Security Bulletin: IBM Notes accepts Java applet and JavaScript tags inside HTML emails (CVE-2013-0127, CVE-2013-0538)

Flash (Alert)


Abstract

The IBM Notes mail client accepts Java applet tags and JavaScript tags inside HTML emails,
making it possible to load Java applets and scripts from a remote location.

Content


CVE IDs: CVE-2013-0127, CVE-2013-0538

DESCRIPTION:

The IBM Notes mail client accepts Java applet tags and JavaScript tags inside HTML emails,
making it possible to load Java applets and scripts from a remote location.
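The following is an added triage example, not IBM's code or part of this bulletin. It scans a decoded HTML message body for the two tag types the bulletin names (applet and script) and records the attributes that would pull their content from a remote location, so a mail gateway or an analyst can flag such messages before a vulnerable Notes client renders them. The sample message and hostnames are constructed for the example.

```python
"""Flag HTML email bodies that carry Java applet or script tags.

Added example for a mail-gateway or triage check, not IBM's code. It assumes
the message body has already been decoded to an HTML string, and it only looks
at the tag names the bulletin mentions (applet, script), reporting the
attributes that point at a remote location (src, code, codebase, archive).
"""
from html.parser import HTMLParser


class ActiveContentFinder(HTMLParser):
    """Collect <applet> and <script> tags together with their load-from attributes."""

    REMOTE_ATTRS = ("src", "code", "codebase", "archive")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag names; attribute names are lowercased here.
        if tag not in ("applet", "script"):
            return
        attr_map = {name.lower(): (value or "") for name, value in attrs}
        sources = {k: attr_map[k] for k in self.REMOTE_ATTRS if k in attr_map}
        self.findings.append({"tag": tag, "sources": sources})


def find_active_content(html):
    """Return a list of {'tag': ..., 'sources': {...}} for each applet/script tag found."""
    parser = ActiveContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_suspicious(html):
    """True when the body contains any applet or script tag at all."""
    return bool(find_active_content(html))


# Constructed sample HTML email body (not a real message); the hostnames use the
# reserved .invalid TLD and are placeholders.
SAMPLE_EMAIL = """<html><body>
<p>Quarterly report attached.</p>
<APPLET code="Report.class" codebase="http://remote.invalid/applets/" width="1" height="1"></APPLET>
<script src="http://remote.invalid/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_active_content(SAMPLE_EMAIL):
        print(finding["tag"], finding["sources"])
```

A plain-text-only message or one with no applet/script tags yields an empty list; inline event-handler attributes are deliberately out of scope here because the bulletin does not describe them.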


CVE ID: CVE-2013-0127
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83775 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-0538
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83270 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PLATFORMS:
IBM Notes 8.0.x, 8.5.x, 9.0

REMEDIATION:

Fix:

These issues are tracked as SPRs JMOY95BLM6 and JMOY95BN49. The fix is included in Interim Fix 1 for Notes 8.5.3 Fix Pack 4* and Interim Fix 1 for Notes 9.0*.

    *NOTE: The Windows versions of Interim Fix 1 are currently available for download from Fix Central, and a Mac version is forthcoming. This technote (and the Interim Fix technotes linked above) will be updated once the Mac version is available for download.

For Linux, clients are encouraged to monitor fix availability in 8.5.3 Fix Pack 5 and 9.0.1. To inquire about the possibility of obtaining a fix sooner, open a service request with IBM Support.


Workaround:
To work around these issues, apply one of the two options described below:

Option 1: In Notes Basic Preferences, deselect the following three preferences:
  • Enable Java applets
  • Enable Java access from JavaScript
  • Enable JavaScript

- or -

Option 2: In the notes.ini file, set the following variables:
  • EnableJavaApplets=0
  • EnableLiveConnect=0
  • EnableJavaScript=0


NOTE: In addition to protecting the system from the vulnerabilities, disabling these preferences or .ini variables will also disable JavaScript and Java applets everywhere these constructs are encountered in the Notes client. Designers sometimes use JavaScript and Java applets when building custom applications/templates. With the workaround utilized, these applets will not work.
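The following is an added example, not IBM's code, that checks a notes.ini file for the three variables in Option 2 and produces a hardened copy with each of them set to 0. It assumes notes.ini is a plain text file of KEY=VALUE lines and that key lookup is case-insensitive; the sample file contents are constructed for the example.

```python
"""Audit and harden a Notes client's notes.ini against the workaround in this bulletin.

Added example, not IBM's own code. Assumes notes.ini is a plain text file of
KEY=VALUE lines and that variable names are matched case-insensitively (an
assumption about how the client reads the file).
"""

# The three variables named in Option 2 of the workaround, with the value that
# disables the corresponding feature.
REQUIRED_SETTINGS = {
    "EnableJavaApplets": "0",
    "EnableLiveConnect": "0",
    "EnableJavaScript": "0",
}


def parse_notes_ini(text):
    """Return an ordered list of (key, value) pairs from notes.ini text.

    Lines without '=' (blank lines, the [Notes] section header) are kept as
    (None, line) so the file can be rewritten without losing them."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip()))
        else:
            entries.append((None, raw))
    return entries


def audit_notes_ini(text):
    """Map each required variable to 'ok', 'missing' or 'enabled=<value>'."""
    settings = {k.lower(): v for k, v in parse_notes_ini(text) if k is not None}
    result = {}
    for key, wanted in REQUIRED_SETTINGS.items():
        found = settings.get(key.lower())
        if found is None:
            result[key] = "missing"
        elif found == wanted:
            result[key] = "ok"
        else:
            result[key] = "enabled=" + found
    return result


def harden_notes_ini(text):
    """Return notes.ini text with the three variables forced to 0.

    Existing lines are rewritten in place; absent variables are appended."""
    seen = set()
    out = []
    for key, value in parse_notes_ini(text):
        if key is None:
            out.append(value)
            continue
        match = next((k for k in REQUIRED_SETTINGS if k.lower() == key.lower()), None)
        if match is not None:
            out.append(f"{match}={REQUIRED_SETTINGS[match]}")
            seen.add(match)
        else:
            out.append(f"{key}={value}")
    for key, wanted in REQUIRED_SETTINGS.items():
        if key not in seen:
            out.append(f"{key}={wanted}")
    return "\n".join(out) + "\n"


# Constructed sample notes.ini fragment (not taken from a real client): applets
# explicitly enabled, EnableLiveConnect absent, JavaScript already disabled.
SAMPLE_INI = """[Notes]
Directory=C:\\Notes\\Data
EnableJavaApplets=1
EnableJavaScript=0
"""

if __name__ == "__main__":
    for key, state in audit_notes_ini(SAMPLE_INI).items():
        print(f"{key}: {state}")
    print(harden_notes_ini(SAMPLE_INI))
```

Running the audit on a fleet's notes.ini files before and after the change gives a simple way to confirm the workaround is actually in place; the caveat in the NOTE above still applies, since the hardened file disables JavaScript and applets for every Notes application, not only for mail.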

Mitigation:
None




REFERENCES:
Complete CVSS Guide
On-line Calculator V2
CVE-2013-0127
CVE-2013-0538
http://xforce.iss.net/xforce/xfdb/83775
http://xforce.iss.net/xforce/xfdb/83270


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


ACKNOWLEDGEMENT
These vulnerabilities were reported to IBM by Alexander Klink of n.runs AG.



Document information


More support for:

IBM Notes

Software version:

8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.2, 8.5.3, 9.0

Operating system(s):

Linux, Mac OS, Windows

Reference #:

1633819

Modified date:

2013-05-02
