Security Bulletin: IBM Lotus Notes & Domino affected by vulnerabilities in IBM JRE (CVE-2012-4820, CVE-2012-4821, CVE-2012-4822, CVE-2012-4823)

Flash (Alert)


Abstract

IBM Lotus Notes and IBM Lotus Domino are affected by four vulnerabilities in the IBM Java SDK through which malicious agents, applets, or XPages applications can escalate privileges. The flaws are in the IBM Java SDK itself, not in Notes or Domino code.

Content

For information about the impact of this vulnerability on other affected IBM products, refer to this post on the IBM Product Security Incident Response Team (PSIRT) blog.


Vulnerability details
Affected products & versions
Remediation (fixes, mitigations)
Q&A
Additional information



VULNERABILITY DETAILS

CVE IDs: CVE-2012-4820, CVE-2012-4821, CVE-2012-4822, CVE-2012-4823

DESCRIPTION:
A number of vulnerabilities in the IBM Java SDK affect several of its components (ORB, XML and JMX). They allow code running under a Java security manager to escalate its privileges by modifying or removing the security manager. Some of the issues must be combined in sequence to achieve an exploit.

An attacker could persuade a user to run Java code from an untrusted, malicious source, resulting in privilege escalation. The attacker must convince the Notes user either to open an email containing a malicious applet or to click a malicious Notes:// URL which, in turn, runs a Java agent, applet or XPages application. The attack against the Domino server can be carried out only by an authenticated user with the rights to run LotusScript or Java agents on the server.


CVEID: CVE-2012-4820
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78764 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-4821
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78765 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-4822
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78766 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2012-4823
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78767 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Note that the fixes listed below also include the following Oracle critical patch updates:

AFFECTED PRODUCTS & VERSIONS

IBM Lotus Notes and Domino versions 8.0.x, 8.5.x through 8.5.3 Fix Pack 2.

REMEDIATION

Fixes:

This issue is being tracked as SPR KLYH8Z3Q37. See below for fix information.


Notes:

  8.5.3 Fix Pack 3
    Fix information: 8.5.3 Fix Pack 3 includes the new JVM.
    Target availability: 30 November 2012

  8.5.3x, 8.5.2x
    Fix information: For instructions to download and install the 8.5.x client JVM security patch, see technote #1617185.
    Target availability: 14 November 2012

  8.5.1x
    Fix information: For instructions to download and install the 8.5.x client JVM security patch, see technote #1617185.
    Target availability: 14 November 2012

  8.0.2x, 8.0.1x
    Fix information: Limited availability via Interim Fix starting 30 Nov 2012. To inquire about availability, open a service request with IBM Support and reference SPR KLYH8Z3Q37.
    Target availability: 30 November 2012


Domino:

  8.5.3 Fix Pack 3
    Fix information: 8.5.3 Fix Pack 3 includes the new JVM.
    Target availability: 30 November 2012

  8.5.3x, 8.5.2x
    Fix information: For instructions to download and install the server JVM security patch, see technote #1617197.
    Target availability: 14 November 2012

  8.5.1x
    Fix information: For instructions to download and install the server JVM security patch, see technote #1617197.
    Target availability: 21 November 2012

  8.0.2x, 8.0.1x
    Fix information: Limited availability via Interim Fix. To inquire about availability, open a service request with IBM Support and reference SPR KLYH8Z3Q37.
    Target availability: 30 November 2012



Mitigation(s):

IBM recommends that you install the fixes listed above. However, in lieu of installing them, the following mitigation options are offered to disable the code paths through which the attack may be transmitted. IMPORTANT: These mitigations will disable some functions in Notes, Domino and in other applications that make use of Java, Java applets, and JavaScript.

Notes Client

To disable Java applets and JavaScript in a Notes client, deselect (uncheck) the following three options in Preferences > Basic Notes Client Configuration:

  • Enable Java applets
  • Enable JavaScript
  • Enable Java access from JavaScript

Domino Servers

  • For XPages, add "iNotesDisableXPageCMD=1" to the Domino notes.ini and then restart the HTTP task. (This will disable XPages, Notes Widget Catalog, and Notes Traveler.)
  • Add "EnableJavaAgents=0" to the Domino notes.ini and then restart the Agent Manager task. (This disables all Java agents run on the server by Agent Manager).
  • Disable Java agents and applets by restricting rights via the "Sign or run restricted LotusScript/Java agents" field on the Security tab of the Server document.




Q&A

Are Lotus Notes Traveler and IBM Sametime at risk?
No. Neither Notes Traveler nor Sametime is vulnerable to this issue. For information about the impact of this vulnerability on other affected IBM products, refer to this post on the IBM Product Security Incident Response Team (PSIRT) blog.


Does turning off Java applets in Notes affect sideshelf widgets?
No. The preferences impact only the traditional NSF Java Applet functionality in Notes Basic, not the Notes Standard client's sideshelf widgets which use a different security model.


Is the risk confined to Notes:// URLs, so that HTTP/HTTPS are not affected?
HTTP and HTTPS are not affected. However, there are other ways to execute Java code outside of a Notes:// URL; an applet embedded in an email is one example.


If we set Notes Location documents to use only Microsoft Internet Explorer would this eliminate the risk?
No. The browser and HTTP protocol are unrelated to the vulnerability.


Would the risk be eliminated if we disable HTTP JVM via the "HttpDisableJVM=1" notes.ini parameter?
No. The JVM in context of HTTP is not impacted by this security vulnerability so that notes.ini parameter is not applicable.


Are only Notes:// URLs opening NSF files affected?
No. If you open a document or NSF that executes an applet, Java agent, or XPages Application containing malicious code, you can be affected.


If a Notes:// link is sent via the Notes embedded browser, is the client vulnerable?
Yes.

If a Notes:// link is sent via a standalone browser, is the client vulnerable?
Yes.

NOTE: If you click a Notes:// URL that executes code to exploit the vulnerability, the Notes client is affected. It does not matter how the Notes URL was delivered or where it was executed from.


Could a Notes:// link sent from outside the organization affect the server?
No.


Does order of install matter if you apply this patch as well as other fixes?
Yes, the order of install matters for certain releases. Notes releases 8.5.1, 8.5.2, 8.5.3, and 8.5.3 Fix Pack 2 install a JVM earlier than the one supplied by this patch, which is JVM SR12. If any of those releases is installed after the JVM SR12 update, you must reapply the patch.

For all other releases, the patch can be applied either before or after. Also, note that the upcoming 8.5.3 Fix Pack 3 release has SR12 so no patch is necessary for that release level.
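
The Domino mitigations above (EnableJavaAgents=0 and iNotesDisableXPageCMD=1 in notes.ini), the note that HttpDisableJVM=1 does not apply to this issue, and the SR12 install-order caveat in this answer all lend themselves to a quick audit. The Python below is an added example written for this bulletin, not IBM code: it parses a notes.ini, reports which of the named mitigations are actually in place, and reads the service-release number out of `java -version` output so the post-reinstall check can be repeated. The notes.ini contents and the version strings are constructed samples; the IBM version-string format (an "srNN" token in the build string) and case-insensitive handling of notes.ini keys are assumptions, not statements from the bulletin.

```python
"""Audit helpers for the notes.ini mitigations and the JVM SR12 check in
this bulletin.  Added example, not IBM code.

Assumptions (not stated on the page):
  * notes.ini is a flat KEY=VALUE file; the [Notes] header is skipped and
    keys are compared case-insensitively.
  * The IBM JVM's `java -version` build string carries the service release
    as an "srNN" token, e.g. "pwi3260sr12-20121025_01(SR12)".
"""
import re

# Constructed sample notes.ini.  Both server-side mitigations from the
# bulletin are set; HttpDisableJVM=1 is also present, which the Q&A says
# does NOT protect against these CVEs (the HTTP JVM is not the vector).
SAMPLE_NOTES_INI = """\
[Notes]
Directory=/local/notesdata
ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP
EnableJavaAgents=0
iNotesDisableXPageCMD=1
HttpDisableJVM=1
"""

# Constructed `java -version` output in the assumed IBM J9 format.
SAMPLE_VERSION_PATCHED = (
    'java version "1.6.0"\n'
    "Java(TM) SE Runtime Environment (build pwi3260sr12-20121025_01(SR12))\n"
    "IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows 7 x86-32 "
    "jvmwi3260sr12-20121024_126067 (JIT enabled, AOT enabled)\n"
)
SAMPLE_VERSION_OLD = (
    'java version "1.6.0"\n'
    "Java(TM) SE Runtime Environment (build pwi3260sr9-20110203_03(SR9))\n"
)


def parse_notes_ini(text):
    """Return {lowercased key: value}.  Blank lines, section headers such
    as [Notes] and lines without '=' are skipped; the first '=' splits."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def assess_domino_mitigations(settings):
    """Report the two Domino mitigations named in the bulletin.

    EnableJavaAgents=0 stops Agent Manager running Java agents;
    iNotesDisableXPageCMD=1 disables XPages (and, per the bulletin, the
    Widget Catalog and Traveler).  HttpDisableJVM=1 is reported separately
    because it is irrelevant to this issue and must not be counted."""
    java_agents_off = settings.get("enablejavaagents") == "0"
    xpages_off = settings.get("inotesdisablexpagecmd") == "1"
    return {
        "java_agents_disabled": java_agents_off,
        "xpages_disabled": xpages_off,
        "http_jvm_disabled_but_irrelevant": settings.get("httpdisablejvm") == "1",
        # The unpatched server is covered only when both vectors are closed.
        "all_mitigations_present": java_agents_off and xpages_off,
    }


_SR_TOKEN = re.compile(r"sr(\d+)", re.IGNORECASE)


def jvm_service_release(version_output):
    """Return the service-release number (12 for SR12) found in
    `java -version` text, or None when no sr token is present."""
    match = _SR_TOKEN.search(version_output)
    return int(match.group(1)) if match else None


def jvm_is_patched(version_output, required_sr=12):
    """True when the JVM reports SR12 or later.  Re-run this after any
    install of 8.5.1/8.5.2/8.5.3/8.5.3 FP2, which the Q&A says lays down
    an older JVM and silently undoes the patch."""
    release = jvm_service_release(version_output)
    return release is not None and release >= required_sr


if __name__ == "__main__":
    report = assess_domino_mitigations(parse_notes_ini(SAMPLE_NOTES_INI))
    for name, state in report.items():
        print(f"{name:34} {state}")
    print("patched JVM sample:", jvm_is_patched(SAMPLE_VERSION_PATCHED))
    print("old JVM sample:    ", jvm_is_patched(SAMPLE_VERSION_OLD))
```

Feed it the real notes.ini and the output of the Domino-bundled `java -version`: a server that is not yet on SR12 and does not report all_mitigations_present as True is exposed, and an SR below 12 on a previously patched host is the signature of the install-order problem described in this answer.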


Can the client and server JVM fixes be extracted and deployed using a third-party installer tool without stopping the client or server?
The server or client must be shut down during install as the files being replaced are in use. We recommend executing the installation packages IBM provides. The server installation package backs up the files in case the fix needs to be reverted. The client installation package deletes and moves files as part of the JVM SR12 update.


Does the client/server need to be restarted for the fix to become effective?
Yes. The client and server must be shut down during the JVM SR12 update.


Are there steps to roll back the patch if an issue is encountered after it's applied to the server or client?
The server patch can be run a second time to uninstall it. The client patch cannot be uninstalled that way, but reapplying 8.5.3 restores the JVM directory to its pre-patch level.


Will disabling the "Sign or run restricted LotusScript/Java agents" field impact users' ability to run Out of Office agents?
Out of Office agents will be disabled, but the Out of Office service introduced in 8.5 will not be impacted and will continue to run.


To remediate this vulnerability, would it be enough to either update or disable the settings in the Notes client or the Domino server, as advised? Or are the changes needed for both the client and the server?
Both. Updating the client will prevent the unauthenticated attack against Notes, while updating the server will prevent the insider attack against Domino.

ADDITIONAL INFORMATION

REFERENCES

RELATED INFORMATION
ACKNOWLEDGEMENT
The vulnerability was reported to IBM by Adam Gowdiak of Security Explorations.


CHANGE HISTORY
15 Nov 2012 - Q&A section added
14 Dec 2012 - Added links to PTFs for IBM i
02 Jan 2013 - Replaced KLYH8ZVMCM references with KLYH8ZVQ37
27 June 2014 - Removed links to PTFs for IBM i. Files not found on Fix Central

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related information

IBM Product Security Incident Response (PSIRT) blog
A simplified Chinese translation is available

Cross reference information
  Segment: Messaging Applications
  Product: IBM Domino
  Platform: AIX, AIX 64bit, IBM i, Linux, Linux iSeries, Linux zSeries, Solaris, Windows, Windows 64bit
  Version: 8.5, 8.0


Document information
  More support for: IBM Notes
  Software version: 8.0, 8.5
  Operating system(s): Linux, Windows
  Reference #: 1616652
  Modified date: 2012-12-14
