Security Bulletin: Security vulnerabilities addressed in IBM Domino & IBM Domino Designer 9.0 (CVE-2013-0487, CVE-2012-2161, CVE-2012-2159, CVE-2013-0486, CVE-2012-6277, CVE-2013-0488, CVE-2013-0489)

Flash (Alert)


Abstract

This security bulletin details the fixes and/or workarounds for seven vulnerabilities addressed in the 9.0 release of IBM Domino and IBM Domino Designer.

Content




VULNERABILITY DETAILS: IBM Domino Java Console Privilege Escalation

CVE ID: CVE-2013-0487

DESCRIPTION: It is possible for an attacker with explicit knowledge of Domino server configuration to compromise time-limited authentication credentials when accessing the Domino Java Console.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for this issue are:

  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

AFFECTED PLATFORMS:

IBM Domino 8.5.x (Java Console)

REMEDIATION:

Fix(es):

This issue is being tracked as SPR# KLYH8TNNDN and has been resolved in IBM Domino 9.0. Refer to the Notes & Domino Fix List to monitor availability of a fix for this issue in upcoming Fix Packs.

Workaround:

None

Mitigation(s):

Do not run untrusted scripts in the Domino Java Console.



VULNERABILITY DETAILS: IBM Eclipse Help Cross-Site Scripting

CVE ID: CVE-2012-2161

DESCRIPTION: Specially-crafted URLs can be sent to the Eclipse Help component of IBM Domino Designer to disclose the location of private resources (files).

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for this issue are:

  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None


AFFECTED PLATFORMS:

IBM Domino Designer Help 8.5.x

REMEDIATION:

Fix(es):

This issue has been resolved in Domino Designer 9.0.

Workaround:

None

Mitigation(s):

Do not serve up Domino Designer Help over HTTP.



VULNERABILITY DETAILS: IBM Eclipse Help Open Redirect

CVE ID: CVE-2012-2159

DESCRIPTION: A remote unauthenticated attacker could exploit a security vulnerability in IBM Eclipse Help system included in IBM Domino Designer to redirect to a specified URL.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for this issue are:

  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

AFFECTED PLATFORMS:

IBM Domino Designer 8.5.x

REMEDIATION:

Fix(es):

This issue has been resolved in Domino Designer 9.0.

Workaround:

None

Mitigation(s):

Do not serve up Domino Designer Help over HTTP.



VULNERABILITY DETAILS: IBM Domino HTTP Denial Of Service

CVE ID: CVE-2013-0486

DESCRIPTION: An attacker could exploit a very rare memory leak in IBM Domino HTTP server to crash the server.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for this issue are:

  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Complete
  • Availability Impact: Partial


AFFECTED PLATFORMS:

IBM Domino 8.5.x

REMEDIATION:

Fix(es):

This issue is being tracked as SPR# KLYH92NKZY and has been resolved in IBM Domino 9.0. A fix is planned for an upcoming 8.5.3 Fix Pack. Refer to the Notes & Domino Fix List to monitor availability of upcoming Fix Packs.

Workaround:

None

Mitigation(s):

None



VULNERABILITY DETAILS: Autonomy KeyView File Parser Vulnerability

CVE IDs: CVE-2012-6277

DESCRIPTION: A remote attacker could supply malicious files to execute arbitrary code on an affected system.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for this issue are:

  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

AFFECTED PLATFORMS:

IBM Domino 8.5.x

REMEDIATION:

Fix(es):

This issue is being tracked as SPR# YBJG8WH5JP and has been resolved in Domino 9.0. A fix is also planned for an upcoming 8.5.3 Fix Pack. Refer to the Notes & Domino Fix List to monitor availability of upcoming Fix Packs.

Workaround:

None

Mitigation(s):

None





VULNERABILITY DETAILS: IBM Domino Web Administrator Client Cross-Site Scripting

CVE IDs: CVE-2013-0488

DESCRIPTION: The IBM Domino Web Administrator client (webadmin.nsf) is vulnerable to cross-site scripting attacks caused by improper validation of user-supplied input.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for this issue are:

  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

AFFECTED PLATFORMS:

IBM Domino 8.5.x

REMEDIATION:

Fix(es):

At this time, IBM has no plans to address this cross-site scripting attack since the Domino Web Administrator client is under consideration for feature deprecation and end of life.

Workaround:

Use the full Domino Administrator client instead of the Domino Web Administrator client.

Mitigation(s):

To reduce the probability of successful cross-site scripting attacks against the Domino Web Administrator client, IBM recommends that Web administrators:

  • Use the Domino Web Administrator client for Domino administrative tasks only and do not use it for email or Web surfing. Instead, administrators should use another browser window for email and/or Web surfing.
  • Do not click untrusted links.



VULNERABILITY DETAILS: IBM Domino Web Administrator Client Cross-Site Request Forgery

CVE IDs: CVE-2013-0489

DESCRIPTION: The IBM Domino Web Administrator Client (webadmin.nsf) is vulnerable to cross-site request forgery attacks caused by improper validation of user-supplied input.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for this issue are:

  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

AFFECTED PLATFORMS:

IBM Domino 8.5.x

REMEDIATION:

Fix(es):

At this time, IBM has no plans to address this cross-site request forgery attack since the IBM Domino Web Administrator client is under consideration for feature deprecation and end of life.

Workaround:

Use the full IBM Domino Administrator client instead of the Domino Web Administrator client.

Mitigation(s):

To reduce the probability of successful cross-site scripting attacks against the Domino Web Administrator client, IBM recommends that Web administrators:

  • Use the Domino Web Administrator client for Domino administrative tasks only and do not use it for email or Web surfing. Instead, administrators should use another browser window for email and/or Web surfing.
  • Do not click untrusted links.



References:


Change History:

21 March 2013 Initial Publication


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note:
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
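The bulletin lists CVSS v2 base metrics but no scores. As an added worked example (not part of the IBM bulletin), the following Python applies the published CVSS v2 base equation to metric vectors transcribed from the lists above, so an administrator can rank the seven issues for patch prioritisation; the vector strings and the `score_bulletin` helper are constructed here.

```python
# CVSS v2 base-metric weights, as published in the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},     # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},      # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},     # Authentication
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},     # Confidentiality Impact
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},     # Integrity Impact
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},     # Availability Impact
}

def parse_vector(vector):
    # Turn 'AV:N/AC:M/Au:S/C:C/I:C/A:C' into {metric: weight}, rejecting
    # unknown metrics or values and vectors that omit a base metric.
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"bad metric {part!r}")
        metrics[name] = WEIGHTS[name][value]
    missing = set(WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return metrics

def round1(x):
    # Round half up to one decimal place (values are non-negative here).
    return int(x * 10 + 0.5) / 10

def cvss2_base_score(vector):
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

# Vectors transcribed from the metric lists in this bulletin (constructed here).
BULLETIN_VECTORS = {
    "CVE-2013-0487": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
    "CVE-2012-2161": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "CVE-2012-2159": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "CVE-2013-0486": "AV:N/AC:M/Au:N/C:N/I:C/A:P",
    "CVE-2012-6277": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
    "CVE-2013-0488": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "CVE-2013-0489": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
}

def score_bulletin():
    # Base score per CVE; the Environmental score (see the note above) is not modelled.
    return {cve: cvss2_base_score(v) for cve, v in BULLETIN_VECTORS.items()}
```

The KeyView parser issue (CVE-2012-6277) scores highest at 9.3, and the Web Administrator CSRF (CVE-2013-0489) lowest at 3.5.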


Related information

Security vulnerabilities addressed in Notes 9.0
Security vulnerabilities addressed in iNotes 9.0

Cross reference information
Segment: Messaging Applications
Product: IBM Domino Designer
Version: 8.5.3, 8.5.2, 8.5.1, 8.5


Document information


More support for:

IBM Domino

Software version:

8.5, 8.5.1, 8.5.2, 8.5.3

Operating system(s):

AIX, AIX 64bit, IBM i, Linux, Linux iSeries, Linux zSeries, Solaris, Windows, Windows 64bit, i5/OS, z/OS

Reference #:

1627597

Modified date:

2013-03-21
