The Product Security Incident Response Team is dedicated to managing requests, investigating and reporting vulnerabilities or technical issues impacting our products and solutions.

PSIRT overview

We acknowledge the importance for our customers of being able to rely on secure products and solutions. Therefore it is our goal to ensure that Alcatel-Lucent Enterprise (ALE) products are developed with appropriate security principles as their basis. We follow a comprehensive security program that combines:

  • Secure software development best practices, processes, and tools
  • Rigorous product security requirements
  • Periodic validation and quality of security testing before release

Despite these security principles and related actions, vulnerabilities can be discovered in the software components of our products which, when exploited, can have an impact on the security level of these products once deployed in customers' networks.

Reporting a suspected Security Vulnerability

Individuals or organizations that are experiencing a technical security issue with an ALE product or solution are strongly encouraged to contact the ALE PSIRT by following these steps:

  1. Obtain the ALE PSIRT PGP public key; this ensures the confidentiality of the communication. Confidentiality is a key point at this step, protecting the security of our customers in accordance with our responsible disclosure policy.
  2. Complete the vulnerability summary report (VSR).
  3. Send the completed report to the email address: psirt@al-enterprise.com
  4. Consider including the reporting organization's public PGP key in the report email and encrypting the message with the ALE PSIRT PGP public key.
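The steps above can be scripted so that the report is only ever encrypted to a key whose fingerprint matches the one published further down this page. The following is an added example, not ALE's own tooling: it assumes GnuPG is installed as `gpg`, that the PGP public key block from this page has been saved to a local file, and that the VSR is a local text file. The fingerprint, key-ID and address are the ones published on this page; the `gpg --with-colons` sample in the test is constructed.

```python
"""Encrypt a vulnerability summary report to the ALE PSIRT key after
checking the key's fingerprint (added example, not ALE's own tooling).

Assumptions: GnuPG is installed as `gpg`, the ALE PSIRT public key block
has been saved to a local file, and the report is a local file.
"""
from __future__ import annotations

import subprocess
import sys
from pathlib import Path

# Published on this page next to the PGP key block.
ALE_PSIRT_FINGERPRINT = "7C52 9AB3 661A 9034 5A6C 7713 0A7D AAEC F5FB B615"
ALE_PSIRT_KEY_ID = "F5FBB615"
ALE_PSIRT_EMAIL = "psirt@al-enterprise.com"


def normalize_fingerprint(fpr: str) -> str:
    """Canonical form: upper-case hex without spaces, so copies of the
    fingerprint taken from different places compare reliably."""
    return "".join(fpr.split()).upper()


def key_id_matches(fingerprint: str, key_id: str) -> bool:
    """A short key-ID is the low 8 hex digits of the fingerprint; check that
    the two published values agree with each other."""
    return normalize_fingerprint(fingerprint).endswith(key_id.upper())


def fingerprints_from_gpg_colons(output: str) -> list[str]:
    """Parse `gpg --with-colons --fingerprint` output: the 10th field of each
    'fpr' record holds a fingerprint (primary key first, then subkeys)."""
    fprs = []
    for line in output.splitlines():
        fields = line.split(":")
        if fields and fields[0] == "fpr" and len(fields) > 9:
            fprs.append(fields[9])
    return fprs


def primary_fingerprint_ok(colons_output: str, expected: str) -> bool:
    """True only if the first 'fpr' record (the primary key) equals the
    published fingerprint. Subkey fingerprints are ignored on purpose."""
    fprs = fingerprints_from_gpg_colons(colons_output)
    return bool(fprs) and normalize_fingerprint(fprs[0]) == normalize_fingerprint(expected)


def run_gpg(*args: str) -> str:
    """Run gpg in batch mode and return stdout; raises on non-zero exit."""
    result = subprocess.run(["gpg", "--batch", *args],
                            capture_output=True, text=True, check=True)
    return result.stdout


def encrypt_report(key_file: Path, report: Path, out: Path) -> Path:
    """Import the key, refuse to continue unless the primary fingerprint
    matches the published value, then encrypt the report to that key."""
    run_gpg("--import", str(key_file))
    listing = run_gpg("--with-colons", "--fingerprint", ALE_PSIRT_KEY_ID)
    if not primary_fingerprint_ok(listing, ALE_PSIRT_FINGERPRINT):
        raise RuntimeError("imported key does not match the published ALE PSIRT fingerprint")
    # --trust-model always: trust was established by the fingerprint check
    # above, not by the web of trust, so gpg must not prompt or refuse.
    run_gpg("--trust-model", "always", "--armor", "--yes", "--output", str(out),
            "--recipient", normalize_fingerprint(ALE_PSIRT_FINGERPRINT),
            "--encrypt", str(report))
    return out


if __name__ == "__main__":
    # Usage: python encrypt_vsr.py ale-psirt-key.asc vsr.txt vsr.txt.asc
    key, vsr, dest = (Path(a) for a in sys.argv[1:4])
    print("wrote", encrypt_report(key, vsr, dest))
```

The recipient is named by full fingerprint rather than by the 32-bit key-ID, because short key-IDs are not unique and a keyserver may return more than one key for them; the script also compares only the primary key's fingerprint, since an attacker-controlled key could carry arbitrary subkeys.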

The ALE PSIRT process detailed below is followed while maintaining the discussion with the reporter. Communication with all involved parties is a key activity in our vulnerability resolution process.

Other channels for contacting Alcatel-Lucent Enterprise

Customers are also encouraged to report suspected security vulnerabilities via their usual support channels. Depending on the maintenance contract, these contact points will be able to assist in more general situations such as:

  • technical assistance to determine if a security problem exists
  • configuring an ALE product for a specific security-related function
  • questions about an announced security problem with an ALE product
  • implementation of any workarounds defined for the vulnerability

Note that ALE PSIRT should NOT be contacted to report or get support for security incidents that are happening "live" in deployed networks and solutions. Such incidents are to be reported only via the usual customer support channels.

ALE Product Security Incident Response Process

  1. Reporting the vulnerability via psirt@al-enterprise.com
  2. ALE acknowledges the reception of the VSR to the reporter
  3. ALE PSIRT analyzes the relevance of the report. Reporters are informed on a regular basis about the status of the ongoing investigation of the vulnerability
  4. ALE PSIRT communicates analysis conclusions with the reporter
  5. If any impacts are confirmed ALE will:
    - Coordinate fix and impact assessment
    - Define timeframe of correction delivery, notification plans, and disclosure to public organizations such as mitre.org and CERT organizations


Confidentiality - ALE PSIRT PGP public key

The ALE PSIRT process ensures that neither unauthorized ALE employees nor outside users get access to the information provided by the incident reporter. ALE also guarantees that, on request, the name of the incident reporter will not be disclosed in public communications or used in further external distribution. Similarly, the ALE PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the ALE PSIRT on the ALE websites through the appropriate coordinated disclosure.

To ensure the confidentiality of the report and of the subsequent communication with ALE PSIRT, we encourage sending encrypted messages using the following ALE PGP public key, and sending in return the public PGP key of the incident reporter.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQENBFYbygQBCADtnv6WNUaqho42wrylkrGgm1oSu1T0WpXYAUZjMKP1JUjStT45
CWJ4LwNpsYlOj4zcz5jp6KKZI/m/eCdeZAzzTRanKw6DEFrEafyBIOjYMPUFaYru
LS05AoIwP7f/cE8bz1fttIuzvM/TLlLN8iqXQg4z3yZvH6c0m0DYWa6iVoH51DxQ
xUoAjGxlqTesi4UfmGdu+gSdAQZt0Bh5d7S/r4ZTuT2uwSlR74gUl5CHBaunv6LX
cUawDQJla1RhmUP2jJCXVQlzbaqROQBSbPKFRCmB72wS+Sr9jbOIJITIbDJtLznh
dWDAp4fj8Wl4AP/9tD9b3rnF7MloXXkyO97bABEBAAG0MUFMRSBJbnRlcm5hdGlv
bmFsIFBTSVJUIDxwc2lydEBhbC1lbnRlcnByaXNlLmNvbT6JAT8EEwEIACkFAlYb
ygQCGwMFCQloXxwHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRAKfars9fu2
FYr9CAC6TZuChFMRqyIsTM4V8jFxQPlYl5TCDoOg5q7t/lY07MBMJbRmYj/FLp1o
+LhTRfFHhOhzKaVm3w7mRB0ZYxIXsMesz6Lo+WQrhaw+zvGKX80s/G61ZL9EQ5mL
gVyurFaMNcQIYAHFBHQNUfBju0d3//yy1VcZUnWqTGQsoN1vUZ64i/ZuuO2kIx5c
PmukDghM4Wx7qXQh+SQ5IGhVkxLt1SH7uSA5SYtDxS0jpkvWrmnAUcnHCKgSyhUU
ufd5qc1fi0Yz93VnS83lqRhqmm4gmvzyuM176vtG+y3tsNxc9XboW9rf9jVnTIht
SMEBbfRhngKLTaCUd+CODhdl3XxguQENBFYbygQBCADFBLjMY1zoyzZCJUeiW8Lx
b4HUi0fcfphblLhXC5QZyDnex0e9RUYAHyCMDcExUgpDJH12Ak+y2KMfsvFaEtiJ
tR6mPaGwcS19dGZwtTZEOD36ZufCkhjT5ePoy3ClX0pbMfLpDoe8u6SnbsEg9v53
c0NUSRTOTqP/hMfjafh0GVxqQImiEfh2hNDABqrOdexotu7D8N9ADRXPQRhzGYho
D8yTouduNe2aB4Jnh/cDYw0QkNf8j1JmwD1mlBa5RiC/T+YoqEzkv1o/VBKC2Y+X
DMBu39PgCo/FGMnDNavEoRV6rdC7wDl79r8Iu+jFVnbbLm6jlR+TN+OuBoPivnkJ
ABEBAAGJASUEGAEIAA8FAlYbygQCGwwFCQloXxwACgkQCn2q7PX7thVflwf+LXXZ
q99FBZFPVYeg1UoF2ILFkdXesTmmDfLZP2kmtCYHd9dCIkaWsA/u8rkQLtzYNgnq
5CwrPCe3xf/2alSN/vSG74qr69VQDmARpTjP5noYcUhjCl+xNy5+/qDoFTdNZ0v1
uJYr8jvr2yzvF1765temb4wIuE0jBEQPVt27eOve52JOHm9H9eho4nTUenRxT/3q
8cutNImcjwfBRnncAkzqhiZVg2mSKW66aNgHp7ryxItJvRwb3wf/B3O0Lzii+RTY
HTnEsqyrsQUUpssKlRcTnfBrNJsunfrv6D3tZnl7dcPmU2wS33IhdQLr/5ghixzv
k3QQTmXKk5+QAPCB9g==
=qOP/
-----END PGP PUBLIC KEY BLOCK-----

Key-ID: F5FBB615
Fingerprint: 7C52 9AB3 661A 9034 5A6C 7713 0A7D AAEC F5FB B615
E-mail: psirt@al-enterprise.com

This public key can be found on https://keyserver.pgp.com
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.9.1 (Build 347)

iQEVAwUBVhvLXpcQuJvKV618AQgb9Qf9GWwtzJVU7YGYQBZrYEjGbDA4sLVt359t
5PNX+98xQDK5lF8uzumeI+dM6XnKfDJG0KXMNEZJh6ZULeu+mghJtZ2xyxOglM4I
mSe6yP2YkfE7dyBIna4pmT20cv2GeGIMkzFF8QuqVX9quexBG/IVaCNQXrqCSRdi
QyA+aQLTUtk+N+HsZvyC7QV3nO/tsG7ROG3JYj1aaNOpED+yJUUy5L7LbNMw1Ojp
X/lPlIKB43MejJdaYlYcaZg88yE3ksq/Gl4xDbaLtbaC8uirFTV/v5Yw3Kwz8QrR
3LwpZXGdPeAj2SdJdnv2XEU4LV6MPFvkYc/uOgL65idQwkklL0T2+A==
=wJy/
-----END PGP SIGNATURE-----

Third-Party Software Vulnerabilities

ALE PSIRT works with third-party coordination centers such as CERT-IST, NVD and US-CERT to manage vulnerability notices reported on third-party software embedded in or used by ALE products and solutions. Each report is referred to by a unique CVE (Common Vulnerabilities and Exposures) number. Each issued CVE is analyzed by ALE teams to provide an adjusted risk score that reflects the effective impact on our products.

Risk assessment

ALE PSIRT uses version 3.0 of the Common Vulnerability Scoring System (CVSS) to evaluate reported and analyzed vulnerabilities. Although the CVSS numerical score gives standard information about the estimated risk of a given vulnerability, we often map it to a simpler impact scale with the following values:

Risk impact  CVSS score    Color code
Critical     9.0–10.0      Dark Red
High         7.0–8.9       Red
Medium       4.0–6.9       Amber
Low          3.9 or below  Yellow


Responsible Disclosure

If one or more of the following conditions exist, ALE will publicly disclose a Security Advisory:

  1. An incident response process has been completed and it has been determined that enough software patches or workarounds exist to address the vulnerability, or subsequent public disclosure of code fixes is planned to address high to critical severity vulnerabilities.
  2. Active exploitation of a vulnerability has been observed that could lead to increased risk for our customers. Early Security Advisories may then be published prior to the publication of available patches or corrections in order to inform our customers about potential risks.
  3. Public information about the vulnerability can expose our customers to potential increased risk. Early Security Advisories may then be published prior to the publication of available patches or corrections in order to inform our customers about potential risks.

All security publications are disclosed via the ALE Business Portal website. ALE reserves the right to deviate from this policy on an exception basis to ensure software patch availability and our customers' security.

Advisories
Full list of Advisories

Title  Edition  Date Issued
SA-N0037-OmniAccess ClearPass Policy Manager Multiple Vulnerabilities September 2016  ed01  09/22/2016
SA-N0036-AOS-W Default Cert Revocation  ed01  09/12/2016
SA-N0035-ClearPass Policy Manager Multiple Vulnerabilities June 2016  ed01  06/02/2016
SA-N0033-ALE WLAN FCC DFS regulatory change and impact resolution plan  ed01  05/18/2016
SA-N0031-AOS-W Multiple Vulnerabilities May 2016  ed01  05/12/2016
SA-N0032-ClearPass Policy Manager Multiple Vulnerabilities May 2016  ed01  05/12/2016
SA-N0029-OAW Instant Multiple Vulnerabilities May2016  ed01  05/11/2016
SA-N0028-Information about DROWN vulnerability  ed01  05/03/2016
SA-C0056-Information about DROWN vulnerability  ed01  04/25/2016
SA-C0055-Information about GLIBC vulnerabilities  ed01  03/04/2016
SA-N0027-Glibc DNS Stack-based Buffer Overflow  ed01  03/04/2016
SA-C0053 Information about POODLE vulnerability  ed02  01/25/2016
SA-N0025-AOS-W Multiple Vulnerabilities December 2015  ed01  12/05/2015
SA-N0026-Network Time Protocol Daemon Multiple Vulnerabilities December 2015  ed01  12/04/2015
SA-N0024-Cross-Site Request Forgery in OmniSwitch management interface CVE-2015-2805  ed01  10/19/2015
SA-N0023-ClearPass Policy Manager Multiple Vulnerabilities June 2015  ed01  06/30/2015
SA-C0054-Information about GHOST vulnerability  ed02  04/20/2015
SA-N0020-OpenSSL Multiple Vulnerabilities March 2015  ed01  03/31/2015
SA-N0021-OV3600 Multiple Vulnerabilities March 2015  ed01  03/31/2015
SA-N0022-Alcatel-Lucent Remote Access Point (RAP) Command Injection  ed01  03/31/2015
SA-C0052-Information about BASH shellshock vulnerability  ed05  02/27/2015
SA-N0017-AOS-W instantiap wireless dos attack  ed01  02/27/2015
SA-N0018-Buffer Overflow in glibc aka GHOST  ed01  02/27/2015
SA-N0019-OpenSSL Multiple Vulnerabilities 08 January 2015  ed01  02/27/2015
SA-N0016-Information on AOS about NTP daemon (ntpd) multiple vulnerabilities  ed01  01/31/2015
SA-N0015-Unauthenticated SQL Injection Vulnerability in ClearPass Policy Manager  ed01  11/26/2014
SA-N0011-Information on ENS and AVBS about GNU Bash Shell Vulnerabilities  ed02  10/31/2014
SA-N0012-OmniAccess WLAN Authentication Bypass Vulnerability  ed01  10/31/2014
SA-N0013-ClearPass Multiple Vulnerabilities October 2014  ed01  10/31/2014
SA-N0014-Information on AOS about SSLv3 POODLE Attack  ed01  10/31/2014
SA-C0050-Information about OpenSSL Security Fixes  ed03  09/30/2014
SA-N0009-Information on AOS-W about GNU Bash Shell Vulnerabilities  ed01  09/30/2014
SA-N0010-Information on AOS about GNU Bash Shell Vulnerabilities  ed01  09/30/2014
SA-C0051-OmniPCX Office RCE secured network deployment measures  ed01  07/31/2014
SA-N0007-OmniAccess WLAN ClearPass Policy Manager march2014  ed01  07/31/2014
SA-N0008-FAQ OmniAccess WLAN ClearPass Policy Manager SQL Injection and Credential Disclosure  ed01  07/31/2014
SA-C0049-Reinforcing Security on 4635 Voicemail Systems Complementary information to TC1774  ed04  05/27/2014
SA-N0005-FAQ Clearpass security advisory may2014  ed01  05/27/2014
SA-N0006-Clearpass security advisory may2014  ed01  05/27/2014
SA-C0048-Information about TLS heartbeat read overrun  ed05  04/28/2014
SA-N0004 AOS openssl heartbleed  ed01  04/28/2014
SA-N0003-Clearpass apache struts2 security  ed01  09/30/2013
SA-C0047-XSS vulnerability in Alcatel-Lucent OmniTouch MyTeamwork  ed01  07/29/2013
SA-N0002-OmniAccess WLAN Cross-Site Scripting Vulnerability  ed01  03/14/2013
SA-C0046-Voicemail phreaking prevention and security measures  ed01  06/20/2012
SA-N0001-AOS-W Default Certificate Expiration  ed01  06/20/2012
SA-C0043-Cross site scripting vulnerability in OmniPCX Enterprise  ed01  01/13/2012
SA-C0044-Cross-site scripting vulnerability in OmniVista 4760  ed03  01/13/2012
SA-C0045-Multiple vulnerabilities in Instant Communication Suite  ed05  01/13/2012