Heartbleed Vulnerability: Manufacturer Hotfixes and Upgrades
Dear Valued Customer:
As you may already be aware, a major new security vulnerability termed 'Heartbleed' was disclosed on Monday, April 7th. Accordingly, SPS has been proactively working with our manufacturing partners to get all issues addressed and related hotfixes and/or upgrades out to our customers.
Realizing our customer base may be impacted across various products and manufacturers, this advisory notice includes the latest information we have received from Avaya, Cisco and Polycom. Please review the information below and follow the links for detailed information.
Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly, but may threaten the integrity of the underlying platform.
In the case of this advisory, Avaya software-only products are not affected by the vulnerability directly, but the underlying Linux platform may be. Customers should determine on which Linux operating system the product was installed and then follow that vendor's guidance.
Cisco's PSIRT team (Product Security Incident Response Team) is currently investigating which Cisco products may be affected. Please check the affected products section for an up-to-date list of products that have been confirmed as affected. As more updates become available the security advisory will be updated. More information
At present, the Cisco Video Communication Server (VCS) has been confirmed as affected. Cisco's developers have released a fix for VCS (X8.1.1). Prior to upgrading to VCS X8.1.1, please read the full release notes and validate that your environment is ready for the upgrade. More information
Important: As other Cisco and/or legacy TANDBERG products may be affected with this upgrade, we advise you to contact your account representative to schedule an audit of your environment.
At this time, a nearly complete list of Polycom products, their versions, and version of OpenSSL (if any) has been provided. This bulletin will be updated periodically until all Polycom products/versions are known as vulnerable or not, and until all vulnerable systems are fixed. Note as well that fix data will appear in this same table as fixes occur. More information
If you need more information or have any questions about this notice, please contact Technical Services at 888-477-6225 or email@example.com.
Your SPS Team
CURRENT ADVISORY - FEBRUARY 24, 2014
This advisory notice serves as an update to the series of communications we have sent regarding infrastructure upgrades for the Avaya Secure Access Link (SAL) remote access. We are pleased to inform you that Avaya has confirmed the infrastructure upgrade will be complete by April 30, 2014.
All versions (1.5, 1.8., 2.0, 2.1, 2.2) of Secure Access Link (SAL) Gateway will be affected, including:
/ Standalone SAL Gateway (software only)
/ Virtualized SAL vAppliance on VMware
/ SAL Gateway on System Platform (Services-VM)
/ SAL Gateway packaged with Avaya Diagnostic Server
/ ION SAL SA5600
Each customer environment is unique and may need to address different variables within their environment. We encourage you to plan accordingly in order to avoid any disruption in service. For each environment, the following questions need to be asked:
- Do you have any firewall rules that enable SAL Gateway to communicate with Avaya SAL Enterprise?
- Does your environment have a proxy server?
- Does your SAL Gateway use DNS to communicate to Avaya?
Please visit the Avaya website to access the Avaya Product Support Notice and review the "Network settings update table" to determine what actions are required for your network environment.
If you have any questions or require additional support, please contact SPS at 888.777.7280, or you may submit a support ticket online. Depending on your coverage, additional support may incur charges.
PREVIOUS ADVISORY - DECEMBER 30, 2013.
On November 26, 2013, SPS issued an advisory product support notice (PSN) regarding infrastructure upgrades for Avaya's Secure Access Link (SAL) remote access. This communication outlined relevant action items and timelines associated with this upgrade.
Please be advised that this PSN has been put on hold. All dates associated with this PSN will be rescheduled in 2014. No further action is required until the new dates have been published. To review the original announcement, please see the below previous advisory from November 26, 2013.
