RingCentral Security Bulletins

Latest update: 2023/10/30 20:48 UTC
Okta October 2023 Breach: RingCentral Response
CVE: none (security incident, no CVE assigned)
Severity: HIGH
Date: 10/30/2023
Update Required: NO
RingCentral is aware of a breach in the Okta Support Case Management System. RingCentral has confirmed, as part of our third-party due diligence program, that no RingCentral data or customer data has been affected. 
Does this incident impact Okta services used by RingCentral?
No. Okta has confirmed that Okta products and services provided to customers were not impacted in any way.  It should be noted that the Okta Support Case Management System is separate from the production Okta service, which is fully operational and has not been impacted. 
For full details on the incident, please refer to Okta’s official publication: https://sec.okta.com/harfiles
The security of our products and services and the privacy of customer information are of the highest importance to RingCentral. We will continue to monitor the overall environment closely to ensure business continuity and secure operations. If you have any further questions about our security discipline and posture, please do not hesitate to ask.
CVE-2023-34362: MOVEit Transfer Vulnerability
Severity: HIGH
Date: 6/8/2023
Update Required: NO
RingCentral is aware of the Progress MOVEit Transfer vulnerability, tracked by the NIST National Vulnerability Database as CVE-2023-34362. RingCentral products and services do not use the MOVEit software, and based on our analysis we do not believe they are vulnerable.
Description (as reported by NVD): In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements.
See also the Progress notice.
CVE-2022-28751: Zoom Local Privilege Escalation in Auto Updater for macOS
Severity: HIGH
Date: 8/9/2022
Update Required: NO
RingCentral is aware of the Zoom local privilege escalation vulnerability in the macOS client, CVE-2022-28751, and the follow-up vulnerabilities CVE-2022-28756 and CVE-2022-28757. Based on our analysis, we believe that RingCentral products are not vulnerable to these macOS local privilege escalation issues.
This vulnerability corresponds to ZSB-22017 as reported by Zoom against Zoom clients and products.
Severity (as reported by Zoom): High
CVSS Score (as reported by Zoom):  8.8
CVSS Vector String (as reported by Zoom): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description (as reported by Zoom): The Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with version 5.7.3 and before 5.11.6 contains a vulnerability in the auto update process. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.
Remediation (as reported by Zoom):
Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.
Source: Reported by Patrick Wardle of Objective-See
Okta January 2022 Compromise: RingCentral Response
CVE: none (security incident, no CVE assigned)
Severity: MEDIUM
Date: 3/24/2022
Update Required: YES
RingCentral is aware of the breach reported and confirmed by Okta, which occurred at one of Okta's sub-processors, Sitel. RingCentral uses Okta as part of our internal zero-trust and single sign-on discipline. Sitel also provides supplementary Tier 1 support for RingCentral customers in several locations, including Europe. We have no evidence that the incident reported by Okta has impacted RingCentral in any way, and we have confirmed with Sitel that they have seen no internal cross-over from the impacted individual to the Sitel employees who provide support for RingCentral.
CVE-2021-34424: Process memory exposure in RCApp, RCM
Severity: MEDIUM
Date: 1/11/2022
Update Required: YES
This vulnerability corresponds to ZSB-21020 as reported by Zoom against Zoom clients and products.
Severity (as reported by Zoom): Medium
CVSS Score (as reported by Zoom):  5.3
CVSS Vector String (as reported by Zoom): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description (as reported by Zoom): A vulnerability was discovered in the products listed in the "Affected Products" section of this bulletin which potentially allowed for the exposure of the state of process memory. This issue could be used to potentially gain insight into arbitrary areas of the product’s memory.
Remediation:
Customers are strongly recommended to update their apps following standard steps defined for MSI and EXE updates in response to the appropriate upgrade prompts.
Affected RingCentral Products:
· RCApp (mThor) prior to 21.4.30
· RCApp (Jupiter) prior to 21.4.30
· RCM Mobile apps (iOS) prior to 21.4.40208
· RCM Mobile apps (Android) prior to 21.4.40206
· RCM Desktop apps (Mac) prior to 21.4.53875
· RCM Desktop apps (Windows) prior to 21.4.40194
· RCM Desktop app (Linux) prior to 21.4.53809
· RCM Rooms Host app (Mac) prior to 21.3.19700
· RCM Rooms Host app (Windows) prior to 21.3.19702
Based on affected Zoom products:
· Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4
· Zoom Client for Meetings for BlackBerry (for Android and iOS) before version 5.8.1
· Zoom Client for Meetings for Intune (for Android and iOS) before version 5.8.4
· Zoom Client for Meetings for Chrome OS before version 5.0.1
· Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3
· Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3
· Zoom VDI before version 5.8.4
· Zoom Meeting SDK for Android before version 5.7.6.1922
· Zoom Meeting SDK for iOS before version 5.7.6.1082
· Zoom Meeting SDK for Windows before version 5.7.6.1081
· Zoom Meeting SDK for Mac before version 5.7.6.1340
· Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2
· Zoom On-Premise Meeting Connector before version 4.8.12.20211115
· Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115
· Zoom On-Premise Recording Connector before version 5.1.0.65.20211116
· Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117
· Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117
· Zoom Hybrid Zproxy before version 1.0.1058.20211116
· Zoom Hybrid MMR before version 4.6.20211116.131_x86-64
Source: Reported by Zoom in response to a report by Natalie Silvanovich of Google Project Zero
CVE-2021-34423: Buffer overflow in RCApp, RCM
Severity: HIGH
Date: 1/11/2022
Update Required: YES
This vulnerability corresponds to ZSB-21019 as reported by Zoom against Zoom clients and products.
Severity (as reported by Zoom): High
CVSS Score (as reported by Zoom):  7.3
CVSS Vector String (as reported by Zoom): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description (as reported by Zoom): A buffer overflow vulnerability was discovered in the products listed in the "Affected Products" section of this bulletin. This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code.
Remediation:
Customers are strongly recommended to update their apps following standard steps defined for MSI and EXE updates in response to the appropriate upgrade prompts.
Affected RingCentral Products:
· RCApp (mThor) prior to 21.4.30
· RCApp (Jupiter) prior to 21.4.30
· RCM Mobile apps (iOS) prior to 21.4.40208
· RCM Mobile apps (Android) prior to 21.4.40206
· RCM Desktop apps (Mac) prior to 21.4.53875
· RCM Desktop apps (Windows) prior to 21.4.40194
· RCM Desktop app (Linux) prior to 21.4.53809
· RCM Rooms Host app (Mac) prior to 21.3.19700
· RCM Rooms Host app (Windows) prior to 21.3.19702
Based on affected Zoom products:
· Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4
· Zoom Client for Meetings for BlackBerry (for Android and iOS) before version 5.8.1
· Zoom Client for Meetings for Intune (for Android and iOS) before version 5.8.4
· Zoom Client for Meetings for Chrome OS before version 5.0.1
· Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3
· Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3
· Zoom VDI before version 5.8.4
· Zoom Meeting SDK for Android before version 5.7.6.1922
· Zoom Meeting SDK for iOS before version 5.7.6.1082
· Zoom Meeting SDK for Windows before version 5.7.6.1081
· Zoom Meeting SDK for Mac before version 5.7.6.1340
· Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2
· Zoom On-Premise Meeting Connector before version 4.8.12.20211115
· Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115
· Zoom On-Premise Recording Connector before version 5.1.0.65.20211116
· Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117
· Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117
· Zoom Hybrid Zproxy before version 1.0.1058.20211116
· Zoom Hybrid MMR before version 4.6.20211116.131_x86-64
Source: Reported by Zoom in response to a report by Natalie Silvanovich of Google Project Zero
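The two bulletins above (CVE-2021-34424 and CVE-2021-34423) share one list of affected RingCentral builds. The following is an added example, not RingCentral's own tooling: a Python check that audits an endpoint inventory against that list. The fixed build numbers are transcribed from the bulletin; the CSV layout, the host names and the audit_inventory helper are assumptions made for the example.

```python
"""Added example, not RingCentral code: audit a device inventory against the
"Affected RingCentral Products" lists for CVE-2021-34423 and CVE-2021-34424.
The CSV layout and every host name below are constructed for the example."""
from __future__ import annotations
import csv
import io
import re

# Minimum fixed build per (product, platform), transcribed from the bulletin.
# Both CVEs share one list, so a single table serves both.
FIXED_BUILDS = {
    ("RCApp", "mThor"): "21.4.30",
    ("RCApp", "Jupiter"): "21.4.30",
    ("RCM Mobile", "iOS"): "21.4.40208",
    ("RCM Mobile", "Android"): "21.4.40206",
    ("RCM Desktop", "Mac"): "21.4.53875",
    ("RCM Desktop", "Windows"): "21.4.40194",
    ("RCM Desktop", "Linux"): "21.4.53809",
    ("RCM Rooms Host", "Mac"): "21.3.19700",
    ("RCM Rooms Host", "Windows"): "21.3.19702",
}

def parse_version(text: str) -> tuple[int, ...]:
    """'21.4.40194' -> (21, 4, 40194) so each segment compares numerically.
    Comparing the raw strings ranks '21.4.9' above '21.4.30' and would clear a stale client."""
    return tuple(int(m.group(1)) if m else 0 for m in (re.match(r"(\d+)", s) for s in text.strip().split(".")))

def is_affected(product: str, platform: str, version: str) -> bool | None:
    """True if below the fixed build, False if at or above it, None if the bulletin does not
    list this product/platform (it cannot be cleared automatically)."""
    fixed = FIXED_BUILDS.get((product, platform))
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)

# Constructed inventory (hypothetical hosts), one row per installed client.
SAMPLE_INVENTORY = """host,product,platform,version
lt-0142,RCApp,mThor,21.4.9
lt-0143,RCApp,Jupiter,21.4.30
mob-0071,RCM Mobile,Android,21.4.40205
mac-0012,RCM Desktop,Mac,21.4.53875
win-0309,RCM Desktop,Windows,21.3.9999
lx-0020,RCM Desktop,Linux,21.4.53809
rm-0004,RCM Rooms Host,Windows,21.3.19702
srv-0001,Other App,Windows,1.0.0
"""

def audit_inventory(csv_text: str) -> tuple[list[str], list[str]]:
    """Return (needs_update, unlisted) host lists for a host,product,platform,version CSV."""
    needs_update, unlisted = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = is_affected(row["product"], row["platform"], row["version"])
        if verdict is None:
            unlisted.append(row["host"])
        elif verdict:
            needs_update.append(row["host"])
    return needs_update, unlisted

if __name__ == "__main__":
    needs_update, unlisted = audit_inventory(SAMPLE_INVENTORY)
    print("Update required:", ", ".join(needs_update) or "none")
    print("Not covered by the bulletin, review manually:", ", ".join(unlisted) or "none")
```

The one thing to get right is numeric comparison per segment: comparing "21.4.9" and "21.4.30" as strings ranks the older client as newer, so a string-based check silently clears machines that still need the update. Hosts whose product/platform the bulletin does not list are reported separately rather than passed.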
CVE-2021-45105: Log4j Remote Code Execution (follow-up to CVE-2021-44228)
Severity: CRITICAL
Date: 12/20/2021
Update Required: NO
RingCentral is aware of the Log4j 0-day vulnerability, CVE-2021-44228, and the follow-up vulnerabilities CVE-2021-45046 and CVE-2021-45105. Our response and remediation for CVE-2021-44228 also cover CVE-2021-45046 and CVE-2021-45105, including updates to Log4j 2.16 and Log4j 2.17. Based on our analysis and remediation, we continue to believe that RingCentral products are not vulnerable to the remote code execution vulnerability, including:
·  RingCentral Apps (mobile, desktop, Web browser)
·  RingCentral Messaging (also known as Glip)
·  RingCentral Video 
·  RingCentral MVP (Message, Video, Phone)
·  RingCentral Engage (Video, Digital)
·  RingCentral Meetings (RCM)
·  RingCentral Contact Center
·  RingCentral Analytics Portal 
·  RingCentral Admin Portal
·  RingCentral General Web 
Severity (CVE-2021-44228, as reported by NVD): CRITICAL
CVSS Score (CVE-2021-44228, as reported by NVD): 10.0
CVSS Vector String (CVE-2021-44228, as reported by NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description (CVE-2021-44228, as reported by NVD): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
Note on CVE-2021-45105 itself: it is not a remote code execution issue. Log4j 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) do not protect against uncontrolled recursion from self-referential lookups, so an attacker with control over Thread Context Map data can cause a denial of service with a crafted string. It is fixed in Log4j 2.17.0 (2.12.3 and 2.3.1 on the older branches). Removing JndiLookup.class, the mitigation described above, does not address it; upgrading does.
CVE-2021-45046: Log4j Remote Code Execution (follow-up to CVE-2021-44228)
Severity: CRITICAL
Date: 12/20/2021
Update Required: NO
RingCentral is aware of the Log4j 0-day vulnerability, CVE-2021-44228, and the follow-up vulnerabilities CVE-2021-45046 and CVE-2021-45105. Our response and remediation for CVE-2021-44228 also cover CVE-2021-45046 and CVE-2021-45105, including updates to Log4j 2.16 and Log4j 2.17. Based on our analysis and remediation, we continue to believe that RingCentral products are not vulnerable to the remote code execution vulnerability, including:
·  RingCentral Apps (mobile, desktop, Web browser)
·  RingCentral Messaging (also known as Glip)
·  RingCentral Video 
·  RingCentral MVP (Message, Video, Phone)
·  RingCentral Engage (Video, Digital)
·  RingCentral Meetings (RCM)
·  RingCentral Contact Center
·  RingCentral Analytics Portal 
·  RingCentral Admin Portal
·  RingCentral General Web 
Severity (CVE-2021-44228, as reported by NVD): CRITICAL
CVSS Score (CVE-2021-44228, as reported by NVD): 10.0
CVSS Vector String (CVE-2021-44228, as reported by NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description (CVE-2021-44228, as reported by NVD): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
Note on CVE-2021-45046 itself: the fix for CVE-2021-44228 in Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), an attacker who controls Thread Context Map input can craft data using a JNDI Lookup pattern, resulting in information leak and remote code execution in some environments and local code execution in all environments. The formatMsgNoLookups property does not cover this case; it is fixed in Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7), which remove message lookups and disable JNDI by default.
CVE-2021-44228: Log4j Remote Code Execution
Severity: CRITICAL
Date: 12/13/2021
Update Required: NO
RingCentral is aware of the Log4j 0-day vulnerability, CVE-2021-44228, and the follow-up CVE-2021-45046. Our response and remediation also account for CVE-2021-45046, including updates to Log4j 2.16.
Based on our analysis and remediation, we believe that RingCentral products are not vulnerable to the remote code execution vulnerability, including:
·   RingCentral Apps (mobile, desktop, Web browser)
·   RingCentral Messaging (also known as Glip)
·   RingCentral Video 
·   RingCentral MVP (Message, Video, Phone)
·   RingCentral Engage (Video, Digital)
·   RingCentral Contact Center
·   RingCentral Analytics Portal 
·   RingCentral Admin Portal
·   RingCentral Meetings (RCM)
Severity (as reported by NVD): CRITICAL
CVSS Score (as reported by NVD): 10.0
CVSS Vector String (as reported by NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description (as reported by NVD): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
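The three Log4j bulletins above (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) name two mitigations from the NVD text (the log4j2.formatMsgNoLookups property and deleting JndiLookup.class with zip -q -d) and the fixed releases 2.15, 2.16 and 2.17. The following is an added example, not RingCentral's code: a Python scanner that walks a directory, opens every JAR/WAR/EAR (including archives nested inside a WAR), reads the log4j-core version from its Maven pom.properties, checks whether JndiLookup.class is still present, and reports which of the three CVEs remain open for that build. The archives it scans are constructed in a temporary directory; the file names, the demo() helper and the directory layout are assumptions made for the example.

```python
"""Added example, not RingCentral code: find log4j-core inside JAR/WAR/EAR archives, read its
version, check for JndiLookup.class, and report which of the three CVEs remain open.
Sample archives are constructed in a temp dir so the scan runs offline."""
from __future__ import annotations
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
ALL_CVES = ("CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105")

def parse_version(text: str) -> tuple[int, ...]:
    """'2.17.1' -> (2, 17, 1); '2.0-beta9' -> (2, 0): leading digits of each dotted segment."""
    return tuple(int(m.group(1)) if m else 0 for m in (re.match(r"(\d+)", s) for s in text.strip().split(".")))

def open_cves(version: str, jndi_present: bool) -> list[str]:
    """CVEs not fixed in this build. Fix releases per the Apache advisories: 44228 in 2.15.0,
    45046 in 2.16.0 (2.12.2 for Java 7), 45105 in 2.17.0 (2.12.3 and 2.3.1 on older branches).
    Deleting JndiLookup.class (the zip -q -d mitigation) closes only the two JNDI issues;
    45105 is recursion in lookup evaluation and needs the upgrade."""
    if version == "unknown":
        return list(ALL_CVES)  # cannot clear what cannot be identified
    v = parse_version(version)
    if v[:1] != (2,):
        return []  # Log4j 1.x is outside the scope of these three CVEs
    fixed = set()
    if v >= (2, 17, 0) or (2, 12, 3) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0):
        fixed = set(ALL_CVES)
    elif v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0):
        fixed = {"CVE-2021-44228", "CVE-2021-45046"}
    elif v >= (2, 15, 0):
        fixed = {"CVE-2021-44228"}
    if not jndi_present:
        fixed |= {"CVE-2021-44228", "CVE-2021-45046"}
    return [c for c in ALL_CVES if c not in fixed]

def scan_archive(zf: zipfile.ZipFile, path: str, findings: list) -> None:
    """Record a finding if this archive is log4j-core, then recurse into any nested archive."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
        version = next((p.split("=", 1)[1].strip() for p in props if p.startswith("version=")), "unknown")
        jndi = JNDI_CLASS in names
        findings.append({"path": path, "version": version, "jndi_lookup_present": jndi,
                         "open_cves": open_cves(version, jndi)})
    for name in sorted(n for n in names if n.lower().endswith(ARCHIVES)):
        try:
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                scan_archive(inner, f"{path}!/{name}", findings)  # e.g. app.war!/WEB-INF/lib/x.jar
        except zipfile.BadZipFile:
            continue

def scan_tree(root: str) -> list:
    findings: list = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(f for f in files if f.lower().endswith(ARCHIVES)):
            full = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(full) as zf:
                    scan_archive(zf, full, findings)
            except zipfile.BadZipFile:
                continue
    return findings

def _fake_log4j_core(version: str, include_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar; only the entry names matter to the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return buf.getvalue()

def build_sample_tree(root: str) -> None:
    """Hypothetical layout: three loose JARs plus a WAR bundling 2.16.0 under WEB-INF/lib."""
    os.makedirs(os.path.join(root, "lib"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", _fake_log4j_core("2.16.0"))
    for name, data in (("lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1")),
                       ("lib/log4j-core-2.14.1-nojndi.jar", _fake_log4j_core("2.14.1", False)),
                       ("lib/log4j-core-2.17.1.jar", _fake_log4j_core("2.17.1")),
                       ("app.war", war.getvalue())):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)

def demo() -> list:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {f['version']} JndiLookup={f['jndi_lookup_present']} open={f['open_cves'] or 'none'}")
```

Two points the bulletins imply but a scanner makes concrete: deleting JndiLookup.class closes CVE-2021-44228 and CVE-2021-45046 but does nothing for CVE-2021-45105, which is recursion in lookup evaluation rather than JNDI, so a 2.14.1 build with the class removed still shows that CVE open; and a WAR that bundles its own log4j-core is found only by recursing into nested archives, which a filename search on the host filesystem misses. The formatMsgNoLookups property is a JVM setting that cannot be read from the archive, so it is not modelled here.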