Fix available for potential security vulnerability in IBM Sametime

A fix is available that removes the vulnerability for both the rich client and the web client. SPR# KBIM8T2KWR has been created to report this issue; see also "Security Bulletin: Sametime Client Vulnerability". If you have questions about downloading and applying this fix, you are invited to make use of the IBM Sametime forum to post questions and share tips.
Contents:

• Affected client types
• Fix download links
• Installation instructions

---

Affected client types

---

This potential vulnerability affects the following Sametime clients:

• Sametime Connect client (stand-alone)
• Embedded Sametime in the Lotus Notes client
• Sametime Web client (uses the Sametime Proxy server)
• The above clients using Sametime Gateway connecting to another Sametime Gateway

For specific versions affected, refer to the fix tables below.

The following client types are not affected by this issue:

• Sametime Mobile clients
• STLinks integration
• Sametime version 8.0.1, 8.0.0 or 7.5.1 of all rich clients (Notes embedded and stand-alone)
• Embedded Sametime in Notes 8.5.3 FP2 client
• Notes Basic clients
• Proxy 8.5 SDK clients
• Clients using Sametime Gateway connecting to a third-party IM gateway

You can use the following technote to identify what embedded version is in use in your Notes environment: "What Sametime client versions are embedded in what Notes client versions?" (1370003).

---

Fix download links

---

The fix for this security vulnerability is posted to IBM Fix Central. Refer to the tables below for direct links to the fix by client type and version.

For Sametime Connect client (stand-alone)

Sametime version (shipped in the box)	Fix delivery vehicle
8.0.2	8.0.2.0-ST-Client-FP-CDLL-8WG5UB
8.5.1, 8.5.1.1	8.5.1.0-ST-Client-FP-CDLL-8WG6NE
8.5.2, 8.5.2.1	8.5.2.1-ST-Client-FP-CDLL-8WWKB2

For embedded Sametime in Notes (Shipped in the box)

Client	Sametime version (shipped in the box)	Fix delivery vehicle
Notes 8.5.1	8.0.2	Notes_851FP5IF3_Standard_W32
Notes 8.5.2	8.0.2	Notes_852FP4IF2_Standard_W32
Notes 8.5.3	8.5.1	8.5.3 Fix Pack 2 Incremental Installers

For embedded Sametime in Notes, updated by use of the add-on installer (Not shipped in the box)

Client	Sametime version (shipped in the box)	Add-on installer	Fix delivery vehicle
Notes 8.5.1	8.0.2	Sametime 8.5.1, 8.5.1.1	8.5.1.0-ST-Client-FP-CDLL-8WG6NE
Notes 8.5.2	8.0.2	Sametime 8.5.1, 8.5.1.1 Sametime 8.5.2, 8.5.2.1	8.5.1.0-ST-Client-FP-CDLL-8WG6NE 8.5.2.1-ST-Client-FP-CDLL-8WWKB2
Notes 8.5.3	8.5.1	Sametime 8.5.2, 8.5.2.1	8.5.2.1-ST-Client-FP-CDLL-8WWKB2

For Sametime Proxy Server and Web client

Sametime Proxy Server version	Fix delivery vehicle
8.5	8500-ST-Proxy-IF-OOSN-8VHFH6
8.5.1.1	8511-ST-Proxy-IF-OOSN-8VHF6R
8.5.2.1	8521-ST-Proxy-IF-OOSN-8WGM37

For Sametime Gateway to Sametime Gateway connections

To address the vulnerability for Sametime Gateway to Sametime Gateway connections, you apply the fix for the clients that are accessing the Sametime Gateway.

---

Installation instructions

---

The steps to apply the fix vary by client type and version, as follows:

• Sametime Connect 8.0.2
• Sametime Connect 8.5.1 and embedded Sametime 8.5.1
• Sametime Connect 8.5.2 and embedded Sametime 8.5.2
• Lotus Notes 8.5.1, 8.5.2 and 8.5.3
• Sametime Proxy Server 8.5
• Sametime Proxy Server 8.5.1.1
• Sametime Proxy Server 8.5.2 IFR 1

---

Sametime Connect 8.0.2

Use the following steps to update a single Sametime Connect 8.0.2 client:

1. Unzip "sametime.patches.update.site.20120504.0400.zip" to a local directory.
2. Launch the Sametime Connect client and log in.
3. Select Tools -> Plug-ins > Install Plugins...
4. In the update manager wizard, select "Search for new features to install", then click Next.
5. Select "Add Folder Location...". Navigate to the "updateSite" directory underneath the location where "sametime.patches.update.site.20120504.0400.zip" was unzipped.
6. Click OK to accept the site, and then click Finish to proceed.
7. In the "Select Features to Install" box, check all feature patches.
8. Click Next, complete the license page, and click Finish.
9. Select "Install" on the next page.
10. After the feature is installed, you should be prompted to restart. Select OK.