- This PSN and infrastructure update has no impact on the SAL alarming capabilities or infrastructure
- Firewall and proxy settings within the customer network can be made now in preparation for the migration
- Administration configuration changes to the SAL Gateway cannot be made until the new dates are published. Any changes made in advance will cause disruption of remote access services
PREVIOUS ADVISORY - NOVEMBER 26, 2013
We are pleased to inform you that Avaya is investing in a significant infrastructure upgrade for their Secure Access Link (SAL) remote access. This advance notification is intended to help our customers plan accordingly in order to avoid any disruption in service, and includes important information on the equipment and software that will be affected during the migration process. The following versions and releases of Secure Access Link (SAL) Gateway will be affected:
- Standalone SAL Gateway (software only)
- Virtualized SAL vAppliance on VMware
- SAL Gateway on System Platform (Services-VM)
- SAL Gateway packaged with Avaya Diagnostic Server
- ION SAL SA5600
WHAT THIS MEANS FOR OUR CUSTOMERS:
In order to avoid interrupted communication with Avaya during the migration process, customers need to review and update firewalls, outbound proxies, and DNS host entries with new IP addresses and fully qualified domain names (FQDNs). The changes on your network to accommodate the new IP addresses and FQDNs are critical for continued access and ability to support Avaya products via the SAL remote access method.
Download the Avaya Product Support Notice and review the "Network settings update table" to determine what actions are required for your network environment.
PLEASE NOTE: The due dates vary from January 1, 2014 through January 31, based on action item.
With improved scalability and availability, customers will benefit from enhanced communication between your Avaya SAL Gateway and Avaya's infrastructure. If you have any questions or require additional support, please contact SPS at 888.777.7280, or you may submit a support ticket online. Depending on your coverage, additional support may incur charges.
Daylight Saving Time
The 2014 Daylight Saving Time Change dates are March 9, 2014 and November 2, 2014.
The 2015 Daylight Saving Time Change dates are March 8, 2015 and November 1, 2015.
As a valued SPS customer, we want to keep you informed about the effect this change will have on your communications equipment. Many electronic devices, including computers, servers, telephony, and voice messaging equipment utilize a Daylight Saving Automated Time Change feature. This automated feature is currently programmed for the former DST dates and will not recognize the changes required for the revised dates.
ACTION MAY BE REQUIRED
Businesses with server-based solutions, contact centers, time-of-day greetings, time-stamping, or support for multiple time-zone workers, will want to take action to avoid interruptions or mis-routing of calls.
Depending on the type of equipment you have installed, various patches may be available (or manual override) to change the time settings on your electronic devices.
The SPS Customer Service Team is here to assist you. Please call 888.777.7281.
A Service Representative will create an order for a Remote Technician to call into your system to make any necessary updates to the time settings. Please note, this is a billable service.
Avaya DST Support Page
Merlin Magix Time Change Instructions
Partner Time Change Instructions
North Carolina Utilities Commission Announces New 984 Area Code That Will Share the Existing 919 Area Code Region
To accommodate the growing need for telephone numbers in the geographic area served by the 919 Area Code, the North Carolina Utilities Commission has approved the addition of a new Area Code. The new 984 Area Code will apply to the same geographical area as the 919 Area Code, which generally covers the north central portion of North Carolina and serves communities such as Apex, Carrboro, Cary, Chapel Hill, Durham, Garner, Goldsboro, Raleigh, Sanford, Smithfield, and Wake Forest.
How will this affect me?
No one currently with a 919 Area Code will need to change their existing phone number when the 984 Area Code is introduced. All customers within the 919/984 geographical area will need to dial the appropriate 3-digit Area Code followed by the 7-digit telephone number when dialing a 919 or a 984 number. Please see the map below for an outline of the 919/984 Area Code region.
When will the 984 Area Code be assigned?
Customers seeking new telephone numbers in the affected region may be assigned the new 984 Area Code as early as April 30, 2012.
What is the dialing change?
Because of the addition of the new 984 Area Code, you will be required to dial 10 digits (Area Code + 7-digit phone number) when making local calls. Long-distance calls will require 1+10-digit dialing. Operator assisted calls will require 0+10-digit dialing. Remember to use the new 984 Area Code as needed.
Type of Call
How to Dial Calls
Local and EAS Calls
919 or 984 Area Code
(Area Code + XXX-XXXX)
All Area Codes
(1+Area Code + XXX-XXXX)
Operator Calls credit card, collect, third party
All Area Codes
(0+Area Code + XXX-XXXX)
When will the changes go into effect?
