3Com

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Alcatel

Notified:  October 30, 2002 Updated: March 06, 2003

Status

  Vulnerable

Vendor Statement

Following CERT advisory CA-2003-06 on security vulnerabilities in SIP implementations, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that the OmniPCX Enterprise 5.0 Lx is impacted. Alcatel is currently working on a fix that will be made available via our business partners. Customers may wish to contact their support for more information. The security of our customers' networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential SIP security vulnerabilities and will provide updates if necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

AOL Time Warner

Notified:  October 30, 2002 Updated: March 25, 2003

Status

  Not Vulnerable

Vendor Statement

Not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apple Computer, Inc.

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

AT&T

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Avaya

Notified:  October 30, 2002 Updated: February 25, 2003

Status

  Not Vulnerable

Vendor Statement

Avaya products are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Avici Systems Inc.

Notified:  February 20, 2003 Updated: February 20, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Berkeley Software Design, Inc.

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Borderware

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cable and Wirless

Notified:  February 20, 2003 Updated: February 20, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Check Point

Notified:  October 30, 2002 Updated: March 06, 2003

Status

  Not Vulnerable

Vendor Statement

No Check Point products are vulnerable to the described attacks. FireWall-1 blocks the majority of the attacks described in this advisory through strict enforcement of the SIP protocol.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cirpack

Updated:  March 13, 2003

Status

  Vulnerable

Vendor Statement

Cirpack Switches deployed by telecom service providers for carrier-class SIP voice services are not vulnerable to problem described in VU#528719 as of software version = 4.3c. If your Cirpack switches use earlier software version, please contact your Cirpack account manager.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cisco Systems, Inc.

Notified:  October 30, 2002 Updated: February 21, 2003

Status

  Vulnerable

Vendor Statement

Cisco Systems is addressing the vulnerabilities identified by VU#528719 across its entire product line. Cisco has released an advisory: http://www.cisco.com/warp/public/707/cisco-sa-20030221-protos.shtml

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Clavister

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

No Clavister products currently incorporate support for the SIP protocol suite, and as such, are not vulnerable. We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received. We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Columbia SIP User Agent (sipc)

Updated:  February 25, 2003

Status

  Vulnerable

Vendor Statement

Sipc (version 1.74) contains vulnerabilities identified by OUSPG PROTOS SIP Test Suite. The vulnerabilities have been resolved in sipc (version 2.0, build 2003-02-21). Please see sipc (version 1.74) vulnerabilities found by PROTOS SIP Test Suite for detailed information. We strongly advice to upgrade to sipc version 2.0, which is much more stable, has much better user interface and can perform more functions.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Compaq Computer Corporation

Notified:  October 30, 2002 Updated: February 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Compaq Computer Corporation has merged with Hewlett-Packard.

Computer Associates

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

COVERT Labs

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc.

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Linux

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

D-Link Systems

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

DynamicSoft Inc

Notified:  November 26, 2002 Updated: February 27, 2003

Status

  Vulnerable

Vendor Statement

Please see http://www.dynamicsoft.com/support/advisory/ca-2003-06.php.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Engarde

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

eSoft

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

EZonics

Notified:  February 13, 2003 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F5 Networks, Inc.

Notified:  October 30, 2002 Updated: February 20, 2003

Status

  Not Vulnerable

Vendor Statement

F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Foundry Networks Inc.

Updated:  March 25, 2003

Status

  Not Vulnerable

Vendor Statement

Foundry Networks, Inc. products do not use the SIP protocol and is not affected by the vulnerabilities described in CA-2003-06.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD, Inc.

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Global Technology Associates

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company

Notified:  October 30, 2002 Updated: February 20, 2003

Status

  Not Vulnerable

Vendor Statement

Source: Hewlett-Packard Company Software Security Response Team cross reference id: SSRT2402 HP-UX - not vulnerable HP-MPE/ix - not vulnerable HP Tru64 UNIX - not vulnerable HP OpenVMS - not vulnerable HP NonStop Servers - not vulnerable To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hotsip AB

Updated:  March 12, 2003

Status

  Not Vulnerable

Vendor Statement

Hotsip has investigated the issues reported in VU#528719 and found that Hotsip Active Contacts(tm) PC 3.x, SIP Application Server 3.x and Presence Engine 2.x are not affected by this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hughes Software Systems

Notified:  February 13, 2003 Updated: April 18, 2003

Status

  Not Vulnerable

Vendor Statement

SIP Core stack - Not Vulnerable [ Version : 5.0.1 ] SIP User Agent - Not Vulnerable [ Version : 2.0 ] microSIP stack - Not Vulnerable [ Version: 2.0 ] microUser Agent - Not Vulnerable [ Version: 2.0 ]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Corporation

Notified:  October 30, 2002 Updated: February 21, 2003

Status

  Not Vulnerable

Vendor Statement

SIP is not implemented as part of the AIX operating system. The issues discussed in VU#528719 do not pertain to AIX.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM-zSeries

Notified:  October 30, 2002 Updated: February 24, 2003

Status

  Unknown

Vendor Statement

zSeries customers should feel free to contact servsec@us.ibm.com with any CERT related security questions or concerns.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Indigo Software

Updated:  April 01, 2003

Status

  Not Vulnerable

Vendor Statement

Indigo Software certifies that its Indigo SIP Foundation Class, Indigo SIP Server & SDK and Indigo Communications Server & SDK products are NOT VULNERABLE to DoS and other attacks simulated by the PROTOS Vulnerability Assessment Test Suiteā€. For more information, please refer to http://www.indigosw.com/html/cert_advisory.htm

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Ingate Systems

Updated:  March 07, 2003

Status

  Vulnerable

Vendor Statement

Ingate Firewall and Ingate SIParator running versions prior to 3.1.3 are vulnerable to problems exposed by the PROTOS c07-sip test suite. The vulnerabilities have been fixed in version 3.1.3, which is available for download from http://www.ingate.com/upgrades/. We strongly advice to upgrade to version 3.1.3.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intel

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intoto

Notified:  October 30, 2002 Updated: March 24, 2003

Status

  Not Vulnerable

Vendor Statement

Intoto, Inc has examined its SIP based product iGateway-VoIP Ver 1.0.1, for possible buffer overflow vulnerabilities documented in VU#528719, and found that iGateway-VoIP is not vulnerable to these attacks.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IP Filter

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IPTel

Notified:  October 30, 2002 Updated: February 20, 2003

Status

  Vulnerable

Vendor Statement

All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite. We strongly advice to upgrade to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security/ before installation and keep on watching this site in the future. We apologize to our users for the trouble.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This is resolved in SIP Express Router version 0.8.10. Available from the download section on iptel.org.

Juniper Networks, Inc.

Notified:  October 30, 2002 Updated: February 21, 2003

Status

  Not Vulnerable

Vendor Statement

Juniper Networks products are not SIP-aware, and neither generate, process, nor act as a proxy for SIP protocol messages. Therefore, Juniper Networks products are not susceptible to this vulnerability. Customers wishing to use the packet filtering features of Juniper Networks products to block SIP protocol messages can visit the Juniper Networks product support web-site at https://www.juniper.net/support/csc/ or they can contact Juniper's Technical Assistance Center by telephone at at 1-888-314-JTAC (U.S. customers only; non-U.S. customers should call JTAC at +1 408-745-9500.)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Kphone

Notified:  February 12, 2003 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lachman

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lockheed Martin

Notified:  February 17, 2003 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lotus Software

Notified:  February 10, 2003 Updated: February 19, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lucent Technologies

Notified:  October 30, 2002 Updated: February 20, 2003

Status

  Unknown

Vendor Statement

No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mandriva, Inc.

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mandriva, Inc.

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mediatrix Telecom Inc

Updated:  May 09, 2003

Status

  Vulnerable

Vendor Statement

Tests developed by the University of Oulu and performed by Mediatrix Telecom Inc on Mediatrix VoIP Access Devices and Gateways have uncovered vulnerabilities, as per CERT vulnerability note VU#52789, that will be eliminated through software patches with the following availabilities: - By March 21 for Mediatrix units running the SIPv2.4 firmware. - By April 11 for Mediatrix units running the SIPv4.3 firmware. Additional information on Mediatrix Telecom Inc products are available at www.mediatrix.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MeetingHouse Data Communications

Notified:  February 12, 2003 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Corporation

Notified:  October 30, 2002 Updated: February 20, 2003

Status

  Not Vulnerable

Vendor Statement

Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mitel Networks, Inc.

