Although Heartbleed is most dangerous bug in the past year, I have no idea how it can affect a SPA5xx phone unless it's in danger even without Heartbleed.
Phone must not be accessible for communication from untrusted sources at all, even without Heartbleed. And trusted partners will not Heartbleeds against you. And even if they will violate the trust, they can catch only information they have already.
Or I missed something ?
In short, Yes, there is no clear declaration related to the issue. But it seems that Heartbleed is not so important issue in this particular environment.
Although I'm curious as well, I would like to repeat that the answer to this question is not so important.
You have your network either secure and no untrusted computer can speak to your phones, then no MITM attack is possible (as there is no untrusted computer to become MITM), so the Heardbleed is not severe issue to you.
Or you have your network designed insecurely, untrusted computer can speak to your phone, then you are in risk of bill fraud even without Heartbleed.
I can tell that the Cisco SPA Phones are delivered as part of a hosted solution. Phones are delivered into customer network, which is not under the operator control. Its not possible to control the customer network. However, as a hosted service, we should ensure that the solution follows the security best practices.
If a vulnerability is known, it wouldn't be wise not do anything about it.
... despite it is not severe, in the particular case.
I agree, I will welcome clear statement related to it from Cisco, and/or patched firmware if necessary. At least it may calm down the customer's panic a lot.
I'm just saying it's not so big problem it's not available yet. Just explain your customer, that the Hearbleed is not so harmful in properly designed (=closed) VoIP network. As you claimed, customer network is not under your control, so it's customer responsibility to have appropriate configuration of voice LAN. If has nothing to do with Heartbleed.
Configure Multicast Paging on the Cisco IP Phone 7800 Series or 8800 Series Multiplatform Phone
The Cisco IP Phone 7800 and 8800 Series Multiplatform Phones provide voice communication over an Internet Protocol (IP) network...
Add Call Park on a Cisco 7800 or 8800 Series Multiplatform Phone Key Expansion Module
Call park allows the user of the phone to put an incoming call on hold so that the call can be retrieved on another phone. A call is park...