• Beginning October 1, 2011, you should dial a local 919 number with 10 digits (Area Code+ 7-digits).
• As of March 31, 2012, you must dial 10 digits to complete all local calls. If you don’t dial all 10 digits, your call will not be connected.
What needs to change?
• You will need to dial 10 digits (Area Code+ 7-digit phone number) for every local call.
• You may need to reprogram or upgrade your equipment to accommodate the new dialing procedure if you use specialized communications equipment like a PBX, electronic telephone sets, auto-dial systems or multi-line key systems. Customers may see changes in the display screen on their phone sets based upon their particular type of device.
• Some automatically dialed calls may require reprogramming to include the new dialing procedure using 10 digits. These calls may include life safety systems, fax machines, Internet dial-up numbers, alarm and security systems, speed dialers, call forwarding settings, voicemail services, and similar functions. Remember that you need to dial a “1” if these numbers are long distance.
• Check your internet websites, business stationery, advertising materials, personal checks, contact information, ID tags and other items that include your telephone number to make sure the Area Code is included.
What will remain the same?
• Your telephone number, which includes your Area Code, will remain the same.
• The price of a call, local and long-distance calling areas, and other rates and services will not change as a result the new Area Code. What is a local call now will remain a local call regardless of the number of digits dialed.
• For emergency calls, you should continue to dial 3 digits: 9 -1 -1.
• If 211, 311, 411, 511, 611, 711 and 811 are currently available for services in your community; you still dial them with just three digits.
*A service representative will create an order for a Remote Technician to connect into your system(s) and determine if changes are needed. Please note this is a billable service and not covered under either Avaya or SPS software support maintenance agreements.
ADVISORY: Public Key Infrastructure (PKI) Certificate Expiration
SPS Release Date: April 2011 Update: August 2011
Release Level: Enterprise
Related System Platforms
· Avaya Aura Communication Manager, Branch Edition (DO) & Conferencing
· Avaya Aura SIP Enablement Services
· Avaya One-X Desktop
· IP Softphone; 96xx SIP Phone
· Modular Messaging
Industry standard digital Public Key Infrastructure (PKI) security certificates are used for data encryption on secure communication links in several Avaya products. As an industry standard security measure, security certificates expire after a time, requiring system administrators to update them periodically. This advisory is to notify customers that many Avaya systems worldwide have PKI certificates with expiration dates that were July 23, 2011. Note that this is only an issue on the above listed system platforms in enterprises with SIP enabled in the environment. The listed products are only affected if communication over SIP with Transport Layer Security (TLS) is enabled. SIP over TCP is not affected. All other SIP capable products in Avaya’s portfolio are not impacted by this PKI certificate event.
Be advised that, due to the durability of many SIP connections (e.g. Communication Manager to SIP Enablement Services, Communication Manager to Modular Messaging or Voice Portal, etc.), it is very possible that some systems with expired certificates have not yet exhibited issues. The PKI certificate is only needed when a SIP connection needs to be re-established after being dropped deliberately or inadvertently. All SIP-enabled products at the release levels indicated below that use TLS for secure SIP communication, must receive an updated certificate. If nothing has been done to date, action should be taken immediately.
Impact of Expired Certificates
Certain features and capabilities will not operate properly after the certificate expiration date. Details regarding the impact of expiring certificates vary by product; CLICK HERE for further information.
SPS Technical Service Center *
Call (888) 777-7281
If you intend to upgrade to the most current product version / service pack, combination, new certificates come as part of the upgrade.
Most of the certificate update methods involve downloading and applying a service pack, which is considered to be a task that you can perform. In some cases, a system reboot is required to complete the installation of a Service Pack.
*A service representative will create an order for a Remote Technician to connect into your system(s) and determine if your certificate is affected. Please note this is a billable service and not covered under either Avaya or SPS software support maintenance agreements. Customers that have opted to purchase the SPS Firmware Update offer will have patch and software updates performed at no additional fee. Activities required to upgrade systems requiring full feature upgrades (I.E. R-4.x to R-6.x) are not included in the update offer.
If your certificate is determined to need an update, the Remote Engineer will advise you, and will then provide a quote for approval to proceed with remediation activities.