For deployment to multiple clients, refer to following document about setting up automatic updates: Adding optional features to the client after install

---

Sametime Connect 8.5.1 and embedded Sametime 8.5.1

The Sametime Connect 8.5.1 cumulative fix package is available in the form of install packages for Windows (windows.zip), Mac (macosx.zip), and Linux (linux.zip).

The following table outlines the install packages by operating system and client type:

Operating system	Client type	Package name	Description
Windows	Sametime Connect 8.5.1 stand-alone	sametime.hotfix.win32.no.oi_20120414-1745.exe	Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.1 without OI (Office Integration) features
		sametime.hotfix.win32_20120414-1745.exe	Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.1 with OI (Office Integration) features
	embedded Sametime in Notes 8.5.1 Fix Pack 2 or later	sametime.embedded.addon.win32_20120414-1745.exe	Windows self-extracting executable containing MSI install files to fix embedded Sametime in Notes 8.5.1 Fix Pack 2 or later
Mac OSX	Sametime Connect 8.5.1 stand-alone	sametime.hotfix.macosx_20120414-1745.tar	Single TAR compressed file containing the Mac PKG install package to fix stand-alone Sametime Connect
	embedded Sametime in Notes 8.5.1 Fix Pack 2 or later	sametime.embedded.addon.macosx_20120414-1745.tar	Single TAR compressed file containing the Mac PKG install package to fix embedded Sametime in Notes 8.5.1 Fix Pack 2 or later
Linux	Sametime Connect 8.5.1 stand-alone	sametime-hotfix-8.5.1-20120414.2015.i586.rpm	Linux RPM install package to fix stand-alone Sametime Connect
		sametime-hotfix-8.5.1-20120414.2015.i386.deb	Linux Debian install package to fix stand-alone Sametime Connect
	embedded Sametime in Notes 8.5.1 Fix Pack 2 or later	sametime-connect-embedded-8.5.1-20120414.2015.i586.rpm sametime-connect-embedded-core-8.5.1-20120414.2015.i586.rpm	Two Linux RPM install packages to fix embedded Sametime in Notes 8.5.1 Fix Pack 2 or later
		sametime-connect-embedded-8.5.1-20120414.2015.i386.deb sametime-connect-embedded-core-8.5.1-20120414.2015.i386.deb	Linux Debian install packages to fix embedded Sametime in Notes 8.5.1 Fix Pack 2 or later

Windows install steps

A Windows user can manually install this update by executing the sametime.hotfix.win32.no.oi_20120414-1745.exe file.
1. Close the Sametime client if it is running
2. Launch the fix install executable: sametime.hotfix.win32.no.oi_20120414-1745.exe
3. When the Language dialog appears, select the language and click Next
4. The install wizard appears. Click Next to start, read the license agreement, and click Accept if you choose to accept it
5. Click Install to begin the installation
6. When the install completes, click Finish

For Notes 8.5.1 Fix Pack 2 or later client, run the sametime.embedded.addon.win32_20120414-1745.exe file. The dialog and steps are similar to those above.

--------------------
Mac OSX install steps

Both the stand-alone and embedded form of the fix for the Mac OSX platform are provided as compressed TAR files consisting of standard PKG files. Uncompress the TAR files to a folder, and you will see the standard PKG set of files.

Refer to the Apple installer Manual page for options and parameters that can be used:
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man8/installer.8.html

--------------------
Linux install steps

Both the stand-alone and embedded form of the fix for the Linux platform are provided as Linux RPM and Debian DEB packages. Refer to the standard documentation of installing and managing RPM or DEB packages on Linux.

---

Sametime Connect 8.5.2 and embedded Sametime 8.5.2

The Sametime Connect 8.5.2 cumulative fix package is available in the form of install packages for Windows (windows.zip), Mac (macosx.zip), and Linux (linux.zip).

