786) | medium | 2022-11-08 |
2022-12-08
|
| OBSO-2210-01 | Apache Commons Text Insecure Interpolation Defaults Input Handling Arbitrary Code Execution (CVE-2022-42889) | medium |
2022-10-26
|
2023-03-09
|
| OBSO-2209-01 | Realtek eEcos SDK vulnerability (CVE-2022-27255) | info |
2022-09-05
|
2022-10-26 |
| OBSO-2207-01 | OpenSSL Certificate Parsing Infinite Loop Remote DoS (CVE-2022-0778) | high to medium |
2022-07-14
|
2023-01-31
|
| OBSO-2206-01 | Impact of critical Expat vulnerabilities on Atos Unify OpenScape Xpert (CVE-2022-23990 / CVE-2022-23852) |
high to medium |
2022-06-29
|
2022-06-29
|
| OBSO-2204-01 |
Spring Framework Remote Code Execution Vulnerability (Spring4Shell, CVE-2022-22965)
|
critical
|
2022-04-04
|
2022-04-14
|
| OBSO-2203-03 | Path Traversal vulnerability within Atos Unify OpenScape Deployment Service | high | 2022-03-16 | 2022-03-16 |
| OBSO-2203-02 | Linux Kernel lib/iov_iter.c Multiple Functions Missing Flag Initialization Read-only File Overwrite Local Privilege Escalation (CVE-2022-0847, Dirty Pipe) | medium | 2022-03-16 | 2023-01-16 |
| OBSO-2203-01 | Remote code execution vulnerability in Atos Unify OpenScape SBC , Atos Unify OpenScape Branch and Atos Unify OpenScape BCF | high | 2022-03-03 | 2022-03-14 |
| OBSO-2202-02 | Security Update Advisory for Atos Unify OpenScape Composer | high | 2022-02-07 | 2022-02-07 |
| OBSO-2202-01 | pwnkit: Local Privilege Escalation in polkit’s pkexec (CVE-2021-4034) | high | 2022-02-03 | 2022-08-12 |
| OBSO-2201-02 | Directory Traversal vulnerability in Atos Unify OpenScape Xpressions | high | 2022-01-24 | 2022-02-10 |
| OBSO-2201-01 | Apache Log4j JMSAppender Class Configuration Property Handling JNDI Lookup Local Privilege Escalation Weakness (CVE-2021-4104) | medium to high | 2022-01-18 |
2023-01-16
|
| OBSO-2112-01 | Critical vulnerability in Apache Log4j (Log4Shell, CVE-2021-44228, CVE-2021-45046,CVE-2021-45105 | high | 2021-12-13 | 2022-06-29 |
| OBSO-2111-01 | Atos Unify OpenScape Concierge Vulnerabilities and Configuration Note | high | 2021-11-22 | 2022-01-05 |
| OBSO-2110-01 | Atos Unify Product Security Configuration Note | info | 2021-10-14 | 2021-10-14 |
| OBSO-2107-02 |
Update of Security Checklist for Atos Unify OpenScape Alarm Response
|
info | 2021-07-26 | 2021-07-26 |
| OBSO-2107-01 | Local privilege escalation vulnerability within Atos Unify OpenScape 4000 Assistant and Atos Unify OpenScape 4000 Manager | medium | 2021-07-01 | 2022-04-01 |
| OBSO-2103-01 | OpenSSL Remote Denial of Service vulnerability (CVE-2021-3449) | high | 2021-03-31 | 2022-01-25 |
| OBSO-2102-01 | Sudo Buffer Overflow Vulnerability (CVE-2021-3156) | high | 2021-02-04 | 2021-04-21 |
| OBSO-2101-02 | OpenScape Business S – WAN Interface Vulnerability | high | 2021-01-19 | 2021-01-19 |
| OBSO-2101-01 | Amnesia:33 – Impact on Atos Unify Products | medium to low | 2021-01-08 | 2022-09-01 |
| OBSO-2011-01 | Input validation vulnerability within OpenScape 4000 Assistant/Manager | high | 2020-11-05 | 2020-11-05 |
| OBSO-2009-01 | SSH configuration vulnerability within OpenScape 4000 | medium | 2020-09-08 | 2021-04-14 |
| OBSO-2006-02 | OpenScape 4000 Assistant vulnerabilities | medium | 2020-06-10 | 2020-06-10 |
| OBSO-2006-01 | Input validation vulnerability within OpenScape Business | high | 2020-06-02 | 2020-06-05 |
