
Security Bulletin: Unsigned Java Plugins (CVE-2013-6727)



A user who accepts unsigned Java plug-ins may be vulnerable to the plug-in accessing confidential user information.

Vulnerability Details

CVE ID: CVE-2013-6727

    Java plugins can access confidential user information.


Affected Products and Versions

Sametime Connect Client versions 9 and 8.5.2


Workarounds and Mitigations

It is possible to mitigate the issue by preventing users from installing unsigned plug-ins, as described below.
The signed plug-in policy settings are used by the Expeditor Client provisioning system to control access to local or remote Eclipse update sites. End users access the update sites to upgrade their base offerings and custom plug-in applications. The three settings are listed below:

Eclipse preference: EXPIRED_SIGNATURE_POLICY
Possible values: ALLOW, DENY, PROMPT
    This preference setting defines the default behavior for the provisioning system when it encounters a jar file that is signed, but the certificate used to sign the jar file has expired.

Eclipse preference: UNSIGNED_PLUGIN_POLICY
Possible values: ALLOW, DENY, PROMPT
    This preference setting defines the default behavior for the provisioning system when it encounters a jar file that is unsigned.

Eclipse preference: UNTRUSTED_SIGNATURE_POLICY
Possible values: ALLOW, DENY, PROMPT
    This preference setting defines the default behavior for the provisioning system when it encounters a jar file that is signed, but the certificate used to sign the jar file is untrusted.

Setting one of the above policy values to ALLOW or DENY causes the provisioning system to allow or deny provisioning of the feature without consulting the user.

The policy value PROMPT asks the user to make the trust decision. To disable unsigned plug-in installation, set all three policy values to DENY.


You can use either of the following two methods (A or B) to configure the policy settings:

A. Set up the signed plug-in policy settings in a Domino Desktop Policy

You can use the Domino desktop Policy Settings document to configure the above preferences for clients running the Sametime embedded client; refer to the following documents:

"Pushing Eclipse preference settings to Notes clients"

"Creating a desktop policy settings document"

The brief steps:
    1. Create a desktop settings document (Configuration -> Policies -> Settings), go to the Custom Settings tab, and add the policy settings on the Managed Settings tab.
    2. Create a policy (Configuration -> Policies), select the desktop settings document created above in the Desktop list, go to the Policy Assignment tab, and assign this policy to the selected users or groups. Save and close.

B. Set up the signed plug-in policy settings in a Sametime Policy

You can use the Sametime policy to configure the signed plug-in policy settings; refer to the topic

"Automatically updating client preferences with the managed-settings.xml file"

The brief steps:
    1. Define the preferences in managed-settings.xml (the settingGroup element must be closed so the file stays well-formed XML):
    <settingGroup name="">
    <setting name="EXPIRED_SIGNATURE_POLICY" value="DENY"/>
    <setting name="UNSIGNED_PLUGIN_POLICY" value="DENY"/>
    <setting name="UNTRUSTED_SIGNATURE_POLICY" value="DENY"/>
    </settingGroup>
    2. Add a new Sametime policy in the Sametime System Console (SSC) or the Sametime admin client (if the community server is not registered in SSC). Set the Sametime update site URL to the URL that hosts the managed-settings.xml file, for example:
    3. Assign the users or groups to this policy.
    4. Restart the community server to make the new policy take effect.

After a user assigned to this policy logs in, the client receives the policy and updates the relevant preferences.
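Because a managed-settings.xml that silently drops one of the three policies, or leaves one at PROMPT, still leaves users able to accept unsigned plug-ins, it is worth auditing the file before publishing it to the update site. The following Python script is an added example and is not IBM's code or part of this bulletin: it parses a managed-settings.xml document, collects every setting under any settingGroup, and reports each of the three signed plug-in policies that is missing, set to a value other than the ALLOW/DENY/PROMPT values the bulletin lists, or set to anything but DENY. The ManagedSettings root element and the group name EXAMPLE_GROUP_NAME are assumptions (the bulletin shows only the inner settingGroup fragment with an empty name), and both sample documents are constructed here.

```python
"""Audit a Sametime managed-settings.xml for the signed plug-in policy values.

Added example, not IBM's code. The <ManagedSettings> root element and the
settingGroup name are assumptions; the bulletin shows only the inner fragment.
"""
import xml.etree.ElementTree as ET

# The three Expeditor provisioning preferences named in the bulletin, each
# with the value the bulletin recommends to block unsigned plug-in installs.
REQUIRED_POLICIES = {
    "EXPIRED_SIGNATURE_POLICY": "DENY",
    "UNSIGNED_PLUGIN_POLICY": "DENY",
    "UNTRUSTED_SIGNATURE_POLICY": "DENY",
}

# The values the bulletin says the provisioning system interprets. Anything
# else (including a different letter case) is flagged for review rather than
# assumed to work.
VALID_VALUES = {"ALLOW", "DENY", "PROMPT"}

# Constructed sample: a weak file that misspells one value, still prompts on
# unsigned jars, and never sets the untrusted-signature policy at all.
WEAK_SAMPLE = """
<ManagedSettings>
  <settingGroup name="EXAMPLE_GROUP_NAME">
    <setting name="EXPIRED_SIGNATURE_POLICY" value="deny"/>
    <setting name="UNSIGNED_PLUGIN_POLICY" value="PROMPT"/>
  </settingGroup>
</ManagedSettings>
"""

# Constructed sample: the hardened configuration the bulletin recommends.
HARDENED_SAMPLE = """
<ManagedSettings>
  <settingGroup name="EXAMPLE_GROUP_NAME">
    <setting name="EXPIRED_SIGNATURE_POLICY" value="DENY"/>
    <setting name="UNSIGNED_PLUGIN_POLICY" value="DENY"/>
    <setting name="UNTRUSTED_SIGNATURE_POLICY" value="DENY"/>
  </settingGroup>
</ManagedSettings>
"""


def collect_settings(xml_text):
    """Return {setting name: value} for every <setting> under any <settingGroup>.

    If a name appears more than once, the last occurrence wins, which is the
    conservative reading when a later group silently overrides an earlier one.
    """
    root = ET.fromstring(xml_text)
    found = {}
    for group in root.iter("settingGroup"):
        for setting in group.findall("setting"):
            name = setting.get("name")
            if name:
                found[name] = setting.get("value")
    return found


def audit_policies(xml_text):
    """Return a list of (policy name, status, value) findings.

    status is "missing" (policy not set), "unrecognised" (value is not one of
    ALLOW/DENY/PROMPT) or "weak" (a recognised value other than DENY).
    An empty list means all three policies are set to DENY.
    """
    found = collect_settings(xml_text)
    findings = []
    for name, expected in REQUIRED_POLICIES.items():
        if name not in found:
            findings.append((name, "missing", None))
        elif found[name] not in VALID_VALUES:
            findings.append((name, "unrecognised", found[name]))
        elif found[name] != expected:
            findings.append((name, "weak", found[name]))
    return findings


def format_report(label, xml_text):
    """Render the findings for one document as human-readable lines."""
    findings = audit_policies(xml_text)
    if not findings:
        return [f"{label}: all signed plug-in policies are DENY"]
    lines = [f"{label}: {len(findings)} finding(s)"]
    for name, status, value in findings:
        lines.append(f"  {name}: {status} (value={value!r})")
    return lines


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print("\n".join(format_report(label, text)))
```

Run the script against the real file by replacing the sample strings with the contents of the managed-settings.xml you intend to publish; any finding other than an empty list means at least one path still lets a user accept an unsigned or badly signed plug-in.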



Complete CVSS v2 Guide
On-line Calculator v2
CVE: CVE-2013-6727



The vulnerability was reported to IBM by: Colin Tucker of VoiceRite Inc.

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

30 January 2014 - Original version published.
09 September 2015 - Fixed link to client fix.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM Sametime Connect client

Software version: 8.5.2, 9.0

Operating system(s): AIX, Android, IBM i, Linux, OS X, Windows, iOS

Software edition: Communicate, Complete, Conference, Standard

Reference #: 1662725

Modified date: 12 February 2015
