Vulnerability Note VU#690315
Avaya Secure Access Link (SAL) Gateway information disclosure vulnerability
Avaya Secure Access Link (SAL) gateway releases 1.5, 1.8, and 2.0 have an information disclosure vulnerability in the default install.
According to Avaya's Product Support Notice PSN003314u [PDF]:
"On installation of SAL Gateway with the default properties provided along with the installer, the Secondary Core Server URL and the Remote Server URL points to the secavaya.com and secaxeda.com respectively which are invalid public domain servers and not owned by Avaya. These servers resolve to invalid domains and pose a security threat. Secondary Core Server URL should be same as the primary Core Server URL and Secondary Remote Server URL should be same as the primary Remote Server URL."
Information from the SAL gateway, such as alarms or logs, may be sent to secavaya.com and secaxeda.com email addresses.
The Avaya Product Support Notice PSN003314u [PDF] states:
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Avaya, Inc.||Affected||27 Jul 2011||28 Jul 2011|
CVSS Metrics (Learn More)
Thank you to the reporter who wishes to remain anonymous.
This document was written by Jared Allar.
- CVE IDs: Unknown
- Date Public: 16 May 2011
- Date First Published: 29 Jul 2011
- Date Last Updated: 29 Jul 2011
- Severity Metric: 0.91
- Document Revision: 11
If you have feedback, comments, or additional information about this vulnerability, please send us email.