| OBSO-2003-02 | GhostCat. Apache Tomcat Unspecified Local File Inclusion. (CVE-2020-1938) | high | 2020-03-12 | 2020-04-28 |
| OBSO-2003-01 | Apache Log4j SocketServer Class Log Data Handling Insecure Deserialization Remote Code Execution (CVE-2019-17571) |
info | 2020-03-03 | 2020-03-13 |
| OBSO-2002-01 | OpenScape UC – Multiple vulnerabilities | medium | 2020-02-17 | 2020-02-17 |
| OBSO-1911-02 | Sudo: Privilege escalation via potential bypass of Runas user restrictions (CVE-2019-14287) | info | 2019-11-08 | 2019-11-19 |
| OBSO-1911-01 | Impact of Microsoft Advisory ADV190023 for Unify Customers (Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing) | info | 2019-11-06 | 2020-06-10 |
| OBSO-1908-01 | VxWorks TCP/IP Network Stack (IPnet, Urgent/11) (CVE-2019-12256 to CVE-2019-12265) | info | 2019-08-14 | 2019-08-14 |
| OBSO-1906-01 | TCP SACK PANIC -Linux Kernel vulnerabilities (CVE-2019-11477, CVE-2019-11478, CVE -2019-11479, CVE-2019-5599) | medium to high | 2019-06-21 | 2019-12-17 |
| OBSO-1905-02 | Microsoft Windows Remote Desktop Services RDP Connection Request Handling Remote Code Execution (CVE-2019-0708) |
high | 2019-05-16 | 2019-05-17 |
| OBSO-1905-01 | Apache Tomcat for Windows CGI Servlet Command Line Argument Handling Remote Code Execution (CVE-2019-0232) | high | 2019-05-07 | 2019-06-21 |
| OBSO-1904-01 | Elasticsearch Improper Permissions Name Indexing Remote Privilege Escalation (CVE-2019-7611) | medium | 2019-04-25 | 2019-04-25 |
| OBSO-1903-02 | OpenScape Desk Phones HFA and SIP CSRF and Privilege Escalation vulnerabilities | medium | 2019-03-13 | 2019-08-23 |
| OBSO-1903-01 | Google WebRTC RTCPeerConnection Object Handling Use-after-free Arbitrary Code Execution (CVE-2019-6211) | medium | 2019-03-04 | 2019-03-04 |
| OBSO-1812-01 | Spring Framework ResourceHttpRequestHandler Remote DoS (CVE-2018-15756) | low | 2018-12-13 | 2018-12-13 |
| OBSO-1810-01 | Chinese spy chips in Supermicro servers | low | 2018-10-08 | 2018-12-14 |
| OBSO-1808-01 | Faxploit: DEF CON 2018: HP OfficeJet Printer Attack (CVE-2018-5925,CVE-2018-5924) | low | 2018-08-22 | 2018-08-22 |
| OBSO-1807-01 | OpenScape Business Root Access | high | 2018-07-30 | 2018-07-30 |
| OBSO-1806-03 | Zip Slip (CVE-2018-8009) | medium | 2018-06-28 | 2018-10-18 |
| OBSO-1806-02 | Electron Custom Protocol Handler Processing Arbitrary Command Injection (CVE-2018-1000006, CVE-2018-1000118) | medium | 2018-06-28 | 2018-06-28 |
| OBSO-1806-01 | Electron webview Options Object Remote Node.js Integration Manipulation (CVE-2018-1000136) | medium | 2018-06-05 | 2018-06-05 |
| OBSO-1805-01 | Spring Framework spring-messaging Module Message Handling Remote Code Execution (CVE-2018-1270, CVE-2018-1275) | high | 2018-05-24 | 2018-06-01 |
| OBSO-1801-01 | Intel processor flaw: Meltdown and Spectre vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) | medium | 2018-01-04 | 2019-06-21 |
| OBSO-1712-01 | OpenStage and OpenScape Desk Phones: Web Based Management pages access without admin password |
medium | 2017-12-13 | 2017-12-13 |
| OBSO-1711-01 | WPA2 Protocol Four-way Handshake Handling MitM Issue (KRACK attack) | medium | 2017-11-03 | 2018-02-21 |
| OBSO-1710-01 | Linux Kernel bluetooth Remote Stack Buffer Overflow (BlueBorne) (CVE-2017-1000251) | medium | 2017-10-06 | 2017-11-03 |
| OBSO-1709-02 | RTPproxy NAT Functionality RTP Traffic Handling Remote Packet Disclosure (RTP Bleed) (CVE-2017-14114) |
