IBM Support

Fix available for potential security vulnerability in IBM Sametime

Fix readme


Abstract

A fix is available for a security vulnerability that has been identified for IBM Sametime clients. This vulnerability could allow a remote attacker to send specially crafted commands to a user within a Sametime IM chat. The issue exists in both the Sametime rich client (Sametime Connect or embedded Sametime in Notes) and the web client.

Content

A fix is available that removes the vulnerability for both the rich client and the web client. SPR# KBIM8T2KWR has been created to report this issue; see also "Security Bulletin: Sametime Client Vulnerability". If you have questions about downloading and applying this fix, you are invited to make use of the IBM Sametime forum to post questions and share tips.
Contents:

  • Affected client types
  • Fix download links
  • Installation instructions


Affected client types




This potential vulnerability affects the following Sametime clients: For specific versions affected, refer to the fix tables below.

The following client types are not affected by this issue:
  • Sametime Mobile clients
  • STLinks integration
  • Sametime version 8.0.1, 8.0.0 or 7.5.1 of all rich clients (Notes embedded and stand-alone)
  • Embedded Sametime in Notes 8.5.3 FP2 client
  • Notes Basic clients
  • Proxy 8.5 SDK clients
  • Clients using Sametime Gateway connecting to a third-party IM gateway

You can use the following technote to identify what embedded version is in use in your Notes environment: "What Sametime client versions are embedded in what Notes client versions?" (1370003).


Fix download links

The fix for this security vulnerability is posted to IBM Fix Central. Refer to the tables below for direct links to the fix by client type and version.

For Sametime Connect client (stand-alone)

Sametime version (shipped in the box)   Fix delivery vehicle
8.0.2                                   8.0.2.0-ST-Client-FP-CDLL-8WG5UB
8.5.1, 8.5.1.1                          8.5.1.0-ST-Client-FP-CDLL-8WG6NE
8.5.2, 8.5.2.1                          8.5.2.1-ST-Client-FP-CDLL-8WWKB2

For embedded Sametime in Notes (Shipped in the box)

Client        Sametime version (shipped in the box)   Fix delivery vehicle
Notes 8.5.1   8.0.2                                   Notes_851FP5IF3_Standard_W32
Notes 8.5.2   8.0.2                                   Notes_852FP4IF2_Standard_W32
Notes 8.5.3   8.5.1                                   8.5.3 Fix Pack 2 Incremental Installers

For embedded Sametime in Notes, updated by use of the add-on installer (Not shipped in the box)

Client        Sametime version (shipped in the box)   Add-on installer          Fix delivery vehicle
Notes 8.5.1   8.0.2                                   Sametime 8.5.1, 8.5.1.1   8.5.1.0-ST-Client-FP-CDLL-8WG6NE
Notes 8.5.2   8.0.2                                   Sametime 8.5.1, 8.5.1.1   8.5.1.0-ST-Client-FP-CDLL-8WG6NE
                                                      Sametime 8.5.2, 8.5.2.1   8.5.2.1-ST-Client-FP-CDLL-8WWKB2
Notes 8.5.3   8.5.1                                   Sametime 8.5.2, 8.5.2.1   8.5.2.1-ST-Client-FP-CDLL-8WWKB2

For Sametime Proxy Server and Web client

Sametime Proxy Server version   Fix delivery vehicle
8.5                             8500-ST-Proxy-IF-OOSN-8VHFH6
8.5.1.1                         8511-ST-Proxy-IF-OOSN-8VHF6R
8.5.2.1                         ST-Proxy-IF-AGRE-94AF9F

For Sametime Gateway to Sametime Gateway connections

To address the vulnerability for Sametime Gateway to Sametime Gateway connections, you apply the fix for the clients that are accessing the Sametime Gateway.


Installation instructions

The steps to apply the fix vary by client type and version, as follows:
  • Sametime Connect 8.0.2
  • Sametime Connect 8.5.1 and embedded Sametime 8.5.1
  • Sametime Connect 8.5.2 and embedded Sametime 8.5.2
  • Lotus Notes 8.5.1, 8.5.2 and 8.5.3
  • Sametime Proxy Server 8.5
  • Sametime Proxy Server 8.5.1.1
  • Sametime Proxy Server 8.5.2 IFR 1



Sametime Connect 8.0.2

Use the following steps to update a single Sametime Connect 8.0.2 client:

1. Unzip "sametime.patches.update.site.20120504.0400.zip" to a local directory.
2. Launch the Sametime Connect client and log in.
3. Select Tools -> Plug-ins -> Install Plugins...
4. In the update manager wizard, select "Search for new features to install", then click Next.
5. Select "Add Folder Location...". Navigate to the "updateSite" directory underneath the location where "sametime.patches.update.site.20120504.0400.zip" was unzipped.
6. Click OK to accept the site, and then click Finish to proceed.
7. In the "Select Features to Install" box, check all feature patches.
8. Click Next, complete the license page, and click Finish.
9. Select "Install" on the next page.
10. After the feature is installed, you should be prompted to restart. Select OK.

For deployment to multiple clients, refer to the following document about setting up automatic updates: Adding optional features to the client after install



Sametime Connect 8.5.1 and embedded Sametime 8.5.1

The Sametime Connect 8.5.1 cumulative fix package is available in the form of install packages for Windows (windows.zip), Mac (macosx.zip), and Linux (linux.zip).

The following table outlines the install packages by operating system and client type (operating system, client type, package name, description):

Windows
  Sametime Connect 8.5.1 stand-alone
    sametime.hotfix.win32.no.oi_20120414-1745.exe
      Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.1 without OI (Office Integration) features
    sametime.hotfix.win32_20120414-1745.exe
      Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.1 with OI (Office Integration) features
  Embedded Sametime in Notes 8.5.1 Fix Pack 2 or later
    sametime.embedded.addon.win32_20120414-1745.exe
      Windows self-extracting executable containing MSI install files to fix embedded Sametime in Notes 8.5.1 Fix Pack 2 or later

Mac OSX
  Sametime Connect 8.5.1 stand-alone
    sametime.hotfix.macosx_20120414-1745.tar
      Single TAR compressed file containing the Mac PKG install package to fix stand-alone Sametime Connect
  Embedded Sametime in Notes 8.5.1 Fix Pack 2 or later
    sametime.embedded.addon.macosx_20120414-1745.tar
      Single TAR compressed file containing the Mac PKG install package to fix embedded Sametime in Notes 8.5.1 Fix Pack 2 or later

Linux
  Sametime Connect 8.5.1 stand-alone
    sametime-hotfix-8.5.1-20120414.2015.i586.rpm
      Linux RPM install package to fix stand-alone Sametime Connect
    sametime-hotfix-8.5.1-20120414.2015.i386.deb
      Linux Debian install package to fix stand-alone Sametime Connect
  Embedded Sametime in Notes 8.5.1 Fix Pack 2 or later
    sametime-connect-embedded-8.5.1-20120414.2015.i586.rpm
    sametime-connect-embedded-core-8.5.1-20120414.2015.i586.rpm
      Two Linux RPM install packages to fix embedded Sametime in Notes 8.5.1 Fix Pack 2 or later
    sametime-connect-embedded-8.5.1-20120414.2015.i386.deb
    sametime-connect-embedded-core-8.5.1-20120414.2015.i386.deb
      Two Linux Debian install packages to fix embedded Sametime in Notes 8.5.1 Fix Pack 2 or later


Windows install steps

A Windows user can manually install this update by executing the sametime.hotfix.win32.no.oi_20120414-1745.exe file.
1. Close the Sametime client if it is running
2. Launch the fix install executable: sametime.hotfix.win32.no.oi_20120414-1745.exe
3. When the Language dialog appears, select the language and click Next
4. The install wizard appears. Click Next to start, read the license agreement, and click Accept if you choose to accept it
5. Click Install to begin the installation
6. When the install completes, click Finish

For a Notes 8.5.1 Fix Pack 2 or later client, run the sametime.embedded.addon.win32_20120414-1745.exe file instead. The dialogs and steps are similar to those above.

--------------------
Mac OSX install steps

Both the stand-alone and embedded forms of the fix for the Mac OSX platform are provided as TAR archives containing standard PKG files. Extract the TAR archive to a folder, and you will see the standard PKG set of files.

Refer to the Apple installer Manual page for options and parameters that can be used:
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man8/installer.8.html

--------------------
Linux install steps

Both the stand-alone and embedded forms of the fix for the Linux platform are provided as Linux RPM and Debian DEB packages. Refer to the standard documentation on installing and managing RPM or DEB packages on Linux.



Sametime Connect 8.5.2 and embedded Sametime 8.5.2

The Sametime Connect 8.5.2 cumulative fix package is available in the form of install packages for Windows (windows.zip), Mac (macosx.zip), and Linux (linux.zip).

The following table outlines the install packages by operating system and client type (operating system, client type, package name, description):

Windows
  Sametime Connect 8.5.2 stand-alone
    sametime.hotfix.win32.no.oi_20120803-1300.exe
      Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.2 without OI (Office Integration) features
    sametime.hotfix.win32_20120803-1300.exe
      Windows self-extracting executable containing the MSI install files to fix stand-alone Sametime Connect 8.5.2 with OI (Office Integration) features
  Embedded Sametime in Notes 8.5.2
    sametime.embedded.addon.win32_20120803-1300.exe
      Windows self-extracting executable containing MSI install files to fix embedded Sametime in Notes 8.5.2

Mac OSX
  Sametime Connect 8.5.2 stand-alone
    sametime.hotfix.macosx_20120803-1300.tar
      Single TAR compressed file containing the Mac PKG install package to fix stand-alone Sametime Connect
  Embedded Sametime in Notes 8.5.2 or later
    sametime.embedded.addon.macosx_20120803-1300.tar
      Single TAR compressed file containing the Mac PKG install package to fix embedded Sametime in Notes 8.5.2 or later

Linux
  Sametime Connect 8.5.2 stand-alone
    sametime-hotfix-8.5.2-20120803.1615.i586.rpm
      Linux RPM install package to fix stand-alone Sametime Connect
    sametime-hotfix-8.5.2-20120803.1615.i386.deb
      Linux Debian install package to fix stand-alone Sametime Connect
  Embedded Sametime in Notes 8.5.2 or later
    sametime-connect-embedded-8.5.2-20120803.1615.i586.rpm
    sametime-connect-embedded-core-8.5.2-20120803.1615.i586.rpm
      Two Linux RPM install packages to fix embedded Sametime in Notes 8.5.2 or later
    sametime-connect-embedded-8.5.2-20120803.1615.i386.deb
    sametime-connect-embedded-core-8.5.2-20120803.1615.i386.deb
      Two Linux Debian install packages to fix embedded Sametime in Notes 8.5.2 or later


Windows install steps

A Windows user can manually install this update by executing the sametime.hotfix.win32.no.oi_20120803-1300.exe file.
1. Close the Sametime client if it is running
2. Launch the fix install executable: sametime.hotfix.win32.no.oi_20120803-1300.exe
3. When the Language dialog appears, select the language and click Next
4. The install wizard appears. Click Next to start, read the license agreement, and click Accept if you choose to accept it
5. Click Install to begin the installation
6. When the install completes, click Finish

For a Notes 8.5.2 or later client, run the sametime.embedded.addon.win32_20120803-1300.exe file instead. The dialogs and steps are similar to those above.

--------------------
Mac OSX install steps

Both the stand-alone and embedded forms of the fix for the Mac OSX platform are provided as TAR archives containing standard PKG files. Extract the TAR archive to a folder, and you will see the standard PKG set of files.

Refer to the Apple installer Manual page for options and parameters that can be used:
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man8/installer.8.html

--------------------
Linux install steps

Both the stand-alone and embedded forms of the fix for the Linux platform are provided as Linux RPM and Debian DEB packages. Refer to the standard documentation on installing and managing RPM or DEB packages on Linux.



Notes 8.5.1, 8.5.2 and 8.5.3

Shut down the Notes client, and double-click the executable fix file. Fixes for Windows only are posted to IBM Fix Central. If you need the fix for Mac or Linux platforms, open a service request with IBM Support.



Sametime Proxy Server 8.5

1. Download the fix 8500-ST-Proxy-IF-OOSN-8VHFH6 from IBM Fix Central
2. Stop the STProxy Server
3. Create a backup of /IBM/WebSphere/AppServer/profiles/<STProxyProfile>/optionalLibraries/stproxy/stproxyservices.jar
4. Copy the stproxyservices.jar from the fix to /IBM/WebSphere/AppServer/profiles/<STProxyProfile>/optionalLibraries/stproxy
5. Restart the STProxy Server
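Steps 3 and 4 above, as an added shell example that is not part of IBM's readme: it makes a timestamped backup of the existing stproxyservices.jar, copies the fixed jar into place and verifies the copy byte for byte, refusing to proceed if either file is missing, so the same step can be repeated on every node. The function name apply_stproxy_fix, its arguments and the constructed demo layout are assumptions; the profile directory layout is the one named in the readme.

```shell
#!/bin/sh
# Added example (not IBM's code): back up and replace stproxyservices.jar for the
# Sametime Proxy Server 8.5 fix. Stop the STProxy Server before running this,
# and restart it afterwards, as the readme's steps 2 and 5 require.
set -u

apply_stproxy_fix() {
    profile_dir=$1   # e.g. /IBM/WebSphere/AppServer/profiles/<STProxyProfile>
    new_jar=$2       # path to the stproxyservices.jar extracted from the fix
    lib_dir="$profile_dir/optionalLibraries/stproxy"
    target="$lib_dir/stproxyservices.jar"

    [ -f "$new_jar" ] || { echo "fix jar not found: $new_jar" >&2; return 1; }
    [ -f "$target" ]  || { echo "existing jar not found: $target" >&2; return 1; }

    # Step 3: keep a backup before anything is overwritten.
    backup="$target.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$target" "$backup" || return 1

    # Step 4: copy the fixed jar into place, then confirm the bytes match.
    cp "$new_jar" "$target" || return 1
    cmp -s "$new_jar" "$target" || { echo "copy verification failed" >&2; return 1; }
    echo "installed fix jar; backup kept at $backup"
}

# Demo on a constructed directory layout so the script runs offline
# (sample files only, not a real WebSphere profile).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/profile/optionalLibraries/stproxy"
printf 'old' > "$demo_root/profile/optionalLibraries/stproxy/stproxyservices.jar"
printf 'new' > "$demo_root/stproxyservices.jar"
apply_stproxy_fix "$demo_root/profile" "$demo_root/stproxyservices.jar"
```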



Sametime Proxy Server 8.5.1.1

Download the fix 8511-ST-Proxy-IF-OOSN-8VHF6R from IBM Fix Central.

  • STProxyHotfix.zip contains the update to be applied.
  • Instructions are provided in the readme.txt included in the fix package.
  • The STProxy Server needs to be stopped prior to the update being applied.



Sametime Proxy Server 8.5.2 IFR 1

There is a newer Cumulative Hotfix available for Sametime Proxy 8.5.2 IFR 1 that contains these fixes. Please refer to technote # 1623979 for the latest information.

Prerequisite: The Sametime System Console must be at version 8.5.2 IFR 1. If not, then you will see a failure message during the fix install noting an incorrect version level. Refer to Installing Sametime 8.5.2 Interim Feature Release 1 on the Sametime System Console to get started.

This fix must be installed on top of a Sametime Proxy Server 8.5.2 Interim Feature Release 1 (IFR 1). If the server is running 8.5.2 (without the IFR 1 fix), then the IFR 1 fix will be automatically installed.

To install this fix on a Sametime Proxy Server node, follow these steps:

1. Download the fix ST-Proxy-IF-AGRE-94AF9F from IBM Fix Central

2. Shut down the Sametime Proxy Server

3. Copy the file you downloaded onto the Sametime Proxy Server

4. Unzip the file on the server file system

5. Apply the fix by running the appropriate update command:

  • If running on the Microsoft Windows operating system, run the update.bat batch file
  • If running on the AIX, Linux or Solaris operating systems, run the update.sh script
  • If running on IBM i, run the IBMi\stii_sp\install_stp.sh script

6. Follow the instructions on screen until the installation completes

If you are running a multi-node (cluster) configuration, then repeat these instructions on each node.

Document information

More support for: Lotus End of Support Products
IBM Sametime

Software version: 8.0.2, 8.5.1, 8.5.1.1, 8.5.2, 8.5.2.1

Operating system(s): Linux, OS X, Windows

Reference #: 1599114

Modified date: 22 August 2017