Security Bulletin: For safer administration of IBM Domino server, use Domino Administrator client instead of Domino Web Administrator

Flash (Alert)


Abstract

IBM Domino Web Administrator (webadmin.nsf) has two cross-site scripting vulnerabilities and one cross-site request forgery of low CVSS score. These vulnerabilities do not exist in the Domino Administrator client. To prevent the potential for these attacks, use the Domino Administrator client or mitigations listed below. Domino Web Administrator is deprecated.

Content

IBM Domino Web Administrator (webadmin.nsf) has multiple cross-site scripting vulnerabilities of low CVSS score. These vulnerabilities do not exist in the Domino Administrator client. To prevent the potential for these attacks, migrate away from Domino Web Administrator. Instead use the Domino Administrator client or the mitigations listed below.

Domino Web Administrator is being deprecated. No new functions will be added and IBM Support will not escalate issues reported. Customers are advised to use the fully functional Domino Administrator client.


VULNERABILITY DETAILS: IBM Domino Web Administrator Cross-site Scripting vulnerabilities


    CVE ID: CVE-2013-4051, CVE-2013-4055

    DESCRIPTION: An authenticated attacker could exploit a security vulnerability in IBM Domino Web Administrator for cross-site scripting.

    CVSS:

    CVE ID: CVE-2013-4051
    CVSS Base Score: 3.5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86503 for the current score.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)


    CVE ID: CVE-2013-4055
    CVSS Base Score: 3.5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86544 for the current score.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)

VULNERABILITY DETAILS: IBM Domino Web Administrator Cross-site Request Forgery vulnerability

    CVE ID: CVE-2013-4050

    DESCRIPTION: An authenticated attacker could exploit a security vulnerability in IBM Domino Web Administrator for cross-site request forgery.

    CVSS:

    CVE ID: CVE-2013-4050
    CVSS Base Score: 3.5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86433 for the current score.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)


AFFECTED PLATFORMS:

IBM Domino Web Administrator 8.5.x, 9.0.x

REMEDIATION:

Fix:

No fixes are planned. IBM Domino Web Administrator is deprecated. Customers are advised to move to the fully functional Domino Administrator client.

Workaround:

Use the fully functional Domino Administrator client for safer management of IBM Domino server.

Mitigation(s):

Access Domino Web Administrator from a browser session which is used only for this purpose. Do not use this session to visit web sites other than the server being administered. Do not use other web applications during this session; for instance, do not read email.



REFERENCES:

RELATED INFORMATION:

ACKNOWLEDGEMENT:

These vulnerabilities were reported to IBM by Alexander Klink of n.runs AG.

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note:
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related information

Installing the Domino Administrator client


    Cross reference information
    Segment                 Product    Component  Platform  Version   Edition
    Messaging Applications  IBM Notes                       9.0, 8.5


Document information


More support for:

IBM Domino

Software version:

8.5, 9.0

Operating system(s):

AIX, AIX 64bit, IBM i, Linux, Linux iSeries, Linux xSeries, Linux zSeries, Solaris, Windows, Windows 64bit, i5/OS, z/OS

Reference #:

1652988

Modified date:

2013-11-05