For Self Service Certificate Update Resources – CLICK HERE
For Impact of Expired PKI Certificates on Product Operation – CLICK HERE
Avaya Day One Billing Change
Effective: November 8, 2010
Avaya is changing the policy related to the billing start date of legacy support offers to align with the newer support offers that it has introduced in recent years. Under the new policy, billing will commence at the point-of-sale without a deferral period on Traditional (Per Component basis) and Utility support agreements for new products and for aftermarket additions sold for existing installed products. The billing deferral period of 12 months for Utility and for most hardware products and 90 days for most software products will no longer apply.
Day One Billing will begin on the first day of support and will go on during the manufacturer’s warranty period. The trigger for Day One start is as follows:
- If Avaya sells the product directly and installs the product, support will commence on the date Avaya notifies that the product is installed according to specifications.
- If Avaya sells the product directly, but does not install the product, support will commence on the earlier of the date when: (i) features are enabled, (ii) is downloaded to the target processor or (iii) physically delivered to the customer premises.
- If the product is purchased through an authorized Avaya reseller, support will commence on the first day of the second month following order closure. Support for additional licenses and/or hardware additions/expansions (after initial commencement of support) will commence on the first day of the month following order closure for those additional materials.
What’s New; What Changed?
The change in policy applies to Retail, Wholesale, and Partner Support Services (PSS) offers based on the Traditional and Utility offer structures
Key Features & Capabilities
- Alignment with other support offers.
- Alignment with competitors that already bill from Day One for HW and SW support.
- Globally consistent with other Avaya regions who are already billing Day One for HW support.
The policy change applies to all product attach maintenance support that is not included in Software Support or Support Advantage and includes retail, wholesale and PSS options.
Simplification and consistency of terms and billing start dates across Avaya support offers.
Effective date will be November 8, 2010.
Policy change is applicable to all point-of-sale attach of maintenance for any new hardware or software product and for aftermarket additions sold for existing installed products that are not covered under Software Support or Support Advantage. Includes Retail, Wholesale and Partner Support Services (PSS) offers based on Traditional and Utility support structure.
Service Delivery Offers & Requirements
The policy change will apply to all coverage levels available with Traditional and Utility support offers as follows:
- Full Coverage 24X7 and 8X5
- Parts Plus Remote Support 24X7 and 8X5
- Remote Only Support 24X7 and 8X5
Retail, Wholesale and PSS versions of these offers are included.
Customers that do not elect to purchase coverage at the point of sale will only be covered by the factory warranty, which does not include any on-site support or advance delivery of replacement parts. Also, warranty coverage does not include 24x7 monitoring and alarm resolution provided by diagnostic tools. There is no change in the fragmentation rules.
Comparison of standard warranty coverage and maintenance agreement coverage:
Customers Without an Avaya Maintenance Agreement
Customers With an Avaya Maintenance Agreement
Customers receive support in accordance with the Avaya standard Warranty Policy located at http://support.avaya.com. Warranty provides:
· Replacement of defective Software or Hardware
· Access to Software and Firmware updates
· Access to the Self Help Web Site
Will include the following services where applicable to the customer's Services Support Agreement:
· Replacement of defective Software or Hardware
· Access to Software and Firmware updates
· Access to the Self Help Web Site
· 24/7 Monitoring / Alarming
· EXPERT Systems (SM)
· Maintenance Software Permissions (MSP's)
· Toll Fraud Identification
· Power Surge Protection
· Proactive IP Support
· Priority Service Over Per Incident
· Preventive Maintenance
· Security Scanning
· Out of Hours Support
· On-Site Service
· Advance Parts Replacement
Click here to open the Day One Billing Presentation.
Maintenance per Incident Time and Material Services Support Policy Change
Effective July 1, 2010, Avaya is changing their maintenance per incident time and materials support policy.
The policy change applies to any products that are not under a minimum Avaya Maintenance contract. Please select the links below for more information.
SPS provides comprehensive support for all customers who choose time and material or minimal coverage plans. SPS also offers flexible service plans in support of Avaya’s maintenance plans.