*Security Bulletin: Unsigned Java Plugins (CVE-2013-6727)

Summary

A user who accepts unsigned Java plugins may be vulnerable to the plugin accessing confidential user information.

Vulnerability Details

CVE ID: CVE-2013-6727
DESCRIPTION:

    Java plugins can access confidential user information.

CVSS:

Affected Products

Sametime Connect Client versions 9 and 8.5.2

Remediation/Fixes

Fixes are available via the following technotes:

Workarounds/Mitigations

It is possible to mitigate the issue by preventing users from installing unsigned plugins, using the instructions below.
The signed plug-in policy settings are used by the Expeditor Client provisioning system to control access to local or remote Eclipse update sites, which end users access to upgrade their base offerings and custom plug-in applications. Refer to the table below:

Eclipse preference                                         Possible Values     Default Value
com.ibm.rcp.security.update/EXPIRED_SIGNATURE_POLICY       PROMPT/ALLOW/DENY   PROMPT
com.ibm.rcp.security.update/UNSIGNED_PLUGIN_POLICY         PROMPT/ALLOW/DENY   PROMPT
com.ibm.rcp.security.update/UNTRUSTED_SIGNATURE_POLICY     PROMPT/ALLOW/DENY   ALLOW

EXPIRED_SIGNATURE_POLICY
    This preference value defines the default behavior of the provisioning system when it encounters a jar file that is signed, but with a certificate that has expired.

UNSIGNED_PLUGIN_POLICY
    This preference value defines the default behavior of the provisioning system when it encounters a jar file that is unsigned.

UNTRUSTED_SIGNATURE_POLICY
    This preference value defines the default behavior of the provisioning system when it encounters a jar file that is signed, but with a certificate that is untrusted.

The provisioning system interprets a policy value of ALLOW or DENY as allowing or denying provisioning of the affected features.

The policy value PROMPT asks the user to make the trust decision. To disable unsigned plug-in installation, set the above policy values to DENY.


TO CONFIGURE THE POLICY SETTINGS

You can use either of the following two methods (A or B) to configure the policy settings:

A. Set up the signed plug-in policy settings in a Domino desktop policy

You can use the Domino desktop Policy Settings document to configure the above preferences for clients running the Sametime embedded client; refer to the following documents:

" Pushing Eclipse preference settings" to Notes clients

" Creating a desktop policy settings document"

The brief steps:
    1. Create a desktop settings document (Configuration -> Policies -> Settings), go to the Custom Settings tab, and add the policy settings on the Managed Settings tab.
    2. Create a policy (Configuration -> Policies), select the desktop settings document from step 1 in the Desktop list, go to the Policy Assignment tab, and assign this policy to the selected users/groups. Save and close.

B. Set up the signed plug-in policy settings in a Sametime policy

You can use a Sametime policy to configure the signed plug-in policy settings; refer to the topic

" Automatically updating client preferences with the managed-settings.xml file"

The brief steps:
    1. Define the preferences in managed-settings.xml (note that the settingGroup name must be exactly com.ibm.rcp.security.update, with no surrounding spaces):
       <!-- All three policies set to DENY: unsigned, expired-signature and untrusted-signature plug-ins are refused -->
       <settingGroup name="com.ibm.rcp.security.update">
           <setting name="EXPIRED_SIGNATURE_POLICY" value="DENY"/>
           <setting name="UNSIGNED_PLUGIN_POLICY" value="DENY"/>
           <setting name="UNTRUSTED_SIGNATURE_POLICY" value="DENY"/>
       </settingGroup>
    2. Add a new Sametime policy in the Sametime System Console (SSC) or in the Sametime admin client (if the community server is not registered in the SSC). Set the Sametime update site URL to the URL that hosts managed-settings.xml, for example: http://server1.cn.ibm.com/sametime/updates/
    3. Assign the users or groups to this policy.
    4. Restart the community server for the new policy to take effect.

After a user assigned to this policy logs in, the client receives the policy and updates the relevant preferences.
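The following script is an added example, not IBM code or part of this bulletin. It audits a managed-settings.xml of the form shown in method B against the three policy preferences in the table above, applying the table's default values for any preference the file does not set, and builds the hardened settingGroup the workaround prescribes. The root element name ManagedSettings, the sample file contents and the function names are assumptions; the audit also reports a settingGroup name with surrounding whitespace, because the provisioning system is assumed to match the group name literally.

```python
"""Audit managed-settings.xml for the Expeditor signed plug-in policies.

Added example for this bulletin; not IBM's code. Only the settingGroup and
setting elements come from the bulletin; the root element name is assumed.
"""
import xml.etree.ElementTree as ET

GROUP = "com.ibm.rcp.security.update"
POLICIES = ("EXPIRED_SIGNATURE_POLICY",
            "UNSIGNED_PLUGIN_POLICY",
            "UNTRUSTED_SIGNATURE_POLICY")
# Default values taken from the bulletin's table.
DEFAULTS = {"EXPIRED_SIGNATURE_POLICY": "PROMPT",
            "UNSIGNED_PLUGIN_POLICY": "PROMPT",
            "UNTRUSTED_SIGNATURE_POLICY": "ALLOW"}
VALID = {"PROMPT", "ALLOW", "DENY"}
HARDENED = "DENY"  # the value the workaround prescribes for all three


def audit_plugin_policies(xml_text):
    """Return (effective, findings) for one managed-settings.xml document.

    effective maps each policy to (value, source), where source is "explicit"
    when the file sets it and "default" when the table's default applies.
    findings lists problems in plain text; an empty list means hardened.
    """
    root = ET.fromstring(xml_text)
    explicit = {}
    findings = []
    # iter() walks the whole tree, so the (assumed) root element name is irrelevant.
    for group in root.iter("settingGroup"):
        raw_name = group.get("name", "")
        if raw_name.strip() != GROUP:
            continue
        if raw_name != GROUP:
            # Tolerated for the audit, but reported: the client is assumed
            # to match the group name literally, so the group may be ignored.
            findings.append("settingGroup name %r has surrounding whitespace" % raw_name)
        for setting in group.findall("setting"):
            explicit[setting.get("name", "").strip()] = setting.get("value", "").strip()

    effective = {}
    for policy in POLICIES:
        if policy in explicit:
            value, source = explicit[policy], "explicit"
        else:
            value, source = DEFAULTS[policy], "default"
        effective[policy] = (value, source)
        if value not in VALID:
            findings.append("%s has unknown value %r" % (policy, value))
        elif value != HARDENED:
            findings.append("%s is %s (%s); expected %s" % (policy, value, source, HARDENED))
    return effective, findings


def hardened_settings_xml():
    """Build the settingGroup the workaround prescribes (all three set to DENY)."""
    root = ET.Element("ManagedSettings")  # root element name is an assumption
    group = ET.SubElement(root, "settingGroup", name=GROUP)
    for policy in POLICIES:
        ET.SubElement(group, "setting", name=policy, value=HARDENED)
    return ET.tostring(root, encoding="unicode")


# Constructed sample of a weak file: one policy hardened, one left at its
# default, one weakened to ALLOW, and a stray leading space in the group name.
WEAK_XML = """<ManagedSettings>
  <settingGroup name=" com.ibm.rcp.security.update">
    <setting name="UNSIGNED_PLUGIN_POLICY" value="DENY"/>
    <setting name="UNTRUSTED_SIGNATURE_POLICY" value="ALLOW"/>
  </settingGroup>
</ManagedSettings>
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_XML), ("hardened", hardened_settings_xml())):
        effective, findings = audit_plugin_policies(text)
        print(label, effective)
        for finding in findings:
            print("  FINDING:", finding)
```

Run against the constructed weak file, the audit reports three findings (the whitespace in the group name, EXPIRED_SIGNATURE_POLICY left at its PROMPT default, and UNTRUSTED_SIGNATURE_POLICY explicitly ALLOW); run against the output of hardened_settings_xml() it reports none. Applying the defaults from the table is the point of the check: a file that merely omits a policy is not hardened, because the client falls back to PROMPT or ALLOW.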

References:

Complete CVSS Guide
On-line Calculator V2
CVE: CVE-2013-6727


CVSS: http://xforce.iss.net/xforce/xfdb/89282

Acknowledgement:

The vulnerability was reported to IBM by: Colin Tucker of VoiceRite Inc.

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

30 January 2014 - Original version published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information


More support for:

IBM Sametime
Connect client

Software version:

8.5.2, 8.5.2.1, 9.0, 9.0.0.1

Operating system(s):

AIX, Apple iOS, Google Android, IBM i, Linux, Mac OS X, Windows

Software edition:

Communicate, Complete, Conference, Standard

Reference #:

1662725

Modified date:

2014-01-29
