Security Bulletin: Buffer Overflow Vulnerability in IBM iNotes (CVE-2013-4068)

Flash (Alert)


Abstract

IBM iNotes 8.5.3 and 9.0 are at risk from a buffer overflow vulnerability. The fix for this issue is available in IBM Domino 8.5.3 Fix Pack 5 Interim Fix 1 and IBM Domino 9.0 Interim Fix 4.

Content


VULNERABILITY DETAILS: IBM iNotes buffer overflow vulnerability

CVE ID: CVE-2013-4068

DESCRIPTION: IBM iNotes 8.5.3 and 9.0 are at risk from a buffer overflow vulnerability which could allow an authenticated attacker to crash the Domino server. An attacker with detailed knowledge of the code execution environment could gain further access through remote code execution. The fix for this issue is available in IBM Domino 8.5.3 Fix Pack 5 Interim Fix 1 and IBM Domino 9.0 Interim Fix 4.

CVSS:

CVE ID: CVE-2013-4068
CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86599 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Access Vector: Network
Access Complexity: High
Authentication: Single
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete

AFFECTED PLATFORMS:

IBM iNotes 8.5.3 and 9.0

REMEDIATION:

Fix:

This issue is being tracked through SPR# PTHN9ADPA8. The fix is available in Interim Fix 1 for Domino 8.5.3 Fix Pack 5 and Interim Fix 4 for Domino 9.0. For download links and more information, see the technotes linked below:


Workaround:

None

Mitigation(s):

None




REFERENCES:


RELATED INFORMATION:

ACKNOWLEDGEMENT:
This vulnerability was reported to IBM by Thomas Skora of Integralis.

*The CVSS Environmental Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note:
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information


More support for:

IBM iNotes
Security

Software version:

8.5.3, 9.0

Operating system(s):

AIX, IBM i, Linux, Linux zSeries, Solaris, Windows

Reference #:

1649476

Modified date:

2013-09-17
