IBM Support

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Notes and Domino

Security Bulletin


Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 6 SR16FP3 that is used by IBM Notes and Domino. These issues were disclosed as part of the IBM Java SDK updates in January 2015, which was released for Notes and Domino as the March 2015 Security Bulletin: Multiple Vulnerabilities in the IBM Java SDK affect IBM Notes and Domino. This bulletin also addresses the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability for IBM Java in Notes and Domino.

Vulnerability Details

CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.

This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


CVEID: CVE-2014-6549
DESCRIPTION: An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100141 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0408
DESCRIPTION: An unspecified vulnerability related to the RMI component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100142 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2015-0412
DESCRIPTION: An unspecified vulnerability related to the JAX-WS component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0403
DESCRIPTION: An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 6.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100145 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0406
DESCRIPTION: An unspecified vulnerability related to the Deployment component has partial confidentiality impact, no integrity impact, and partial availability impact.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100147 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVEID: CVE-2015-0410
DESCRIPTION: An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0407
DESCRIPTION: An unspecified vulnerability related to the Swing component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100150 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-0400
DESCRIPTION: An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100149 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6587
DESCRIPTION: An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and partial availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100152 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:S/C:P/I:P/A:P)

CVEID: CVE-2014-6593
DESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-6591
DESCRIPTION: An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100155 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)


CVEID: CVE-2014-6585
DESCRIPTION: An unspecified vulnerability related to the 2D component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100154 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-8891
DESCRIPTION: A vulnerability in the IBM implementation of the Java Virtual Machine may, under very limited circumstances, allow untrusted code running under a security manager to escalate its privileges.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99010 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-8892
DESCRIPTION: A vulnerability in the IBM implementation of the Java Virtual Machine may, under very limited circumstances, allow untrusted code running under a security manager to bypass permission checks and view sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99011 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

    • IBM Notes and Domino 9.0.1 Fix Pack 3 (plus Interim Fixes) and earlier
    • IBM Notes and Domino 8.5.3 Fix Pack 6 (plus Interim Fixes) and earlier
    • IBM Notes and Domino 8.5.3 Fix Pack 5 (plus Interim Fixes) and earlier
    • All 9.0 and 8.5.x releases of IBM Notes and Domino prior to those listed above.

Remediation/Fixes

IBM Notes and Domino - Multiple vulnerabilities in IBM Java (Oracle January 2015 Critical Patch Update) including FREAK are also tracked as SPR KLYH9URMSY. See below for download links for a single standalone Java patch that addresses these vulnerabilities.
These installers also include a fix for a functional regression in Java 1.6SR16 FP2 (Oracle October 2014 Critical Patch Update) where LS2J cannot instantiate a Java object from LotusScript. This issue is tracked as SPR RGAU9T8P4Y.

Note: We do not ship a JVM installer for Mac because we do not bundle the JVM for Mac platforms. We use the JVM on the Mac OS. Therefore, any JVM updates for Mac would need to be obtained directly from Apple.

- 9.0.1 Fix Pack 3. The fix is available for multiple platforms as a single standalone Java patch that covers Notes and Domino version 9.0.1 Fix Pack 3 (plus Interim Fixes) .
- 8.5.3 Fix Packs 5 and 6. The fix is also available for multiple platforms as a single standalone Java patch that covers Notes and Domino version 8.5.3 Fix Packs 5 and 6 (plus Interim Fixes).

Workarounds and Mitigations

Administrators can help to protect their Domino servers against unauthorized access by strictly limiting the use of Java functions on the server through careful population of the Programmability Restrictions section on the Security tab of the Server document. In particular, IBM recommends prohibiting server access of unsigned Java.

Likewise, administrators can use Policies to configure Notes client Execution Control Lists to limit such attacks against the Notes client.

Get Notified about Future Security Bulletins

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

CVE-2015-0138 was reported to IBM by Karthikeyan Bhargavan of the PROSECCO team at INRIA

Change History

02-Apr-2015 Draft 0

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment Product Component Platform Version Edition
Messaging Applications IBM Notes

Document information

More support for: IBM Domino

Software version: 9.0.1.2, 9.0.1.3

Operating system(s): AIX, Linux, Windows

Reference #: 1701319

Modified date: 06 April 2015