Security Bulletin: IBM Notes may fail to zero the plain text password within memory (CVE-2013-0534)

Flash (Alert)


Abstract

In some scenarios, IBM Notes may fail to zero a plain text password within memory, leaving the plain text password accessible to an attacker with the ability to access memory on the user's local workstation.

Content

CVE IDs: CVE-2013-0534

DESCRIPTION:
In some scenarios, IBM Notes may fail to zero the plaintext password within memory, leaving the plaintext password accessible to an attacker with the ability to access memory on the user's local workstation.
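The bulletin does not describe the faulty code path. As a general illustration of this bug class (an added example, not IBM's code or fix), the C sketch below wipes a password scratch buffer on every exit path, using a wipe the compiler cannot discard as a dead store. The names `check_password`, `secure_wipe`, `toy_digest` and `has_residue` are hypothetical, and the digest is a constructed stand-in for real credential handling.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Calling memset through a volatile function pointer forces the compiler to
   emit the call, so the wipe is not removed as a dead store. */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;
static void secure_wipe(void *p, size_t n) { wipe_fn(p, 0, n); }

/* Constructed stand-in for real work on the secret (not a real KDF). */
static unsigned long toy_digest(const char *s, size_t n) {
    unsigned long h = 5381;
    for (size_t i = 0; i < n; i++) h = h * 33 + (unsigned char)s[i];
    return h;
}

/* Copies the password into caller-provided scratch, uses it, and wipes the
   scratch on every exit path. Returns 0 on success, -1 on rejected input.
   The caller remains responsible for wiping its own copy of `input`. */
int check_password(const char *input, unsigned long expected,
                   char *scratch, size_t cap, int *match) {
    int rc = -1;
    size_t len = strlen(input);
    *match = 0;
    if (len == 0 || len >= cap) goto out;        /* rejected before the copy */
    memcpy(scratch, input, len + 1);
    if (strchr(scratch, '\n') != NULL) goto out; /* error path after the copy */
    *match = (toy_digest(scratch, len) == expected);
    rc = 0;
out:
    secure_wipe(scratch, cap); /* single exit: success and failure both wipe */
    return rc;
}

/* Returns 1 if any non-zero byte remains in buf, else 0. */
int has_residue(const char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) if (buf[i] != 0) return 1;
    return 0;
}

int main(void) {
    char scratch[32];
    int match;
    /* "hunter2\n" is a constructed sample that hits the post-copy error path */
    int rc = check_password("hunter2\n", 0, scratch, sizeof scratch, &match);
    printf("rc=%d residue=%d\n", rc, has_residue(scratch, sizeof scratch));
    return 0;
}
```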

CVSS Base Score: 1.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82656 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:N/A:N)


AFFECTED PLATFORMS:
IBM Notes 9.0, 8.5.x.

REMEDIATION: The recommended solution is to apply the fix for IBM Notes as soon as practical. See below for information on the fixes available.

Fix:
This issue is being tracked as SPR# JMOY95H59S and SPR# NPEI95BQLK. The fix is included in Interim Fix 2 for Notes 9.0 (technote 1640580) and Interim Fix 2 for Notes 8.5.3 Fix Pack 4 (technote 1639571). The fix will also be included in Notes 8.5.3 Fix Pack 5 (refer to the Notes/Domino Fix List to monitor Fix Pack availability status).

Workaround:
None known; apply fixes.

Mitigation:
None known; apply fixes.

REFERENCES:
Complete CVSS Guide
On-line Calculator V2
CVE-2013-0534
http://xforce.iss.net/xforce/xfdb/82656

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
The vulnerability was reported to IBM by Thaddeus Bogner.

Related information

Interim Fix 2 for IBM Notes 8.5.3 Fix Pack 4
Interim Fix 2 for IBM Notes 9.0

Document information

More support for: IBM Notes, Security
Software version: 8.5, 8.5.1, 8.5.2, 8.5.3, 9.0
Operating system(s): Linux, Mac OS X, Windows
Software edition: All Editions
Reference #: 1636154
Modified date: 2014-03-27