Possible Java plug-in vulnerability in Lotus Notes

 Technote (FAQ)
 
Question
David Gloede contacted IBM® Lotus® to report that the Notes® client was affected by a Java plug-in vulnerability originally documented in an advisory by Jouko Pynnonen. This Java vulnerability involves the execution of JavaScript within a Java applet to gain escalated privileges.
In order for an attacker to successfully exploit this vulnerability in previous releases, the following must be accomplished:

(1) Lotus Notes client must have the "Enable Java access from JavaScript" option enabled within User Preferences.

(2) Attacker must create a Java applet which utilizes JavaScript to execute Java code that will escalate the attacker's access privileges.

(3) Attacker must attach the Java applet to an email and send the mail message to a user.

(4) User must open the message.


Jouko Pynnonen's original advisory is available at the following link:
http://jouko.iki.fi/adv/javaplugin.html

The related Sun advisory is available at the following link:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101523-1
 
Answer
The Java Virtual Machine (JVM) fix for the vulnerability reported as Sun Alert # 57591/101523 has been incorporated into Notes release 7.0.2. Notes release 8.0 is not affected by this vulnerability.
For Notes releases prior to 7.0.2, it is recommended that you disable the "Enable Java access from JavaScript" preference.

To manage the User Preferences for all users

Administrators can centrally manage the User Preferences by using a Desktop Policy.

1. Open the Domino Directory and go to the Policy section.

2. Choose the Desktop Policy and navigate to the "Preferences" tab.

3. Select the "Miscellaneous" tab.

4. Deselect "Enable Java access from JavaScript".

To learn more about the Desktop Policy and how to manage it, refer to the Domino Administrator Help.


To change the User Preferences for a single user

1. From the Lotus Notes menu, select File -> Preferences -> User Preferences.

2. Select the Basics tab, and navigate to the Additional Options section.

3. Deselect "Enable Java access from JavaScript".


Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 5.8
Impact Subscore: 4.9
Exploitability Subscore: 8.6
CVSS Temporal Score: 4.5
CVSS Environmental Score: Undefined*
Overall CVSS Score: 4.5
Base Score Metrics:
  • Related exploit range/Attack Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: Partial
Temporal Score Metrics:
  • Exploitability: Proof of Concept Code
  • Remediation Level: Official Fix
  • Report Confidence: Confirmed
References:


*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
 
 
 

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Document information
 Product categories:
 Software
 Messaging Applications
 Advanced Messaging
 Lotus Notes
 Lotus Notes
 Operating system(s):
  Windows
 Software version:
  6.5.6, 7.0
 Reference #:
  1257249
 IBM Group:
 Software Group
 Modified date:
 2008-02-19
