Fix available for potential security vulnerability in Sametime clients - Password can be found on the clear on client's memory

Fix readme


Abstract

A fix is available for a potential password security vulnerability that has been identified for Sametime clients. The issue exists in the Sametime rich client (Sametime Connect or embedded Sametime in Notes).

Content

A fix is available that removes the vulnerability in the Sametime rich client.
Please see the following security bulletin: "Security Bulletin: Vulnerability in Sametime Clients - Password can be found on the clear on client's memory (CVE-2013-0534)"


Sections below:

  • Affected products
  • Fix download links
  • Installation instructions for each version


Affected products




This potential vulnerability affects the following clients:
  • Sametime Connect client (stand-alone)
  • Embedded Sametime in the Lotus Notes client


Fix download links



The fix for this security vulnerability is posted to IBM Fix Central. Refer to the tables below for direct links to the fix by client type and version.

For Sametime Connect client (stand-alone)

| Sametime version (shipped in the box) | Fix delivery vehicle |
| --- | --- |
| 8.5.1, 8.5.1.1 | 8511-ST-Client-FP-SJWG-98V3DT |
| 8.5.2, 8.5.2.1 | 8521-ST-Client-FP-SJWG-98V3VH |


For embedded Sametime in Notes (Shipped in the box)


| Client | Sametime version (shipped in the box) | Fix delivery vehicle for W32 | Fix delivery vehicle for MAC |
| --- | --- | --- | --- |
| Notes 8.5.3 | 8.5.1 | Notes_853FP4IF2_W32_Standard | Notes_853FP4IF2_MAC_Standard |
| Notes 9.0 | 8.5.2 | Notes_90IF2_W32_Standard | Hotfix still in progress |


For embedded Sametime in Notes, updated by use of the add-on installer (Not shipped in the box)

| Client | Sametime version (shipped in the box) | Add-on installer | Fix delivery vehicle |
| --- | --- | --- | --- |
| Notes 8.5.3 | 8.5.1 | Sametime 8.5.2, 8.5.2.1 | 8521-ST-Client-FP-SJWG-98V3VH |




Installation Instructions




The steps to apply the fix vary by client type and version, as follows:
  • Sametime Connect 8.5.1
  • Sametime Connect 8.5.2 and embedded Sametime 8.5.2
  • Notes 8.5.3 and 9.0



Installation Instructions Sametime Connect 8.5.1



The Sametime Connect 8.5.1 cumulative fix package is available in the form of install packages for Windows, Mac, and Linux.

The following table outlines the install packages by operating system and client type:

| Operating system | Client type | Package name | Description |
| --- | --- | --- | --- |
| Windows | Sametime Connect 8.5.1 stand-alone | sametime.hotfix.win32_20130618-1145.exe | Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.1 |
| Mac OSX | Sametime Connect 8.5.1 stand-alone | sametime.hotfix.macosx_20130618-1145.tar | Single TAR compressed file containing the Mac PKG install package to fix stand-alone Sametime Connect |
| Linux | Sametime Connect 8.5.1 stand-alone | sametime-hotfix-8.5.1-20130618.1415.i586.rpm | Linux RPM install package to fix stand-alone Sametime Connect |
| Linux | Sametime Connect 8.5.1 stand-alone | sametime-hotfix-8.5.1-20130618.1415.i386.deb | Linux Debian install package to fix stand-alone Sametime Connect |


Windows install steps

A Windows user can manually install this update by executing the sametime.hotfix.win32_20130618-1145.exe file.
  1. Close the Sametime client if it is running.
  2. Launch the fix install executable: sametime.hotfix.win32_20130618-1145.exe
  3. When the Language dialog appears, select the language and click Next.
  4. The install wizard appears. Click Next to start, read the license agreement, and click Accept if you choose to accept it.
  5. Click Install to begin the installation.
  6. When the install completes, click Finish.

--------------------
Mac OSX install steps

Both the stand-alone and embedded form of the fix for the Mac OSX platform are provided as compressed TAR files consisting of standard PKG files. Uncompress the TAR files to a folder, and you will see the standard PKG set of files.

Refer to the Apple installer Manual page for options and parameters that can be used:
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man8/installer.8.html

--------------------
Linux install steps

Both the stand-alone and embedded form of the fix for the Linux platform are provided as Linux RPM and Debian DEB packages. Refer to the standard documentation of installing and managing RPM or DEB packages on Linux.

--------------------
Configuring SSO for Sametime Meetings

If the Sametime Meeting Server is not SSO-enabled with the Community Server, configure single sign-on between the Sametime Meeting Server and the Sametime Community Server by following the Sametime information center: http://publib.boulder.ibm.com/infocenter/sametime/v8r5/topic/com.ibm.help.sametime.v851.doc/config/config_st_sec_import_ltpakeys.html

If the Sametime Connect 8.5.1 client connects to a meeting server, configure the client to use single sign-on:
  1. Back up the <sametime client installed directory>\rcp\plugin_customization.ini file.
  2. Modify the plugin_customization.ini file by adding or updating the following line:

    com.ibm.rtc.meetings.shelf/loginByToken=true
  3. Save and close the configuration file.
  4. Restart the client.

The alternative way to use single sign-on in the client is to upgrade the Sametime client to version 8.5.2.



Installation Instructions Sametime Connect 8.5.2 and embedded Sametime 8.5.2



The Sametime Connect 8.5.2 cumulative fix package is available in the form of install packages for Windows, Mac, and Linux.

The following table outlines the install packages by operating system and client type:

| Operating system | Client type | Package name | Description |
| --- | --- | --- | --- |
| Windows | Sametime Connect 8.5.2 stand-alone | sametime.hotfix.win32_20130616-1930.exe | Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.2 |
| Windows | embedded Sametime in Notes 8.5.3 | sametime.embedded.addon.win32_20130616-1930.exe | Windows self-extracting executable containing MSI install files to fix embedded Sametime in Notes 8.5.3 |
| Mac OSX | Sametime Connect 8.5.2 stand-alone | sametime.hotfix.macosx_20130616-1930.tar | Single TAR compressed file containing the Mac PKG install package to fix stand-alone Sametime Connect |
| Mac OSX | embedded Sametime in Notes 8.5.3 or later | sametime.10.8.embedded.addon.macosx_20130616-1930.tar | Single TAR compressed file containing the Mac PKG install package to fix embedded Sametime in Notes 8.5.3 or later |
| Linux | Sametime Connect 8.5.2 stand-alone | sametime-hotfix-8.5.2-20130616.2230.i586.rpm | Linux RPM install package to fix stand-alone Sametime Connect |
| Linux | Sametime Connect 8.5.2 stand-alone | sametime-hotfix-8.5.2-20130616.2230.i386.deb | Linux Debian install package to fix stand-alone Sametime Connect |
| Linux | embedded Sametime in Notes 8.5.3 or later | sametime-connect-embedded-8.5.2-20130616.2230.i586.rpm, sametime-connect-embedded-core-8.5.2-20130616.2230.i586.rpm | Linux RPM install packages to fix embedded Sametime in Notes 8.5.3 or later |
| Linux | embedded Sametime in Notes 8.5.3 or later | sametime-connect-embedded-8.5.2-20130616.2230.i386.deb, sametime-connect-embedded-core-8.5.2-20130616.2230.i386.deb | Linux Debian install packages to fix embedded Sametime in Notes 8.5.3 or later |


Windows install steps

A Windows user can manually install this update by executing the sametime.hotfix.win32_20130616-1930.exe file.
  1. Close the Sametime client if it is running.
  2. Launch the fix install executable: sametime.hotfix.win32_20130616-1930.exe
  3. When the Language dialog appears, select the language and click Next.
  4. The install wizard appears. Click Next to start, read the license agreement, and click Accept if you choose to accept it.
  5. Click Install to begin the installation.
  6. When the install completes, click Finish.

For the Notes 8.5.3 or later client, run the sametime.embedded.addon.win32_20130616-1930.exe file. The dialog and steps are similar to those above.

--------------------
Mac OSX install steps

Both the stand-alone and embedded form of the fix for the Mac OSX platform are provided as compressed TAR files consisting of standard PKG files. Uncompress the TAR files to a folder, and you will see the standard PKG set of files.

Refer to the Apple installer Manual page for options and parameters that can be used:
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man8/installer.8.html

--------------------
Linux install steps

Both the stand-alone and embedded form of the fix for the Linux platform are provided as Linux RPM and Debian DEB packages. Refer to the standard documentation of installing and managing RPM or DEB packages on Linux.




Installation Instructions Notes 8.5.3 and 9.0




Shut down the Notes client, and double-click the executable fix file. Fixes for Windows only are posted to IBM Fix Central. If you need the fix for Mac or Linux platforms, open a Service Request with IBM Support.

--------------------
Configuring SSO for Sametime Meetings

If the Sametime Meeting Server is not SSO-enabled with the Community Server, configure single sign-on between the Sametime Meeting Server and the Sametime Community Server by following the Sametime information center: http://publib.boulder.ibm.com/infocenter/sametime/v8r5/topic/com.ibm.help.sametime.v851.doc/config/config_st_sec_import_ltpakeys.html

If the embedded Sametime 8.5.1 client connects to a meeting server, configure the client to use single sign-on:
  1. Back up the <notes client installed directory>\framework\rcp\plugin_customization.ini file.
  2. Modify the plugin_customization.ini file by adding or updating the following line:

    com.ibm.rtc.meetings.shelf/loginByToken=true
  3. Save and close the configuration file.
  4. Restart the client.

The alternative way to use single sign-on in the client is to upgrade the Sametime client to version 8.5.2.
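The back-up and add-or-update steps from both "Configuring SSO for Sametime Meetings" procedures (stand-alone Sametime Connect and embedded Sametime in Notes) can be scripted when many clients need the change. The following Python helper is an added example, not IBM's code; the function name and the .bak backup suffix are assumptions, and the client must still be restarted afterwards.

```python
import shutil
import sys
from pathlib import Path

# Preference key and value taken from the configuration steps on this page.
KEY = "com.ibm.rtc.meetings.shelf/loginByToken"
WANTED = KEY + "=true"


def enable_login_by_token(ini_path):
    """Back up the file, then add or update the loginByToken line.

    Returns True if the file was modified, False if it was already correct.
    """
    ini = Path(ini_path)
    raw = ini.read_bytes()
    # Work on bytes and keep the file's own line endings; latin-1 maps every
    # byte to one character, so unrelated lines round-trip unchanged.
    eol = b"\r\n" if b"\r\n" in raw else b"\n"
    lines = [l.decode("latin-1") for l in raw.splitlines()]

    out, seen, changed = [], False, False
    for line in lines:
        name, sep, _ = line.partition("=")
        if sep and name.strip() == KEY:   # commented-out (#...) lines do not match
            if seen:                      # drop duplicate definitions of the key
                changed = True
                continue
            seen = True
            changed = changed or line.strip() != WANTED
            out.append(WANTED)
        else:
            out.append(line)
    if not seen:
        out.append(WANTED)
        changed = True
    if not changed:
        return False

    backup = ini.with_name(ini.name + ".bak")   # assumed backup name
    if not backup.exists():                     # never overwrite the first backup
        shutil.copy2(ini, backup)
    ini.write_bytes(eol.join(l.encode("latin-1") for l in out) + eol)
    return True


if __name__ == "__main__":
    # Usage: python script.py <path to plugin_customization.ini> [...]
    for path in sys.argv[1:]:
        print(path, "modified" if enable_login_by_token(path) else "already set")
```

Running it a second time leaves the file and the first backup untouched, so it is safe to include in a repeated deployment job.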

Related information

Security Bulletin: Vulnerability in Sametime Clients -


Document information

More support for: IBM Sametime, Security/SSL
Software version: 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1
Operating system(s): Linux, Mac OS X, Windows
Reference #: 1639267
Modified date: 2013-06-28