info | 2017-09-28 | 2017-09-28 |
| OBSO-1709-01 | curl / libcurl Function TFTP File Name Handling Out-of-bounds Read Issue (CVE-2017-1000100) | info | 2017-09-21 | 2017-09-21 |
| OBSO-1708-01 | Linux Kernel Stack Guard Page Security Feature Bypass Weakness (CVE-2017-1000364) | medium | 2017-08-02 | 2020-02-06 |
| OBSO-1704-01 | Microsoft Patchday March 2017: Microsoft Windows SMB Remote Code Execution vulnerabilities | high | 2017-04-28 | 2017-05-09 |
| OBSO-1703-02 | Apache Struts2 Jakarta Multipart Parser File Upload Remote Code Execution (CVE 2017-5638) | info | 2017-03-31 | 2018-10-12 |
| OBSO-1703-01 | CIA Hack of Siemens/ Unify telephones | Info | 2017-03-14 | 2017-03-14 |
| OBSO-1701-01 | SHA-1 certificates: depreciation in 2017 | info | 2017-01-03 | 2017-01-03 |
| OBSO-1611-01 | Dirty Cow: Linux Kernel MAP_PRIVATE COW Flag Breakage Race Condition (CVE-2016-5195) | medium | 2016-11-07 | 2018-06-01 |
| OBSO-1610-03 | Leap Second on 2016-12-31 – Security Note for Unify Products | medium | 2016-10-27 | 2016-10-27 |
| OBSO-1610-02 | ISC BIND Nameserver Denial of Service Vulnerabilities (CVE-2016-2776, CVE-2016-2848) | medium | 2016-10-25 | 2016-10-25 |
| OBSO-1610-01 | OpenScape Xpressions – Information Exposure Vulnerability Through HTTP GET Method at Web Assistant Interface | medium | 2016-10-18 | 2016-10-18 |
| OBSO-1607-01 | httpoxy: A CGI Application Vulnerability Affecting Multiple Web Application Languages and Services | info | 2016-07-21 | 2016-07-27 |
| OBSO-1603-02 | DROWN: Breaking TLS using SSLv2 (CVE-2016-0800) | info | 2016-03-02 | 2016-10-21 |
| OBSO-1603-01 | Unify SLES 11-based Server Applications – Support of SLES 11 SP4 | info | 2016-03-01 | 2016-03-01 |
| OBSO-1602-02 | Glibc libresolv – Stack-based Buffer Overflow Vulnerability (CVE-2015-7547) | high | 2016-02-19 | 2016-04-29 |
| OBSO-1602-01 | OpenScape Accounting Management – Virus Alert in Installation Procedure | info | 2016-02-05 | 2016-09-29 |
| OBSO-1601-01 | OpenSSH Client Information Leak Vulnerability (CVE-2016-0777) | low | 2016-01-26 | 2016-04-04 |
| OBSO-1512-04 | Apache Tomcat Denial of Service Vulnerability in ChunkedInputFilter (CVE-2014-0227) | medium | 2015-12-30 | 2016-01-22 |
| OBSO-1512-03 | OpenSSH Login Handling Security Bypass Vulnerability (CVE-2015-5600) | medium | 2015-12-30 | 2016-10-25 |
| OBSO-1512-02 | Multiple Unify Products – TLS Denial of Service Vulnerability in OpenSSL Certificate Verification (CVE-2015-3194) | medium | 2015-12-23 | 2018-03-27 |
| OBSO-1512-01 | OpenScape Voice – MTLS-SIP Denial of Service Vulnerability in OpenSSL Certificate Verification (CVE-2015-0286) | medium | 2015-12-23 | 2015-12-23 |
| OBSO-1511-02 | Non-unique X.509 certificates in OpenStage / OpenScape Desk Phone IP (CVE-2015-8251) | medium | 2015-11-30 | 2015-11-30 |
| OBSO-1511-01 | Deserialisation of Java-objects – Vulnerability in Applications involving Apache Commons-Collections Classes (CVE-2015-8237, CVE-2015-8238) | high | 2015-11-17 | 2016-01-22 |
| OBSO-1510-01 | OpenScape Xpressions – unauthorized external calls via guest access (CVE-2015-7693) | medium | 2015-10-26 | 2016-05-13 |
| OBSO-1508-02 | OpenStage 60 / OpenScape Desk Phone IP 55G – Local service exposure vulnerability (CVE-2015-5391) | medium | 2015-08-13 | 2015-08-13 |