The following table outlines the install packages by operating system and client type:

Operating system	Client type	Package name	Description
Windows	Sametime Connect 8.5.2 stand-alone	sametime.hotfix.win32.no.oi_20120803-1300.exe	Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.2 without OI (Office Integration) features
		sametime.hotfix.win32_20120803-1300.exe	Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.2 with OI (Office Integration) features
	embedded Sametime in Notes 8.5.2	sametime.embedded.addon.win32_20120803-1300.exe	Windows self-extracting executable containing MSI install files to fix embedded Sametime in Notes 8.5.2
Mac OSX	Sametime Connect 8.5.2 stand-alone	sametime.hotfix.macosx_20120803-1300.tar	Single TAR compressed file containing the Mac PKG install package to fix stand-alone Sametime Connect
	embedded Sametime in Notes 8.5.2 or later	sametime.embedded.addon.macosx_20120803-1300.tar	Single TAR compressed file containing the Mac PKG install package to fix embedded Sametime in Notes 8.5.2 or later
Linux	Sametime Connect 8.5.2 stand-alone	sametime-hotfix-8.5.2-20120803.1615.i586.rpm	Linux RPM install package to fix stand-alone Sametime Connect
		sametime-hotfix-8.5.2-20120803.1615.i386.deb	Linux Debian install package to fix stand-alone Sametime Connect
	embedded Sametime in Notes 8.5.2 or later	sametime-connect-embedded-8.5.2-20120803.1615.i586.rpm sametime-connect-embedded-core-8.5.2-20120803.1615.i586.rpm	Two Linux RPM install packages to fix embedded Sametime in Notes 8.5.2 or later
		sametime-connect-embedded-8.5.2-20120803.1615.i386.deb sametime-connect-embedded-core-8.5.2-20120803.1615.i386.deb	Linux Debian install packages to fix embedded Sametime in Notes 8.5.2 or later

Windows install steps

A Windows user can manually install this update by executing the sametime.hotfix.win32.no.oi_20120803-1300.exe file.
1. Close the Sametime client if it is running
2. Launch the fix install executable: sametime.hotfix.win32.no.oi_20120803-1300.exe
3. When the Language dialog appears, select the language and click Next
4. The install wizard appears. Click Next to start, read the license agreement, and click Accept if you choose to accept it
5. Click Install to begin the installation
6. When the install completes, click Finish

For Notes 8.5.2 or later client, run the sametime.embedded.addon.win32_20120803-1300.exe file. The dialog and steps are similar to those above.

--------------------
Mac OSX install steps

Both the stand-alone and embedded form of the fix for the Mac OSX platform are provided as compressed TAR files consisting of standard PKG files. Uncompress the TAR files to a folder, and you will see the standard PKG set of files.

Refer to the Apple installer Manual page for options and parameters that can be used:
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man8/installer.8.html

--------------------
Linux install steps

Both the stand-alone and embedded form of the fix for the Linux platform are provided as Linux RPM and Debian DEB packages. Refer to the standard documentation of installing and managing RPM or DEB packages on Linux.

---

Notes 8.5.1, 8.5.2 and 8.5.3

Shut down the Notes client, and double-click the executable fix file. Fixes for Windows only are posted to IBM Fix Central. If you need the fix for Mac or Linux platforms, open a service request with IBM Support.

---

Sametime Proxy Server 8.5

1. Download the fix 8500-ST-Proxy-IF-OOSN-8VHFH6 from IBM Fix Central
2. Stop the STProxy Server
3. Create a backup of /IBM/WebSphere/AppServer/profiles/<STProxyProfile>/optionalLibraries/stproxy/stproxyservices.jar
4. Copy stproxyservices.jar to /IBM/WebSphere/AppServer/profiles/<STProxyProfile>/optionalLibraries/stproxy
5. Restart the STProxyServer

---

Sametime Proxy Server 8.5.1.1

Download the fix 8511-ST-Proxy-IF-OOSN-8VHF6R from IBM Fix Central.

• STProxyHotfix.zip contains the update to be applied.
• Instructions are provided in the readme.txt included in the fix package.
• The STProxy Server needs to be stopped prior to the update being applied.

---

Sametime Proxy Server 8.5.2 IFR1

Prerequisite: The Sametime System Console must be at version 8.5.2 IFR 1. If not, then you will see a failure message during the fix install noting an incorrect version level. Refer to Installing Sametime 8.5.2 Interim Feature Release 1 on the Sametime System Console to get started.

This fix must be installed on top of a Sametime Proxy Server 8.5.2 Interim Feature Release 1 (IFR 1). If the server is running 8.5.2 (without the IFR 1 fix), then the IFR 1 fix will be automatically installed.

To install this fix on a Sametime Proxy Server node, follow these steps:

1. Download the fix 8521-ST-Proxy-IF-OOSN-8WGM37 from IBM Fix Central

2. Shut down the Sametime Proxy Server

3. Copy the file you downloaded onto the Sametime Proxy Server

4. Unzip the file on the server file system

5. Apply the fix by running the appropriate update command:

• If running on the Microsoft Windows operating system, run the update.bat batch file
• If running on the AIX, Linux or Solaris operating systems, run the update.sh script
• If running on IBM i, run the IBMi\stii_sp\install_stp.sh script

6. Follow the instructions on screen until the installation completes

If you are running a multi-node (cluster) configuration, then repeat these instructions on each node.