Security Bulletin: Vulnerability in Sametime Clients - Password can be found in the clear in the client's memory (CVE-2013-0534)

Flash (Alert)


Abstract

SUMMARY

Low risk vulnerability in Sametime clients. If someone gains access to the machine of a Sametime user, it is possible to scan the memory of the client process and find the user's password in the clear. The issue may be intermittent, and the password may be cleared from memory some time after login.

Content

VULNERABILITY DETAILS


    CVE-ID: CVE-2013-0534

    DESCRIPTION:

    Low risk vulnerability in Sametime clients. If someone gains access to the machine of a Sametime user, it is possible to scan the memory of the client process and find the user's password in the clear.

    The issue may be intermittent, and the password may be cleared from memory some time after login.

    The fix provided here resolves the issue in most cases.

    There are still a few cases where the password may remain in memory in the clear for a few seconds to minutes, depending on garbage collection.

    These cases depend on open source code for which a complete fix covering all cases has been requested. If a complete fix to the underlying open source code is made available, IBM will provide an updated fix.
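    The residual window described above is characteristic of a garbage-collected runtime: an immutable string holding the password cannot be overwritten, so it stays readable until the collector reclaims it. Sametime Connect is an Eclipse-based Java client, so the following added example (not IBM's code, and not the bulletin's fix) shows the vulnerable pattern beside the hardened one in Java; `authenticate` is a constructed stand-in for the client's login call.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public final class PasswordLifetime {

    // Constructed stand-in for the client's authentication call. It reads the
    // secret from the buffer but is written so it never converts it to a String.
    static boolean authenticate(ByteBuffer secret) {
        return secret.remaining() > 0;
    }

    // Vulnerable pattern. A String is immutable: nothing can overwrite its
    // characters, so the clear-text password stays in the heap until the garbage
    // collector happens to reclaim it. Every derived String (trim, concatenation,
    // a log line) is another copy with the same unbounded lifetime.
    static boolean vulnerableLogin(String password) {
        String trimmed = password.trim();
        return authenticate(ByteBuffer.wrap(trimmed.getBytes(StandardCharsets.UTF_8)));
    }

    // Hardened pattern. The password arrives as a mutable char[], is encoded into
    // a buffer this code owns, and both are zeroed as soon as authentication
    // returns, so the clear-text lifetime is bounded by code rather than GC timing.
    // Caveat: the encoder may allocate and discard intermediate buffers it does not
    // wipe; that is the kind of residual case the bulletin describes.
    static boolean hardenedLogin(char[] password) {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        try {
            return authenticate(encoded);
        } finally {
            Arrays.fill(password, '\0');
            if (encoded.hasArray()) {
                Arrays.fill(encoded.array(), (byte) 0);
            }
        }
    }

    public static void main(String[] args) {
        String s = "hunter2-constructed";             // constructed sample secret
        vulnerableLogin(s);
        System.out.println("String still intact after login: " + !s.isEmpty());

        char[] c = "hunter2-constructed".toCharArray();
        hardenedLogin(c);
        System.out.println("char[] zeroed after login: " + Arrays.equals(c, new char[c.length]));
    }
}
```

    A UI layer that only hands the password back as a String reintroduces an unwipeable copy before this code ever runs, which is why a complete fix can depend on components outside the application itself.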

    CVSS:

    CVSS Base Score: 1.2
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82656 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:N/A:N)


    AFFECTED PLATFORMS:

    Sametime Connect client (stand-alone)
    Embedded Sametime in the Lotus Notes client
    On: Linux, Mac OS X, Windows
    Versions: 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1


    REMEDIATION:

    The recommended solution is to apply the fix for each named product as soon as practical. Please see below for information on the fixes available.

    FIX:

    Refer to the following technote for instructions on how to download the relevant fixes:


    WORKAROUND:

    None known; apply fixes.

    MITIGATION:

    None known; apply fixes.


REFERENCES:

RELATED INFORMATION:

ACKNOWLEDGEMENT:
    The vulnerability was reported to IBM by Thaddeus Bogner.


CHANGE HISTORY:
    <May 31 2013>: Original Copy Published.

    *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

    Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related information

Fix available for potential security vulnerability in S


Document information

More support for: IBM Sametime
Software version: 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1
Operating system(s): Linux, Mac OS X, Windows
Reference #: 1635218
Modified date: 2013-06-27
