Security Bulletin: Potential Security Exposure in IBM Lotus Sametime Configuration Servlet (CVE-2011-1370)

Flash (Alert)


Abstract

Sametime configuration servlet may allow third party access to configuration data unless authentication is enabled.

Content

SUMMARY:


    Sametime configuration servlet may allow third party access to configuration data unless authentication is enabled.


VULNERABILITY DETAILS:
    CVE ID: CVE-2011-1370:

    DESCRIPTION: The Sametime server contains a configuration servlet that is accessed by several Sametime server processes. By default, this servlet does not require authentication, which could potentially allow an unauthorized user to obtain read access to configuration data. Administrators are advised to protect this servlet by configuring Sametime to require authentication to this servlet.

    CVSS:
    CVSS Base Score: 5.0
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/70923 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

AFFECTED PLATFORMS:
    All Sametime Platforms

REMEDIATION:
    It is recommended that all Sametime installations immediately secure this servlet by following the instructions below.
    Administrators should also take steps to update the passwords on all credentials that are stored within the Sametime configuration database.

Fix:
    Sametime Development currently plans to establish authentication as the default setting of this servlet in a future release.
Workaround(s):

The steps to secure these servlets are as follows:

    Known issues or limitations once authentication is enabled

    When upgrading community servers, you might get a warning that registration of the upgrade failed.
    Manual registration of Sametime Community Servers and Clusters with the Sametime System Console might not work.


Mitigation(s):

SSL can be enabled to further protect the data when it is actively being accessed by administration functions. If your Sametime Community Servers are accessible from the Internet, then this step is highly recommended.



REFERENCES:

· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database - IBM Lotus Sametime Configuration Servlet information disclosure
· CVE-2011-1370

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note:
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Rate this page:

(0 users)Average rating

Document information


More support for:

IBM Sametime
Security/SSL

Software version:

7.0, 7.5, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.1.1, 8.5.2

Operating system(s):

AIX, IBM i, Linux, Solaris, Windows, i5/OS

Reference #:

1569452

Modified date:

2011-10-27

Translate my page

Machine Translation

Content navigation