RingCentral Security Bulletins

latest update 2022/12/20 20:48 UTC

CVE-2021-34424
Severity: Medium
Title: Process memory exposure in RCApp, RCM
Date: 1/11/2022
Update Required: YES
This vulnerability corresponds to ZSB-21020 as reported by Zoom against Zoom clients and products.
Severity (as reported by Zoom): Medium
CVSS Score (as reported by Zoom): 5.3
CVSS Vector String (as reported by Zoom): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description (as reported by Zoom): A vulnerability was discovered in the products listed in the "Affected Products" section of this bulletin which potentially allowed for the exposure of the state of process memory. This issue could be used to potentially gain insight into arbitrary areas of the product’s memory.
Remediation:
Customers are strongly recommended to update their apps following standard steps defined for MSI and EXE updates in response to the appropriate upgrade prompts.
Affected RingCentral Products:
· RCApp (mThor) prior to 21.4.30
· RCApp (Jupiter) prior to 21.4.30
· RCM Mobile apps (iOS) prior to 21.4.40208
· RCM Mobile apps (Android) prior to 21.4.40206
· RCM Desktop apps (Mac) prior to 21.4.53875
· RCM Desktop apps (Windows) prior to 21.4.40194
· RCM Desktop app (Linux) prior to 21.4.53809
· RCM Rooms Host app (Mac) prior to 21.3.19700
· RCM Rooms Host app (Windows) prior to 21.3.19702
Based on affected Zoom products:
· Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4
· Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1
· Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4
· Zoom Client for Meetings for Chrome OS before version 5.0.1
· Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3
· Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3
· Zoom VDI before version 5.8.4
· Zoom Meeting SDK for Android before version 5.7.6.1922
· Zoom Meeting SDK for iOS before version 5.7.6.1082
· Zoom Meeting SDK for Windows before version 5.7.6.1081
· Zoom Meeting SDK for Mac before version 5.7.6.1340
· Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2
· Zoom On-Premise Meeting Connector before version 4.8.12.20211115
· Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115
· Zoom On-Premise Recording Connector before version 5.1.0.65.20211116
· Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117
· Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117
· Zoom Hybrid Zproxy before version 1.0.1058.20211116
· Zoom Hybrid MMR before version 4.6.20211116.131_x86-64
Source: Reported by Zoom in response to a report by Natalie Silvanovich of Google Project Zero

CVE-2021-34423
Severity: High
Title: Buffer overflow in RCApp, RCM
Date: 1/11/2022
Update Required: YES
This vulnerability corresponds to ZSB-21019 as reported by Zoom against Zoom clients and products.
Severity (as reported by Zoom): High
CVSS Score (as reported by Zoom): 7.3
CVSS Vector String (as reported by Zoom): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Description (as reported by Zoom): A buffer overflow vulnerability was discovered in the products listed in the "Affected Products" section of this bulletin. This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code.
Remediation:
Customers are strongly recommended to update their apps following standard steps defined for MSI and EXE updates in response to the appropriate upgrade prompts.
Affected RingCentral Products:
· RCApp (mThor) prior to 21.4.30
· RCApp (Jupiter) prior to 21.4.30
· RCM Mobile apps (iOS) prior to 21.4.40208
· RCM Mobile apps (Android) prior to 21.4.40206
· RCM Desktop apps (Mac) prior to 21.4.53875
· RCM Desktop apps (Windows) prior to 21.4.40194
· RCM Desktop app (Linux) prior to 21.4.53809
· RCM Rooms Host app (Mac) prior to 21.3.19700
· RCM Rooms Host app (Windows) prior to 21.3.19702
Based on affected Zoom products:
· Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4
· Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1
· Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4
· Zoom Client for Meetings for Chrome OS before version 5.0.1
· Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3
· Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3
· Zoom VDI before version 5.8.4
· Zoom Meeting SDK for Android before version 5.7.6.1922
· Zoom Meeting SDK for iOS before version 5.7.6.1082
· Zoom Meeting SDK for Windows before version 5.7.6.1081
· Zoom Meeting SDK for Mac before version 5.7.6.1340
· Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2
· Zoom On-Premise Meeting Connector before version 4.8.12.20211115
· Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115
· Zoom On-Premise Recording Connector before version 5.1.0.65.20211116
· Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117
· Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117
· Zoom Hybrid Zproxy before version 1.0.1058.20211116
· Zoom Hybrid MMR before version 4.6.20211116.131_x86-64
Source: Reported by Zoom in response to a report by Natalie Silvanovich of Google Project Zero

CVE-2021-44228
Severity: CRITICAL
Title: Log4j Remote Code Execution
Date: 12/13/2021
Update Required: NO
RingCentral is aware of the log4j 0-day vulnerability, CVE-2021-44228, and the follow-up CVE-2021-45046. Our response and remediations also account for CVE-2021-45046, including updates to log4j 2.16.
Based on our analysis and remediation, we believe that RingCentral products are not vulnerable to the remote code execution vulnerability, including:
·   RingCentral Apps (mobile, desktop, Web browser)
·   RingCentral Messaging (also known as Glip)
·   RingCentral Video 
·   RingCentral MVP (Message, Video, Phone)
·   RingCentral Engage (Video, Digital)
·   RingCentral Contact Center
·   RingCentral Analytics Portal 
·   RingCentral Admin Portal
·   RingCentral Meetings (RCM)
Severity: CRITICAL
CVSS Score: 10.0
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

CVE-2021-45046
Severity: CRITICAL
Title: Log4j Remote Code Execution
Date: 12/20/2021
Update Required: NO
RingCentral is aware of the log4j 0-day vulnerability, CVE-2021-44228, and the follow-up vulnerabilities CVE-2021-45046 and CVE-2021-45105. Our response and remediations for CVE-2021-44228 account for CVE-2021-45046 and CVE-2021-45105, including updates to log4j 2.16 and log4j 2.17. Based on our analysis and remediation, we continue to believe that RingCentral products are not vulnerable to the remote code execution vulnerability, including:
·  RingCentral Apps (mobile, desktop, Web browser)
·  RingCentral Messaging (also known as Glip)
·  RingCentral Video 
·  RingCentral MVP (Message, Video, Phone)
·  RingCentral Engage (Video, Digital)
·  RingCentral Meetings (RCM)
·  RingCentral Contact Center
·  RingCentral Analytics Portal 
·  RingCentral Admin Portal
·  RingCentral General Web 
Severity: CRITICAL
CVSS Score: 10.0
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

CVE-2021-45105
Severity: CRITICAL
Title: Log4j Remote Code Execution
Date: 12/20/2021
Update Required: NO
RingCentral is aware of the log4j 0-day vulnerability, CVE-2021-44228, and the follow-up vulnerabilities CVE-2021-45046 and CVE-2021-45105. Our response and remediations for CVE-2021-44228 account for CVE-2021-45046 and CVE-2021-45105, including updates to log4j 2.16 and log4j 2.17. Based on our analysis and remediation, we continue to believe that RingCentral products are not vulnerable to the remote code execution vulnerability, including:
·  RingCentral Apps (mobile, desktop, Web browser)
·  RingCentral Messaging (also known as Glip)
·  RingCentral Video 
·  RingCentral MVP (Message, Video, Phone)
·  RingCentral Engage (Video, Digital)
·  RingCentral Meetings (RCM)
·  RingCentral Contact Center
·  RingCentral Analytics Portal 
·  RingCentral Admin Portal
·  RingCentral General Web 
Severity: CRITICAL
CVSS Score: 10.0
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
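The description shared by the three Log4j bulletins above names two things a defender can verify in a deployed log4j-core jar: the Implementation-Version in its manifest (2.15.0 disables lookups by default; the bulletins cite 2.16 and 2.17 for the follow-up CVEs) and whether the JndiLookup class is still present after the `zip -q -d` step. The following Python script, added here as an example and not RingCentral's or Apache's code, performs that offline triage; the sample jars it inspects are constructed in memory rather than real artifacts.

```python
"""Offline triage of a log4j-core jar against the mitigations named in the bulletins.
Added example, not RingCentral's or Apache's code; sample jars are constructed in memory."""
import io
import re
import zipfile

# Class removed by the bulletin's "zip -q -d log4j-core-*.jar ..." remediation step.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(manifest: str):
    """(major, minor, patch) from the manifest's Implementation-Version line, else None."""
    m = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", manifest, re.M)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess_jar(data: bytes) -> dict:
    """Classify one jar using the thresholds the bulletins give: 2.15.0 disables
    message lookups by default (CVE-2021-44228); the follow-ups CVE-2021-45046 and
    CVE-2021-45105 were addressed by the 2.16 and 2.17 updates the bulletins cite."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        raw = zf.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
    version = parse_version(raw.decode("utf-8", "replace"))
    has_jndi = JNDI_CLASS in names
    if version is None:
        verdict = "unknown-version"
    elif version >= (2, 17, 0):
        verdict = "fixed"
    elif version >= (2, 15, 0):
        verdict = "fixed-44228-only"   # still review CVE-2021-45046 / CVE-2021-45105
    elif not has_jndi:
        verdict = "mitigated"          # JndiLookup stripped from the classpath
    else:
        verdict = "vulnerable"         # <=2.14.1 with the lookup class still present
    return {"version": version, "jndi_lookup_present": has_jndi, "verdict": verdict}


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```

To triage a real file, pass `open(path, "rb").read()` to `assess_jar()`; a "vulnerable" verdict means both the version and the JndiLookup check failed, while "mitigated" means the class removal described in the bulletin has been applied.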