IBM Support

Possible Java plug-in vulnerability in Lotus Notes

Technote (FAQ)


David Gloede contacted IBM Lotus to report that the Notes® client was affected by a Java plug-in vulnerability originally documented in an advisory by Jouko Pynnonen. This Java vulnerability involves the execution of JavaScript within a Java applet to gain escalated privileges.

In order for an attacker to successfully exploit this vulnerability in previous releases, the following must be accomplished:

(1) Lotus Notes client must have the "Enable Java access from JavaScript" option enabled within User Preferences.

(2) Attacker must create a Java applet which utilizes JavaScript to execute Java code that will escalate the attackers access privileges.

(3) Attacker must attach the Java applet to an email and send the mail message to a user.

(4) User must open the message.


The Java Virtual Machine (JVM) fix for the vulnerability reported as Sun Alert # 57591/101523 has been incorporated into Notes release 7.0.2. Notes release 8.0 is not affected by this vulnerability.

For Notes releases prior to 7.0.2, it is recommended that you disable the "Enable Java access from JavaScript" preference.

To manage the User Preferences for a all users

Administrators can centrally manage the User Preferences by using a Desktop Policy.

1. Open the Domino Directory and go to the Policy section.

2. Choose the Desktop Policy and navigate to the "Preferences" tab

3. Select the "Miscellaneous" tab.

4. Deselect "Enable Java access from JavaScript".

To learn more about the Desktop Policy and how to manage it, refer to the Domino Administrator Help.

To change the User Preferences for a single user.

1. From the Lotus Notes menu, select File ->Preferences ->User Preferences.

2. Select the Basics tab, and navigate to the Additional Options section.

3. Deselect "Enable Java access from JavaScript".

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 5.8 >
Impact Subscore: < 4.9 >
Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 4.5 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 4.5 >
    Base Score Metrics:
    • Related exploit range/Attack Vector: < Network >
    • Access Complexity: < Medium >
    • Authentication < None >
    • Confidentiality Impact: < None >
    • Integrity Impact: < Partial >
    • Availability Impact: < Partial >
    Temporal Score Metrics:
    • Exploitability: < Proof of Concept Code >
    • Remediation Level: < Official Fix >
    • Report Confidence: < Confirmed >

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.

Document information

More support for: Lotus End of Support Products
Lotus Notes

Software version: 6.5, 7.0

Operating system(s): Windows

Reference #: 1257249

Modified date: 22 May 2011