Avaya Secure Access Link (SAL) gateway releases 1.5, 1.8, and 2.0 have an information disclosure vulnerability in the default install.
According to Avaya's Product Support Notice PSN003314u [PDF]:
"On installation of SAL Gateway with the default properties provided along with the installer, the Secondary Core Server URL and the Remote Server URL points to the secavaya.com and secaxeda.com respectively which are invalid public domain servers and not owned by Avaya. These servers resolve to invalid domains and pose a security threat. Secondary Core Server URL should be same as the primary Core Server URL and Secondary Remote Server URL should be same as the primary Remote Server URL."
Information from the SAL gateway, such as alarms or logs, may be sent to secavaya.com and secaxeda.com email addresses.
The Avaya Product Support Notice PSN003314u [PDF] states:
Thank you to the reporter who wishes to remain anonymous.
This document was written by Jared Allar.
|Date First Published:||2011-07-29|
|Date Last Updated:||2011-07-29 12:43 UTC|