Security Bulletin: Vulnerability in Apache Commons affects IBM Notes and Domino (CVE-2015-7450)

Summary

A vulnerability in the Apache Commons Collections handling of Java object deserialization is addressed by IBM Notes Standard Client versions 9.0.1 FP5 and 8.5.3 FP6 Interim Fix 7 and Domino versions 9.0.1 FP5 and 8.5.3 FP6 Interim Fix 11.

This vulnerability impacts IBM Domino running as a web server and/or Notes and Domino running any Java applications (including agents) that use the InvokerTransformer class.

Vulnerability Details


CVEID: CVE-2015-7450
DESCRIPTION:
Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with the Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.

Affected Products and Versions

IBM Domino 9.0.1 through 9.0.1 Fix Pack 4 Interim Fix 3
IBM Domino 9.0.0x
IBM Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 10
IBM Domino 8.5.2x
IBM Domino 8.5.1x

IBM Notes Standard Client 9.0.1 through 9.0.1 Fix Pack 4 Interim Fix 2
IBM Notes Standard Client 9.0.0x
IBM Notes Standard Client 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 6
IBM Notes Standard Client 8.5.2x
IBM Notes Standard Client 8.5.1x

The Notes Basic client is not affected.

Remediation/Fixes

The Notes and Domino Apache Commons Collections vulnerability is tracked as SPRs KLYHA46M6C (Notes) and KLYHA46ML7 (Domino). The fix is introduced in the following releases:

    • Notes 9.0.1 Fix Pack 5
    • Notes 8.5.3 Fix Pack 6 Interim Fix 7
    • Domino 9.0.1 Fix Pack 5
    • Domino 8.5.3 FP6 Interim Fix 11

For download links, refer to the following technotes:

Customers who remain on the following releases may open a Service Request with IBM Support and reference either SPR KLYHA46M6C (Notes) or SPR KLYHA46ML7 (Domino) for a custom hotfix:
    • IBM Domino 9.0.1 through 9.0.1 Fix Pack 4 Interim Fix 3
    • IBM Domino 9.0.0x
    • IBM Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 10
    • IBM Domino 8.5.2x
    • IBM Domino 8.5.1x

    • IBM Notes 9.0.1 through 9.0.1 Fix Pack 4 Interim Fix 2
    • IBM Notes 9.0.0x
    • IBM Notes 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 6
    • IBM Notes 8.5.2x
    • IBM Notes 8.5.1x


IBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.

Workarounds and Mitigations

None

References

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment: Messaging Applications
Product: IBM Notes

Document information

More support for: IBM Domino / Security

Software version: 8.5, 8.5.1, 8.5.2, 8.5.3, 9.0, 9.0.1

Operating system(s): AIX, IBM i, Linux, Windows

Reference #: 1971751

Modified date: 02 February 2016