The default permissions for the IBM Sametime database STLOG.NSF allows anonymous / unauthenticated users to access potentially sensitive information.
Vulnerability Type: Information disclosure
CVE ID: CVE-2012-3331
By default, anonymous / unauthenticated users can access the Sametime Log database (STLOG.NSF).
This database provides a variety of potentially sensitive information including canonical usernames, and client IP addresses.
For example, from the page http://220.127.116.11/stlog.nsf (sample URL), select the link Community Server Login and Logout Events by User.
Steps to Reproduce Vulnerability: http://18.104.22.168/stlog.nsf (sample URL)
Note that access to the server where the Sametime servers are running should be possible only from within the organization. In addition these servers should not be made HTTP accessible to any machine in the organization.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78048 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash document.
All current Sametime servers that use STLOG.NSF for logging.
The current recommended solution is to apply the simple workaround that is described below in this document.
A fix will be provided in the next Sametime release. However, a simple workaround is described below in this document that can be implemented in order to solve this issue.
The following is a simple workaround for the issue:
1. Open the IBM Domino Administrator
2. Select Sametime Log (STLOG.NSF)
3. Select Manage ACL.
4. Change the ACL of –Default- from Reader to No Access.
5. Click OK.
6. Restart the Sametime server.
Now it is not possible to access STLOG.NSF via HTTP without credentials.
Apply the workaround that is described above.
Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
Online Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/78048
The vulnerability was reported to IBM by David Taylor from Asterisk Information Security.
First version: October 15, 2012.
Fixed links: May 28, 2014.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS