A user who accepts unsigned Java plugins may be vulnerable to the plugin accessing confidential user information.
CVE ID: CVE-2013-6727
Java plugins can access confidential user information.
CVSS Base Score: 1.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89282 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N)
Sametime Connect Client version 9 and 8.5.2
Fixes are available via the following technotes:
It is possible to mitigate the issue by preventing users from installing unsigned plugins, using the following instructions:
The signed plug-in policy settings are used by the Expeditor Client provisioning system for controlling access to local or remote Eclipse update sites. End users access the update sites to upgrade their base offerings and custom plug-in applications. The settings are:
- EXPIRED_SIGNATURE_POLICY: This preference setting value defines the default behavior for the provisioning system when it encounters a jar file that is signed, but the certificate used to sign the jar file has expired.
- UNSIGNED_PLUGIN_POLICY: This preference setting value defines the default behavior for the provisioning system when it encounters a jar file that is unsigned.
- UNTRUSTED_SIGNATURE_POLICY: This setting value defines the default behavior for the provisioning system when it encounters a jar file that is signed, but the certificate used to sign the jar file is untrusted.
A policy value of ALLOW or DENY tells the provisioning system to allow or deny provisioning of features.
A policy value of PROMPT prompts the users to make the necessary trust decisions. To disable unsigned plugin installation, set the above policy values to DENY.
TO CONFIGURE THE POLICY SETTINGS
You can use either of the following two methods (A or B) to configure the policy settings:
A. Set up the signed plug-in policy settings in Domino Desktop Policy
You can use the Domino desktop Policy Settings document to configure the above preferences for clients running the Sametime embedded client. Refer to the following documents:
"Pushing Eclipse preference settings" to Notes clients
"Creating a desktop policy settings document"
The brief steps:
- Create a desktop setting (Configuration -> Policies -> Settings), go to the Custom Settings tab, and add the policy settings in the Managed Settings tab.
- Create a policy (Configuration -> Policies), choose the above desktop setting in the Desktop list, go to the Policy Assignment tab, and assign this policy to the selected users/groups. Save and close.
B. Set up the signed plug-in policy settings in Sametime Policy
You can use the Sametime policy to configure the signed plug-in policy settings. Refer to the topic
"Automatically updating client preferences with the managed-settings.xml file"
The brief steps:
1. Define the preference in the managed-settings.xml:
<setting name="EXPIRED_SIGNATURE_POLICY" value="DENY"/>
<setting name="UNSIGNED_PLUGIN_POLICY" value="DENY"/>
<setting name="UNTRUSTED_SIGNATURE_POLICY" value="DENY"/>
2. Add a new Sametime policy in Sametime System Console (SSC) or Sametime admin client (if the community server is not registered into SSC). Set the Sametime update site URL to the URL that contains the managed-settings.xml, for example:
3. Assign the users or groups to this policy.
4. Restart the community server to make the new policy take effect.
After a user assigned to this policy logs in, the client receives the policy and updates the relevant preferences.
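One way to check a managed-settings.xml before publishing it on the update site is sketched below. It is an added example, not IBM's code: the function name, the wrapper elements and the group name in the sample documents are assumptions, and only the three setting names and the ALLOW/DENY/PROMPT values come from this bulletin.

```python
import xml.etree.ElementTree as ET

# The three signed plug-in policy settings named in the bulletin.
REQUIRED = ("EXPIRED_SIGNATURE_POLICY", "UNSIGNED_PLUGIN_POLICY",
            "UNTRUSTED_SIGNATURE_POLICY")
WHY = {"ALLOW": "provisioning is allowed",
       "PROMPT": "the trust decision is left to the end user"}

def audit_signed_plugin_policy(xml_text):
    """Return {setting_name: finding} for every setting that is not DENY."""
    root = ET.fromstring(xml_text)
    seen = {}
    # Collect by name at any depth, so the wrapper layout does not matter.
    for el in root.iter("setting"):
        if el.get("name") in REQUIRED:
            seen.setdefault(el.get("name"), set()).add(el.get("value"))
    findings = {}
    for name in REQUIRED:
        values = seen.get(name)
        if not values:
            findings[name] = "not defined in this file"
        elif len(values) > 1:
            findings[name] = "defined more than once with different values"
        elif values != {"DENY"}:
            # Exact match on DENY is a conservative assumption of this example.
            value = next(iter(values))
            findings[name] = WHY.get(value, "unrecognised value %r" % value)
    return findings

# Constructed samples. The wrapper elements and group name are placeholders.
WEAK = """<ManagedSettings>
  <settingGroup name="PLACEHOLDER.GROUP">
    <setting name="EXPIRED_SIGNATURE_POLICY" value="DENY"/>
    <setting name="UNSIGNED_PLUGIN_POLICY" value="PROMPT"/>
  </settingGroup>
</ManagedSettings>"""
HARDENED = """<ManagedSettings>
  <settingGroup name="PLACEHOLDER.GROUP">
    <setting name="EXPIRED_SIGNATURE_POLICY" value="DENY"/>
    <setting name="UNSIGNED_PLUGIN_POLICY" value="DENY"/>
    <setting name="UNTRUSTED_SIGNATURE_POLICY" value="DENY"/>
  </settingGroup>
</ManagedSettings>"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_signed_plugin_policy(doc) or "all three are DENY")
```

An empty result means all three settings are present exactly once with the value DENY; any other result names the setting that still permits or prompts for installation.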
On-line Calculator V2
The vulnerability was reported to IBM by: Colin Tucker of VoiceRite Inc.
30 January 2014 - Original version published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.