IBM Support

Java applet signatures and the Execution Control List

Technote (FAQ)


David Gloede contacted IBM® Lotus® to report a potential security issue with the Execution Control List (ECL) and Notes® signatures on Java applets.


The Execution Control List (ECL) enables administrators and users to protect their data against the threats of e-mail bombs, viruses, Trojan horses, and unwanted application intrusions. The ECL provides the mechanism for managing whether such programs or code should be allowed to execute based upon a Notes signature. In this specific situation, it has been determined that an unsigned applet would be signed when acted upon.
In order for an attacker to successfully exploit this vulnerability, the following must be accomplished:

For the purposes of this example the following are defined:
- Attacker (original sender)
- User 1 (original recipient - Notes User)
- User 2 (recipient of forwarded message - Notes User)

(1) Attacker must create a Java applet and send it to User1 over the Internet. At this point, the Java applet does not have a Notes signature. If ECLs are properly configured (that is, Default and No Signature set to "No Access") an Execution Security Alert (ESA) will be generated when the document is opened by User1.

(2) User1 must forward the mail using Lotus Notes to User2. The previously unsigned applet will now be signed by User1 using Notes signatures.

(3) At this point, User2 must have the "Enable Java Applets" option enabled within User Preferences

(4) Additionally, the ECL of User2 must allow User1 proper rights to execute Java

(5) If User1 is trusted to sign Java applets, then this Java applet would execute according to the rights assigned within User2's ECL.


This issue was reported to Quality Engineering as SPR# TMDS6W826S and SPR# TMDS6W82A5.

Suggested Workarounds

There are two options that can be taken to prevent this potential issue.

Option #1: Disable the setting for "Enable Java Applets"
a. From the Lotus Notes client File menu, select File-->Preferences-->User Preferences
b. On the Basics tab, under Additional Options
c. Deselect "Enable Java Applets"
d. The result is that no Java Applets will be allowed to execute within Lotus Notes.

Note: If your organization does not develop Java applets for use within Notes database applications (NOT Java agents, which run under the rights assigned to Workstation security), then there is no need to enable Java applets within Notes.

Option #2: Use a trusted signature for all Java Applets
First, you must create a Notes ID file that will be used to sign Java applets. It is recommended that this ID file not be assigned to an actual user . It should be registered as an application signing ID (for example: "Java Applet Signature" or "xxx Application Signing )

Next, the users ECLs must be updated. This can be done using a policy or on an individual basis.

To manage the ECL for a all users
The ECL can be managed centrally by using the Administration ECL found in the Security Policy.

1. Open the Domino Directory and go to the Policy section.

2. Choose the Security Policy and navigate to the "Execution Control List" tab

3. Edit the Admin ECL to make any necessary changes to the "Java Applet" section.

4. Add your new trusted signature name to the "When applet is signed by:" list by clicking Add, enter the name trusted signature, and then click OK.

5. Select the signature name you just added and enable the types of access you want

To learn more about the Administration ECL and how to manage it, refer to "Deploying and updating workstation ECLs" and "the Administration ECL" topics discussed in the Domino Administrator Help.

To change the ECL for a single user.

1. Select File -> Security -> User Security.
(Macintosh OS X users: Select Notes -> Security -> User Security.)

2. Select "What Others Do" and then select "Using Applets".

3. The "When applet is signed by:" list should contain only signature names that are fully trusted.

4. Add your new trusted signature name to the "When applet is signed by:" list by clicking Add, enter the name trusted signature, and then click OK.

5. Select the signature name you just added and enable the desired access types.

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 5.8 >
Impact Subscore: < 4.9 >
Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 5.0 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 5.0 >
Base Score Metrics:
    • Related exploit range/Attack Vector: < Network >
    • Access Complexity: < Medium >
    • Authentication < None >
    • Confidentiality Impact: < None >
    • Integrity Impact: < Partial >
    • Availability Impact: < Partial >
Temporal Score Metrics:
    • Exploitability: < Proof of Concept Code >
    • Remediation Level: < Workaround >
    • Report Confidence: < Confirmed >

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.

Document information

More support for: IBM Notes

Software version: 6.0, 6.5, 7.0, 8.0

Operating system(s): Windows

Reference #: 1257250

Modified date: 02 November 2015

Translate this page: