IBM Support

Lotus Domino IMAP buffer overflow vulnerability

Technote (FAQ)


VeriSign iDefense VCP contacted IBM® Lotus® to report a potential buffer overflow vulnerability with the Domino® IMAP server task.

The advisory can be accessed at the following link:


If the IMAP server task is enabled on a Domino server and an attacker is able to open a TCP connection (for example, via telnet) to it, the attacker can trigger a buffer overflow in the IMAP task, resulting in arbitrary code execution or a denial of service.

In order for an attacker to successfully exploit this vulnerability, they must accomplish the following:

-- The Lotus Domino server must have the IMAP server task enabled
-- The attacker must establish a TCP session with the Domino IMAP server on TCP port 143
-- The attacker must authenticate with valid credentials
-- Execute arbitrary code


This issue was reported to Quality Engineering as SPR# PRAD74LKW5, and has been fixed in Domino releases 6.5.6 Fix Pack 2 (FP2), 7.0.2 Fix Pack 3 (FP3), 7.0.3 and 8.0. Refer to the Upgrade Central site for details on upgrading Notes/Domino.

Employ firewalls to limit access to Domino servers over IMAP. This will mitigate exposure to this vulnerability.

Security Rating using Common Vulnerability Scoring System (CVSS) version 2
CVSS Base Score: < 7.1 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 3.9 >
CVSS Temporal Score: < 5.6 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 5.6 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < High >
  • Authentication: < Single Instance >
  • Confidentiality Impact: < Complete >
  • Integrity Impact: < Complete >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept >
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.

Document information

More support for: Lotus End of Support Products
Lotus Domino

Software version: 6.5, 7.0

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 1270623

Modified date: 08 January 2008