Security Bulletin: IBM Sametime log file information disclosure (CVE-2012-3331)

Flash (Alert)


Abstract

The default permissions for the IBM Sametime database STLOG.NSF allow anonymous / unauthenticated users to access potentially sensitive information.
Vulnerability Type: Information disclosure

Content

CVE ID: CVE-2012-3331
DESCRIPTION:
By default, anonymous / unauthenticated users can access the Sametime Log database (STLOG.NSF).

This database provides a variety of potentially sensitive information including canonical usernames, and client IP addresses.

For example, from the page http://1.2.3.4/stlog.nsf (sample URL), select the link Community Server Login and Logout Events by User.

Steps to Reproduce Vulnerability: http://1.2.3.4/stlog.nsf (sample URL)

Note that access to the server where the Sametime servers are running should be possible only from within the organization. In addition, these servers should not be made HTTP accessible to any machine in the organization.

CVSS:

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78048 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash document.

AFFECTED PLATFORMS:

All current Sametime servers that use STLOG.NSF for logging.

REMEDIATION:

The current recommended solution is to apply the simple workaround that is described below in this document.

FIX:

A fix will be provided in the next Sametime release. However, a simple workaround is described below in this document that can be implemented in order to solve this issue.

WORKAROUND:

The following is a simple workaround for the issue:

1. Open the IBM Domino Administrator.
2. Select Sametime Log (STLOG.NSF).
3. Select Manage ACL.
4. Change the ACL of -Default- from Reader to No Access.
5. Click OK.
6. Restart the Sametime server.

Now it is not possible to access STLOG.NSF via HTTP without credentials.
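A small check, added here as an example and not part of the IBM bulletin, that an administrator can run after the workaround to confirm STLOG.NSF no longer answers anonymous HTTP requests. It assumes (not stated in the bulletin) that Domino answers a denied anonymous request with HTTP 401 when basic authentication is in use, or with a redirect to a login page (Location containing "login") when session authentication is in use, and that an anonymous Reader receives HTTP 200; the host 1.2.3.4 is the bulletin's sample URL.

```python
"""Verify that /stlog.nsf rejects unauthenticated HTTP access.

Added verification example; not IBM code. Assumptions (not from the
bulletin): denied anonymous access yields 401/403 (basic auth) or a
redirect to a login page (session auth); an anonymous Reader gets 200.
"""
import sys
import urllib.error
import urllib.request

# Hypothetical marker: Domino session-auth login redirects carry "login"
# in the Location header (assumption, adjust for your configuration).
LOGIN_MARKER = "login"


def classify(status: int, location: str = "") -> str:
    """Map the HTTP answer for /stlog.nsf to a finding."""
    if status in (401, 403):
        return "blocked"          # -Default- is No Access: challenge issued
    if 300 <= status < 400 and LOGIN_MARKER in location.lower():
        return "blocked"          # session-auth login redirect
    if status == 200:
        return "exposed"          # anonymous can still read the database
    return "unknown"              # anything else needs a manual look


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None               # urllib then raises HTTPError for the 3xx


def check_stlog(base_url: str, timeout: float = 10.0) -> str:
    """Request <base_url>/stlog.nsf without credentials and classify it."""
    url = base_url.rstrip("/") + "/stlog.nsf"
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "stlog-acl-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location", ""))
    except urllib.error.HTTPError as err:
        location = err.headers.get("Location", "") if err.headers else ""
        return classify(err.code, location)


if __name__ == "__main__":
    # Sample host from the bulletin; pass your Sametime server URL instead.
    print(check_stlog(sys.argv[1] if len(sys.argv) > 1 else "http://1.2.3.4"))
```

Run it from inside the organization's network before and after changing the ACL; "exposed" before and "blocked" after confirms the workaround took effect once the server was restarted.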

MITIGATION:
Apply the workaround that is described above.

REFERENCES:

Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
Online Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/78048
CVE-2012-3331: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3331

ACKNOWLEDGEMENT:

The vulnerability was reported to IBM by David Taylor from Asterisk Information Security.

CHANGE HISTORY:
First version: October 15, 2012.
Fixed links: May 28, 2014.



Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS


Document information

More support for: IBM Sametime Community Server
Software version: 6.5.1, 7.0, 7.5, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1
Operating system(s): Linux, Solaris, Windows
Software edition: Advanced, Entry, Standard
Reference #: 1613895
Modified date: 2012-10-19
