Security Bulletin: IBM Lotus Sametime WebPlayer Denial-of-Service (CVE-2013-3986)

Flash (Alert)


Abstract

An attacker participating in a Sametime Audio Visual (AV) session may be able to crash the IBM Sametime WebPlayer extension session of other users.

Content



VULNERABILITY DETAILS

CVE ID: CVE-2013-3986



DESCRIPTION
An attacker participating in a Sametime Audio Visual (AV) session may be able to crash the IBM Sametime WebPlayer extension session of other users.


CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84969 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)




AFFECTED PRODUCTS
IBM Lotus Sametime WebPlayer versions 8.5.2 and 8.5.2.1



FIX

The fix can be downloaded from here: 8521-ST-Meida-IF-AUDT-9D6GKQ



INSTALLATION INSTRUCTION


Server side instructions:
    1. Log in to the machine where the Sametime Proxy Server is installed.
    2. Navigate to the path $WAS_INSTALL_PATH\profiles\<Proxy Server Profile Name>\installedApps\<Cell Name>\SametimeProxy.ear\stwebav.war.
    3. Back up the original "stwebsoftphone.CAB" and "stwebsoftphone.zip" by copying them to some other location.
    4. Copy the two new files from Fix Central (link above in the "Fix" section of this document) to the location mentioned above in these steps. (Note: "stwebsoftphone.CAB" is for Windows and "stwebsoftphone.zip" is for Mac.)
    5. Open VersionInfo.properties and set "Softphone=8.5.2.19".
    6. Restart the Sametime Proxy Server.
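The server-side steps above (back up the two softphone archives, copy in the fixed files, set the Softphone version key) as a script, with a check that an administrator can run afterwards to confirm the fix landed. This is an added example, not IBM's code; it assumes a POSIX shell on the proxy server host and takes the stwebav.war directory, the directory holding the files downloaded from Fix Central, and a backup directory as arguments.

```shell
#!/usr/bin/env bash
# Added example, not part of the IBM bulletin. Assumes a POSIX shell on the
# Sametime Proxy Server host; directory locations are passed as arguments.
set -euo pipefail

# Set key=value in a Java .properties file, replacing an existing line or
# appending one. Written via a temp file so it works with GNU and BSD sed.
set_property() {
    local file="$1" key="$2" value="$3"
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Steps 3-5 of the bulletin: back up stwebsoftphone.CAB and stwebsoftphone.zip,
# copy the fixed files into stwebav.war, then set Softphone=8.5.2.19.
# Usage: apply_softphone_fix <stwebav.war dir> <fix files dir> <backup dir>
apply_softphone_fix() {
    local war_dir="$1" fix_dir="$2" backup_dir="$3"
    mkdir -p "$backup_dir"
    for f in stwebsoftphone.CAB stwebsoftphone.zip; do
        [ -f "$war_dir/$f" ] && cp -p "$war_dir/$f" "$backup_dir/$f"
        cp "$fix_dir/$f" "$war_dir/$f"
    done
    set_property "$war_dir/VersionInfo.properties" Softphone 8.5.2.19
}

# Post-fix check: both archives present and the version key set to the
# value the bulletin specifies. CRs are stripped so CRLF files also pass.
verify_softphone_fix() {
    local war_dir="$1"
    [ -f "$war_dir/stwebsoftphone.CAB" ] && [ -f "$war_dir/stwebsoftphone.zip" ] || return 1
    tr -d '\r' < "$war_dir/VersionInfo.properties" | grep -qx 'Softphone=8.5.2.19'
}
```

Run verify_softphone_fix against each proxy server profile after the restart in step 6; a non-zero exit means the server is still serving the old WebPlayer build.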

Client side instructions:

Uninstalling the plugin

Follow the instructions that apply to your operating system and browser to uninstall the Sametime web audio-visual plugin.
    Internet Explorer on Microsoft™ Windows™
      Internet Explorer 6:
        1. Open Explorer and navigate to the folder %WINDIR%\Downloaded Program Files.
        2. Remove the entry “IBM Lotus® Sametime WebPlayer” Control.
      Internet Explorer 7 and 8:
        1. Launch Internet Explorer and navigate to Tools -> Manage Add-ons.
        2. Select Show All Add-ons.
        3. Double-click IBM Lotus Sametime WebPlayer and click Remove.
    Mozilla Firefox on Microsoft Windows and Mac OSX
      1. Launch Firefox and navigate to Tools -> Add-ons.
      2. Open the Extensions Tab
      3. Select IBM Lotus Sametime WebPlayer.
      4. Click Uninstall.
Clean up folders that are no longer needed:
    Windows XP: Delete the folders:
      • %PROGRAMFILES%\IBM\Lotus\Sametime WebPlayer\ and %APPDATA%\IBM\Lotus\Sametime WebPlayer\.
    Windows 7: Delete the folder:
      • %USERPROFILE%\AppData\LocalLow\IBM\Lotus\Sametime WebPlayer\.
    Mac OSX: Delete the folder:
      • $HOME/Library/ApplicationSupport/IBM/Lotus/Sametime WebPlayer/.

After uninstall, click the Meeting Server URL and install the web AV plug-in and proceed with the call.

For more details refer to: "Installing and uninstalling the Sametime web audio-visual plugin automatically from a browser"



WORKAROUND(S) & MITIGATION(S)

None available. Please apply the fix.



REFERENCES




RELATED INFORMATION




ACKNOWLEDGEMENT


The vulnerability was reported to IBM by Chris John Riley - R-IT CERT.



CHANGE HISTORY - 7 November 2013: Original Copy Published


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: IBM Sametime (Audio/Voice chat)
Software version: 8.5.2, 8.5.2.1
Operating system(s): Mac OS X, Windows
Reference #: 1654041
Modified date: 2014-09-21