| OBSO-1508-01 | OpenScape Contact Center CDSS – Multiple vulnerabilities fixed in V8 R2.10.11192 | medium | 2015-08-05 | 2015-08-05 |
| OBSO-1505-03 | OpenScape UC Web Client and Desktop Client – Cross-Site Scripting (XSS) Vulnerability | medium | 2015-05-22 | 2015-05-22 |
| OBSO-1505-02 | OpenStage / OpenScape Desk Phone IP – HTTP header parsing vulnerability (CVE-2014-9708) | medium | 2015-05-08 | 2015-08-13 |
| OBSO-1505-01 | Leap Second on 2015-06-30 – Security Note for Unify Products | info | 2015-05-21 | 2015-05-21 |
| OBSO-1503-02 | Samba smbd – Remote Code Execution Vulnerability in netlogon server (CVE-2015-0240) | high | 2015-03-31 | 2015-03-31 |
| OBSO-1503-01 | OpenScape SBC V8 – SIP Authentication Bypass Vulnerability (CVE-2015-2057) | high | 2015-03-03 | 2015-03-24 |
| OBSO-1501-04 | GNU glibc Remote Buffer Overflow Vulnerability in gethostbyname – „Ghost“ (CVE-2015-0235) | low | 2015-01-31 | 2016-10-10 |
| OBSO-1501-03 | OpenScape Business UC Suite – SQL Injection Vulnerability (CVE-2015-1183) | high | 2015-01-27 | 2015-01-27 |
| OBSO-1501-02 | OpenStage / OpenScape Desk Phone IP – Input Validation Vulnerability via Web Interface (CVE-2014-9563) |
low | 2015-02-26 | 2015-02-26 |
| OBSO-1501-01 | OpenStage / OpenScape Desk Phone IP – Authentication Bypass Vulnerability in WPI Default Mode (CVE-2015-1184) | high | 2015-01-20 | 2015-03-24 |
| OBSO-1412-03 | Hardening of the Intelligent Platform Management Interface (IPMI) on Unify Servers | info | 2014-12-31 | 2014-12-31 |
| OBSO-1412-02 | NTP – Multiple Stack Based Buffer Overflow Vulnerabilities (CVE-2014-9295) | medium | 2014-12-23 | 2015-01-27 |
| OBSO-1412-01 | Microsoft Windows Remote Code Execution Vulnerability in Schannel („Winshock“, MS14-066, CVE-2014-6321) | high | 2014-12-01 | 2015-06-16 |
| OBSO-1410-03 | OpenScape Business – Getting Root Access | low | 2014-10-24 | 2014-10-26 |
| OBSO-1410-02 | SSL 3.0 „POODLE“ vulnerability (CVE-2014-3566) | low | 2014-10-17 | 2014-10-17 |
| OBSO-1410-01 | OpenStage / OpenScape Desk Phone IP – Authentication Bypass Vulnerability in web-based management (CVE-2014-7950) | high | 2014-10-10 | 2014-10-10 |
| OBSO-1409-01 | Bash – Remote Command Injection Vulnerability „Shellshock“ (CVE-2014-6271, CVE-2014 7169 et al.) | high | 2014-09-27 | 2015-07-28 |
| OBSO-1408-04 | Java in Unify products – RSA private key timing attack vulnerability (CVE-2014-4244) and failure to validate public Diffie-Hellman parameters (CVE-2014-4263) | low | 2014-08-26 | 2015-08-21 |
| OBSO-1408-03 | OpenScape Web Collaboration – Two Cross Site Scripting (XSS) vulnerabilities | medium | 2014-08-25 | 2014-08-25 |
| OBSO-1408-02 | OpenScape Deployment Service – Hardening of the TLS-based Workpoint Interface | info | 2014-08-22 | 2015-01-31 |
| OBSO-1408-01 | openSSL TLS Client Denial of Service vulnerability (CVE-2014-3509) | low | 2014-08-12 | 2014-09-26 |
| OBSO-1407-03 | OpenStage / OpenScape Desk Phone IP – Information Exposure Vulnerability in web-based management | medium | 2014-07-24 | 2014-07-24 |
| OBSO-1407-02 | HiPath 4000 V6 – Security Updates for the Gateway Web Interface | medium | 2014-07-23 | 2014-07-23 |
| OBSO-1407-01 | NTP Distributed Reflection Denial-of-Service (DRDoS) attack via the monlist feature (CVE-2013-5211) | medium | 2014-07-25 | 2014-07-25 |
