Security Bulletin: Buffer Overflow Vulnerability in IBM iNotes (CVE-2013-4068)
IBM iNotes 8.5.3 and 9.0 are at risk from a buffer overflow vulnerability. The fix for this issue is available in IBM Domino 8.5.3 Fix Pack 5 Interim Fix 1 and IBM Domino 9.0 Interim Fix 4.
VULNERABILITY DETAILS: IBM iNotes buffer overflow vulnerability
CVE ID: CVE-2013-4068
DESCRIPTION: IBM iNotes 8.5.3 and 9.0 are at risk from a buffer overflow vulnerability which could allow an authenticated attacker to crash the Domino server. An attacker with detailed knowledge of the code execution environment could gain further access through remote code execution. The fix for this issue is available in IBM Domino 8.5.3 Fix Pack 5 Interim Fix 1 and IBM Domino 9.0 Interim Fix 4.
CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86599 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:S/C:C/I:C/A:C)
Access Vector: Network
Access Complexity: High
Authentication: Single
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
IBM iNotes 8.5.3 and 9.0
This issue is being tracked through SPR# PTHN9ADPA8. The fix is available in Interim Fix 1 or later for Domino 8.5.3 Fix Pack 5 and Interim Fix 4 or later for Domino 9.0. For download links and more information, see the technotes linked below:
- Interim Fix 2 for Domino 8.5.3 Fix Pack 5 (technote 1653401)
- Latest Interim Fixes for IBM Domino 9.0 (technote 1653364)
- Complete CVSS Guide
- On-line Calculator V2
- X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/86599
This vulnerability was reported to IBM by Thomas Skora of Integralis.
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.