IBM Support

Security Bulletin: IBM Lotus Sametime WebPlayer Denial-of-Service (CVE-2013-3986)

Flash (Alert)


An attacker participating in a Sametime Audio Visual (AV) session may be able to crash the IBM Sametime WebPlayer extension session of other users.



CVE ID: CVE-2013-3986

An attacker participating in a Sametime Audio Visual (AV) session may be able to crash the IBM Sametime WebPlayer extension session of other users.

CVSS Base Score: 4.3
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

IBM Lotus Sametime WebPlayer versions 8.5.2 and


The fix can be downloaded from here: 8521-ST-Meida-IF-AUDT-9D6GKQ


Server side instructions:
    1. Log in to the machine where the Sametime Proxy Server is installed.
    2. Navigate to the path --> $WAS_INSTALL_PATH\profiles\<Proxy Server Profile Name>\installedApps\<Cell Name>\SametimeProxy.ear\stwebav.war.
    3. Back up the original "stwebsoftphone.CAB" and "" by copying them to some other location.
    4. Copy the two new files from Fix Central (link above in the "Fix" section of this document) to the location mentioned above in these steps. (Note: "stwebsoftphone.CAB" is for Windows and "" is for Mac.)
    5. Open and Set the "Softphone=
    6. Restart the Sametime Proxy Server.

Client side instructions:

Uninstalling the plugin

Follow the instructions that apply to your operating system and browser to uninstall the Sametime web audio-visual plugin.
    Internet Explorer on Microsoft™ Windows™
      Internet Explorer 6:
        1. Open Explorer and navigate to the folder %WINDIR%\Downloaded Program Files.
        2. Remove the entry “IBM Lotus® Sametime WebPlayer” Control.
      Internet Explorer 7 and 8:
        1. Launch Internet Explorer and navigate to Tools -> Manage Add-ons.
        2. Select Show All Add-ons.
        3. Double-click IBM Lotus Sametime WebPlayer and click Remove.
    Mozilla Firefox on Microsoft Windows and Mac OSX
      1. Launch Firefox and navigate to Tools -> Add-ons.
      2. Open the Extensions tab.
      3. Select IBM Lotus Sametime WebPlayer.
      4. Click Uninstall.
Clean up folders that are no longer needed:
    Windows XP: Delete the folders:
      • %PROGRAMFILES%\IBM\Lotus\Sametime WebPlayer\ and %APPDATA%\IBM\Lotus\Sametime WebPlayer\.
    Windows 7: Delete the folder:
      • %USERPROFILE%\AppData\LocalLow\IBM\Lotus\Sametime WebPlayer\.
    Mac OSX: Delete the folder:
      • $HOME/Library/ApplicationSupport/IBM/Lotus/Sametime WebPlayer/.

After uninstalling, open the Meeting Server URL, install the web AV plug-in, and proceed with the call.

For more details refer to: "Installing and uninstalling the Sametime web audio-visual plugin automatically from a browser"


Workarounds and Mitigations: None available. Please apply the fix.




The vulnerability was reported to IBM by Chris John Riley - R-IT CERT.

CHANGE HISTORY - 7 November 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Lotus End of Support Products
IBM Sametime

Software version: 8.5.2,

Operating system(s): OS X, Windows

Reference #: 1654041

Modified date: 21 September 2014