Potential stack overflow vulnerability with IBM Lotus Sametime Community Services multiplexer (MUX)

 Technote (troubleshooting)
 
 
Problem
TippingPoint's Zero Day Initiative contacted IBM® Lotus® to report a potential stack overflow vulnerability with the IBM Lotus Sametime® Community Services multiplexer (MUX). The issue is fixed in Sametime 8.0.1 and addressed in other releases by a hotfix.



The advisory address is as follows:
http://zerodayinitiative.com/advisories

 
 
Cause
In order for an attacker to successfully exploit this vulnerability, the following must be accomplished:
  • Lotus Sametime server must be installed and configured
  • Attacker must be able to establish a connection to the Sametime server over HTTP
  • Attacker must send a specific HTTP request to the Sametime server
  • The Sametime Community Services multiplexer (MUX) processing the malicious request could result in a stack overflow
 
Resolving the problem
This issue was reported to Quality Engineering as SPR# RDES7CALDL. The issue is fixed in Sametime 8.0.1. Please refer to the workarounds below for other releases to determine your available options.



Workarounds for Sametime 8.0:

Upgrade to Sametime version 8.0.1. Refer to the Upgrade Central site for details.


Workarounds for Sametime 7.5.1 Cumulative Fix 1 (CF1):

Customers that have deployed Sametime 7.5.1 Cumulative Fix 1 (CF1) can download hotfix ICAE-7DPP83 from Fix Central. The fix is also included in Sametime 7.5.1 (CF2).


Workarounds for Sametime 7.5 Cumulative Fix 1 (CF1):

Customers that have deployed Sametime 7.5 can contact IBM Support and request hotfix ICAE-7DPP3K.


Workarounds for Sametime 7.0:

Customers that have deployed Sametime 7.0 can contact IBM Support and request hotfix ICAE-7DPNVH.


Workarounds for Sametime 6.5.1 FP1:

Customers that have deployed Sametime 6.5.1 FP1 can contact IBM Support and request hotfix ICAE-7DPNNW.


Additional Information
If there is a special circumstance in which an upgrade to the most current version cannot be performed, please contact IBM Support to inquire about any alternatives.



Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 5
---- Impact Subscore: 2.9
---- Exploitability Subscore: 10
CVSS Temporal Score: 3.9
CVSS Environmental Score: Undefined*
Overall CVSS Score: 3.9
Base Score Metrics:
  • Related exploit range/Attack Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Temporal Score Metrics:
  • Exploitability: Proof of Concept Code
  • Remediation Level: Official Fix
  • Report Confidence: Confirmed
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
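
The scores above follow from the listed metrics through the published CVSS v2 equations, and the same equations let a customer derive an environmental score. The Python below is an added example, not IBM's code: the dictionary and function names are illustrative, the weights are those of the public CVSS v2 specification, and the Integrity Requirement of High in the last call is an assumed customer setting.

```python
# Added example: CVSS v2 equations applied to the metrics listed in this technote.
# Weights come from the public CVSS v2 specification; all names here are illustrative.
AV = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
CIA = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}
E = {"Unproven": 0.85, "Proof of Concept": 0.90, "Functional": 0.95, "High": 1.0}
RL = {"Official Fix": 0.87, "Temporary Fix": 0.90, "Workaround": 0.95, "Unavailable": 1.0}
RC = {"Unconfirmed": 0.90, "Uncorroborated": 0.95, "Confirmed": 1.0}
REQ = {"Low": 0.5, "Medium": 1.0, "High": 1.51, "Not Defined": 1.0}

# Metric values as listed in the technote.
TECHNOTE = {"av": "Network", "ac": "Low", "au": "None",
            "c": "None", "i": "Partial", "a": "None",
            "e": "Proof of Concept", "rl": "Official Fix", "rc": "Confirmed"}

def exploitability(m):
    return 20 * AV[m["av"]] * AC[m["ac"]] * AU[m["au"]]

def impact(m, cr="Not Defined", ir="Not Defined", ar="Not Defined"):
    # With every requirement "Not Defined" this is the plain base impact subscore.
    kept = ((1 - CIA[m["c"]] * REQ[cr]) * (1 - CIA[m["i"]] * REQ[ir])
            * (1 - CIA[m["a"]] * REQ[ar]))
    return min(10.0, 10.41 * (1 - kept))

def base(m, **req):
    imp = impact(m, **req)
    f = 0.0 if imp == 0 else 1.176
    return round((0.6 * imp + 0.4 * exploitability(m) - 1.5) * f, 1)

def temporal(m, **req):
    return round(base(m, **req) * E[m["e"]] * RL[m["rl"]] * RC[m["rc"]], 1)

def environmental(m, cdp=0.0, td=1.0, **req):
    # cdp: collateral damage potential weight; td: target distribution weight.
    # The defaults correspond to both metrics being "Not Defined".
    adjusted = temporal(m, **req)
    return round((adjusted + (10 - adjusted) * cdp) * td, 1)

if __name__ == "__main__":
    print("impact", round(impact(TECHNOTE), 1))
    print("exploitability", round(exploitability(TECHNOTE), 1))
    print("base", base(TECHNOTE), "temporal", temporal(TECHNOTE))
    print("environmental, nothing defined", environmental(TECHNOTE))
    print("environmental, assumed IR=High", environmental(TECHNOTE, ir="High"))
```

With no environmental metrics defined, the environmental result equals the temporal score, which is why the technote's overall score matches its temporal score.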
 
 
 


Document information

Product categories: Software; Organizational Productivity, Portals & Collaboration; Real-time & Team Collaboration; Lotus Sametime; Lotus Sametime Server
Operating system(s): AIX, Linux, Solaris, Windows, i5/OS
Software version: 6.5.1.1, 7.0, 7.5, 7.5.1, 7.5.1.1, 8.0, 8.0.1
Reference #: 1303920
IBM Group: Software Group
Modified date: 2009-08-14
