Security Bulletin: Vulnerability in Apache Commons affects IBM Notes and Domino (CVE-2015-7450)
An Apache Commons Collections vulnerability in its handling of Java object deserialization is addressed by IBM Notes Standard Client versions 9.0.1 FP5 and 8.5.3 FP6 Interim Fix 7 and Domino versions 9.0.1 FP5 and 8.5.3 FP6 Interim Fix 11.
This vulnerability affects IBM Domino running as a web server and/or Notes and Domino running any Java applications (including agents) that use the InvokerTransformer class.
DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
IBM Domino 9.0.1 through 9.0.1 Fix Pack 4 Interim Fix 3
IBM Domino 9.0.0x
IBM Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 10
IBM Domino 8.5.2x
IBM Domino 8.5.1x
IBM Notes Standard Client 9.0.1 through 9.0.1 Fix Pack 4 Interim Fix 2
IBM Notes Standard Client 9.0.0x
IBM Notes Standard Client 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 6
IBM Notes Standard Client 8.5.2x
IBM Notes Standard Client 8.5.1x
The Notes Basic client is not affected.
The Notes and Domino Apache Commons Collections vulnerability is tracked as SPRs KLYHA46M6C (Notes) and KLYHA46ML7 (Domino). The fix is introduced in the following releases:
- Notes 9.0.1 Fix Pack 5
- Notes 8.5.3 Fix Pack 6 Interim Fix 7
- Domino 9.0.1 Fix Pack 5
- Domino 8.5.3 Fix Pack 6 Interim Fix 11
For download links, refer to the following technotes:
- Notes & Domino 9.0.1 Fix Pack 5 http://www.ibm.com/support/docview.wss?uid=swg24037141
- Notes 64-bit (for Mac) 9.0.1 Interim Fix 1 http://www.ibm.com/support/docview.wss?uid=swg21657963
- Notes 9.0.1 Fix Pack 5 Interim Fix 1 (Windows only) http://www.ibm.com/support/docview.wss?uid=swg21657963
- Notes & Domino 8.5.3 Fix Pack 6 Interim Fixes http://www.ibm.com/support/docview.wss?uid=swg21663874
Customers who remain on the following releases may open a Service Request with IBM Support and reference either SPR KLYHA46M6C (Notes) or SPR KLYHA46ML7 (Domino) for a custom hotfix:
- IBM Domino 9.0.1 through 9.0.1 Fix Pack 4 Interim Fix 3
- IBM Domino 9.0.0x
- IBM Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 10
- IBM Domino 8.5.2x
- IBM Domino 8.5.1x
- IBM Notes 9.0.1 through 9.0.1 Fix Pack 4 Interim Fix 2
- IBM Notes 9.0.0x
- IBM Notes 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 6
- IBM Notes 8.5.2x
- IBM Notes 8.5.1x
IBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.
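The environment review IBM recommends above, as an added example that is not part of the bulletin: a scanner that walks a directory tree, finds JAR/WAR/EAR archives bundling the InvokerTransformer class, and reports the bundled Commons Collections version. The fix cut-off it applies (3.2.2 for the 3.x line, 4.1 for the 4.x line) is the upstream fix and is an assumption the bulletin itself does not state.

```python
# Added example, not from the IBM bulletin: find archives that bundle Commons Collections'
# InvokerTransformer and flag versions predating the upstream fix (3.2.2 / 4.1, assumed here).
import os
import re
import zipfile

INVOKER_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
FIXED = {3: (3, 2, 2), 4: (4, 1, 0)}  # first release of each line without the unsafe default

def parse_version(text):
    """'3.2.1' or '4.0' -> tuple padded to three ints, or None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None

def bundled_version(path):
    """Version inside a JAR ('unknown' if unreadable), or None if InvokerTransformer is absent."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        if not any(c in names for c in INVOKER_CLASSES):
            return None
        # Maven pom.properties carries a version= line; the manifest is the fallback.
        sources = [(n, "version=") for n in names
                   if n.startswith("META-INF/maven/") and n.endswith("pom.properties")]
        sources.append(("META-INF/MANIFEST.MF", "Implementation-Version:"))
        for name, key in sources:
            if name in names:
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith(key):
                        return line[len(key):].strip()
    return "unknown"

def is_affected(version):
    v = parse_version(version)  # unparseable -> treat as affected until confirmed
    return v is None or (v[0] in FIXED and v < FIXED[v[0]])

def scan(root):
    """Map each archive under root that bundles InvokerTransformer to (version, affected)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files
                     if f.lower().endswith((".jar", ".war", ".ear"))):
            ver = bundled_version(path)
            if ver is not None:
                findings[path] = (ver, is_affected(ver))
    return findings
```

Jars nested inside a WAR or EAR (for example under WEB-INF/lib) are not opened by this scanner; extract them first or add a recursive pass.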
Workarounds and Mitigations
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
More support for: IBM Notes (Messaging Applications)
Software version: 8.5, 8.5.1, 8.5.2, 8.5.3, 9.0, 9.0.1
Operating system(s): AIX, IBM i, Linux, Windows
Reference #: 1971751
Modified date: 02 February 2016