| OBSO-1406-01 | openSSL ChangeCipherSpec Injection Vulnerability (CVE-2014-0224) and FLUSH+RELOAD Cache Side-channel Attack (CVE-2014-0076) | medium | 2014-06-06 | 2015-07-28 |
| OBSO-1404-02 | openSSL „Heartbleed“ Vulnerability (CVE-2014-0160) | medium | 2014-04-11 | 2014-05-02 |
| OBSO-1404-02-A | Impact of the „Heartbleed“ vulnerability to third-party products (CVE-2014-0160) | info | 2014-04-18 | 2014-05-02 |
| OBSO-1404-01 | OpenScape Deployment Service – Blind SQL Injection Vulnerability (CVE-2014-2652) | medium | 2014-04-11 | 2014-04-11 |
| OBSO-1403-02 | OpenStage / OpenScape Desk Phone IP – Authentication Bypass Vulnerability in WPI Default Mode (CVE-2014-2651) | high | 2014-03-28 | 2014-03-28 |
| OBSO-1403-01 | OpenStage / OpenScape Desk Phone IP (SIP) – OS command Injection Vulnerability in web-based management (CVE-2014-2650) | high | 2014-03-28 | 2014-03-28 |
| OBSO-1402-01 | Mediatrix 4400 Series – Cross-site scripting (XSS) vulnerability (CVE-2014-1612) | medium | 2014-02-07 | 2014-02-07 |
| OBSO-1401-05 | OpenScape UC Applications – Cross-site Scripting Vulnerability | medium | 2014-01-31 | 2014-01-31 |
| OBSO-1401-04 | OpenScape Deployment Service – SQL Injection Vulnerability | high | 2014-01-31 | 2014-01-31 |
| OBSO-1401-03 | HiPath 4000/OpenScape 4000 – Unauthenticated write access to file system | medium | 2014-01-31 | 2014-01-31 |
| OBSO-1401-02 | Informational – Expiry of Default Root CA Certificate in OpenScape Solutions | info | 2014-01-28 | 2014-01-28 |
| OBSO-1401-01 | OpenScape Voice V6 – Multiple Vulnerabilities in Operating System and Java Components | medium | 2014-01-15 | 2014-01-15 |
| OBSO-1312-02 | OpenScape Voice Trace Manager – Multiple Vulnerabilities in PHP | medium | 2013-12-20 | 2013-12-20 |
| OBSO-1312-01 | OpenStage HFA/SIP – Cross-site scripting vulnerability in web-based management | medium | 2013-12-16 | 2013-12-16 |
| OBSO-1307-02 | OpenScape Branch/SBC – Nameserver vulnerabilities (CVE-2012-4244, CVE-2012-5166, CVE-2013-2266) | high | 2013-07-26 | 2013-07-26 |
| OBSO-1307-01 | OpenScape Voice V7 R1 – Multiple Vulnerabilities in Operating System and Java Components | high | 2013-07-24 | 2013-12-06 |
| OBSO-1306-02 | OpenStage Cloud Diagnostic Data Collector – PHP and Web Server Vulnerabilities (CVE-2013-1643, CVE-2012-3499) | medium | 2013-06-17 | 2013-06-17 |
| OBSO-1306-01 | OpenScape Branch / OpenScape SBC – Multiple Web Interface Vulnerabilities | high | 2013-06-12 | 2013-11-08 |
| OBSO-1305-01 | PostgreSQL Security Updates for Multiple Products (CVE-2013-1899) | high | 2013-05-07 | 2013-11-08 |
| OBSO-1202-01 | Linux Kernel Privilege Escalation Vulnerability (CVE-2012-0056) | info | 2012-02-01 | 2013-11-08 |
| OBSO-1108-02 | OpenScape UC Application – local access vulnerability via Web Client | high | 2011-08-23 | 2011-12-08 |
| OBSO-1108-01 | OpenStage – password accessible in cleartext on webbased interface | low | 2011-08-22 | 2011-08-22 |
| OBSO-1106-01 | Allied Telesis divulges secret backdoor | info | 2011-06-07 | 2013-11-08 |
| OBSO-1011-01 | OpenStage – configuration data readable by unauthorized users | medium | 2010-11-30 | 2010-11-30 |
| OBSO-1010-03 | Impact of the Stuxnet worm to Unify systems | info | 2010-10-25 | 2013-11-08 |
| OBSO-1010-02 | Arbitrary code execution at Manager-E | medium | 2010-10-15 | 2010-10-26 |
| OBSO-1010-01 | Enabled VxWorks debug service | high | 2010-10-15 | 2010-10-15 |