Security Bulletin: Vulnerability in Sametime Clients - Password can be found on the clear on client's memory (CVE-2013-0534)
Low-risk vulnerability in Sametime clients. If someone gains access to the Sametime user's machine, it is possible to scan the client's memory and find the user's password in the clear. The issue may be intermittent, and the password may be cleared from memory some time after login.
The fix provided here resolves the issue in most cases.
There are still a few cases where the password may remain in memory in the clear for a few seconds to minutes, depending on garbage collection.
These cases depend on open source code for which a complete fix covering all cases has been requested. If a complete fix to the underlying open source code is made available, IBM will provide an updated fix.
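As an added illustration of why the residual cases depend on garbage collection (this is not IBM's code and does not show Sametime client internals; it assumes a Java-based client, and the class and method names are hypothetical): an immutable String holding the password cannot be overwritten, so it stays on the heap until the collector reclaims it, whereas a char[] can be zeroed as soon as the authentication request has been built.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Hypothetical example: keeping a client password out of long-lived heap memory. */
public final class PasswordHandling {

    // Anti-pattern: a String is immutable, so nothing here can wipe it. The
    // password bytes remain readable in the heap until garbage collection runs,
    // which may be seconds to minutes later (the window the bulletin describes).
    static String leakyLogin(String password) {
        return "authenticated:" + password.length();
    }

    // Preferred: keep the secret in a mutable char[] and zero every copy in a
    // finally block, so the clear-text lifetime does not depend on the collector.
    static boolean login(char[] password) {
        ByteBuffer encoded = null;
        try {
            // Encode straight from the char[]; String.valueOf/getBytes would
            // create an immutable copy that could not be wiped.
            encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
            // ... send encoded.remaining() bytes to the server here (omitted) ...
            return encoded.remaining() > 0;
        } finally {
            if (encoded != null && encoded.hasArray()) {
                Arrays.fill(encoded.array(), (byte) 0);   // wipe the encoded copy
            }
            Arrays.fill(password, '\0');                  // wipe the caller's copy too
        }
    }

    public static void main(String[] args) {
        // Constructed sample value, not a real credential. In a real client the
        // characters would come from the password widget, not from a String literal.
        char[] pw = new char[] {'s', 'a', 'm', 'p', 'l', 'e'};
        boolean ok = login(pw);
        System.out.println("login ok=" + ok + ", wiped=" + (pw[0] == '\0'));
    }
}
```

Copies made by code you do not control (UI widgets, network or crypto libraries) are still released only on the collector's schedule, which is the residual case the bulletin attributes to the underlying open source code.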
CVSS Base Score: 1.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82656 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:N/A:N)
Sametime Connect client (stand-alone)
Embedded Sametime in the Lotus Notes client
On: Linux, Mac OS X, Windows
Versions: 8.5.1, 188.8.131.52, 184.108.40.206, 8.5.2, 220.127.116.11
The recommended solution is to apply the fix for each named product as soon as practical. Please see below for information on the fixes available.
Refer to the following technote for instructions on how to download the relevant fixes:
Fix available for potential security vulnerability in Sametime clients - Password can be found on the clear on client's memory
None known; apply fixes.
Complete CVSS Guide: http://www.first.org/cvss/v2/guide
On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/82656
The vulnerability was reported to IBM by Thaddeus Bogner.
<May 31 2013>: Original Copy Published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.