Updated:  September 19, 2005

Status

  Not Vulnerable

Vendor Statement

Mitel SIP products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Motorola

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MySIP

Notified:  February 13, 2003 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation

Notified:  October 30, 2002 Updated: May 20, 2003

Status

  Not Vulnerable

Vendor Statement

NEC vender statement for VU#528719 sent on May 20, 2003 [Server Products] * EWS/UP 48 Series operating system - is NOT vulnerable, because it does not support SIP. [Router Products] * IX 1000 / 2000 / 5000 Series - is NOT vulnerable, because it does not support SIP. [Other Network products] * CX6820 Call Service Server Series (CA/SS/MD) V2.2 - is NOT vulnerable. * CX7620-VG Media Server - is NOT vulnerable. * We continue to check our products which support SIP protocol.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NETBSD

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

NetBSD does not ship any implementation of SIP.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NETfilter.org

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetScreen

Notified:  October 30, 2002 Updated: February 21, 2003

Status

  Not Vulnerable

Vendor Statement

NetScreen is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Network Appliance

Notified:  October 30, 2002 Updated: February 18, 2003

Status

  Not Vulnerable

Vendor Statement

NetApp products are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NeXT

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nokia

Notified:  October 30, 2002 Updated: February 20, 2003

Status

  Not Vulnerable

Vendor Statement

Nokia IP Security Platforms based on IPSO, Nokis Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nortel Networks, Inc.

Notified:  October 30, 2002 Updated: July 24, 2003

Status

  Vulnerable

Vendor Statement

Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite: Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February. For further information about Nortel Networks products please contact Nortel Networks Global Network Support. North America: 1-800-4-NORTEL, or (1-800-466-7835) Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009 Contacts for other regions available at the Global Contact web page.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Novell, Inc.

Notified:  October 30, 2002 Updated: February 20, 2003

Status

  Not Vulnerable

Vendor Statement

Novell has no products implementing SIP.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Oracle Corporation

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Pingtel

Notified:  October 30, 2002 Updated: March 24, 2003

Status

  Vulnerable

Vendor Statement

Pingtel has verified that the current versions of software for the Pingtel xpressa desk phone and instant xpressa softphone products, Release 2.1.6, are not vulnerable to any of the tests developed by the University of Oulu and described in CERT Vulnerability Note VU#528719. Pingtel strongly encourages its customers to use Version 2.1.6. Existing customers may upgrade to this software, free of charge. This software is available at http://www.pingtel.com/s_upgrades.jsp. While the process of updating software for xpressa and instant xpressa can take a phone out of service for two minutes, Pingtel recommends that customers make the effort to stay current, if they aren't already, by upgrading to Version 2.1.6 now. Earlier software revisions are vulnerable, making the use of any release prior to 2.1.6 inadvisable. Customers that have any questions or concerns are welcome to contact the Pingtel Technical Assistance Center at any time by calling 781-938-5306, emailing support@pingtel.com, or going online at http://support.pingtel.com. Emergency cases are always handled 24 x 7 x 365.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Process Software

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat, Inc.

Notified:  October 30, 2002 Updated: February 19, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Secure Computing Corporation

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SecureWorx

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Computer Systems, Inc.

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Shoreline Communication

Notified:  November 07, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Siemens

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Stonesoft

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems, Inc.

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SUSE Linux

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Symantec Corporation

Notified:  October 30, 2002 Updated: April 01, 2003

Status

  Not Vulnerable

Vendor Statement

Symantec Corporation products are not vulnerable to this issue. Symantec does not implement the Session Initiation Protocol (SIP) in any of our products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO Linux)

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO Unix)

Notified:  October 30, 2002 Updated: February 18, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys

Notified:  October 30, 2002 Updated: March 26, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

University of Columbia

Notified:  November 25, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Vegastream

Notified:  February 13, 2003 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

WatchGuard

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems, Inc.

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wirex

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Xerox Corporation

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Yahoo

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

ZYXEL

Notified:  October 30, 2002 Updated: February 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

View all 94 vendors View less vendors