Ava-216: Ava Aware used TLS 1.0 in connection to LDAP server

Release Date

5th November 2020.

Overview

Ava Aware used TLS 1.0 in connections to LDAP servers where TLS 1.0 was the default protocol.

Affected Products

• Ava Aware:
  • All Stable upgrade channel versions up to but not including 3.0.5
  • All Beta upgrade channel versions up to but not including 3.1.2

Unaffected Products

• Ava Aware:
  • All Stable upgrade channel versions after and including 3.0.5
  • All Beta upgrade channel versions after and including 3.1.2
• Ava cloud: All versions
• Ava camera: All versions

Resolution

This issue has been fixed in Ava Aware Beta upgrade channel version 3.1.2 and Stable upgrade channel version 3.0.5.

Vulnerability Information

Ava Aware used TLS 1.0 in connections to LDAP servers where TLS 1.0 was the default protocol. We recommend enabling TLS 1.2 on your LDAP server. Additionally, if your Ava Aware installation cannot be immediately upgraded to an unaffected version, we recommend setting TLS 1.2 as the default protocol on your LDAP server. Ava Aware now only supports TLS 1.2-encrypted connections to LDAP servers.

• CVE: Pending
• CVSSv3.1 score: 6.8 (Medium)
• CVSSv3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:R

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

• 04/07/2019 Issue found internally by Ava Security
• 29/07/2020 Fix identified
• 29/10/2020 Patched Ava Aware 3.1.2 (Beta upgrade channel) released
• 05/11/2020 Patched Ava Aware 3.0.5 (Stable upgrade channel) released
• 05/11/2020 Advisory published internally
• 05/11/2020 Vulnerability publicly disclosed