Security Bulletin: Various Meeting Server Security Fixes

Summary

Various security fixes for the IBM Sametime Meeting Server

Vulnerability Details

CVE-ID: CVE-2013-3046
DESCRIPTION:

    HSTS (HTTP Strict Transport Security) is not used. This header informs supporting browsers that the site should only be accessed over an SSL-protected connection (HTTPS).
    Without it, an attacker may exploit the initial plain-HTTP connection and its redirection to perform a man-in-the-middle (MITM) attack.

CVSS:
===================================================

CVE-ID: CVE-2013-3975

DESCRIPTION:
    Unauthenticated users can search for and retrieve information on users, including a user's user name, full name and email address.

CVSS:
===================================================

CVE-ID: CVE-2013-3977

DESCRIPTION:
    Given a list of known users, it is possible to discover the meeting rooms owned by a specific user without authentication.

CVSS:
===================================================

CVE-ID: CVE-2013-3980

DESCRIPTION:
    An attacker could cause a denial of service by flooding a meeting room with bogus users until the meeting becomes unusable.

CVSS:
===================================================

CVE-ID: CVE-2013-3981

DESCRIPTION:
    It is possible for an unauthenticated user to extract photos/avatars of users from the Sametime system.

CVSS:
===================================================

CVE-ID: CVE-2013-3982

DESCRIPTION:
    The application includes a public page that exposes technical information about the system in use and its installation details to unauthorized users.

CVSS:
===================================================

CVE-ID: CVE-2013-3984

DESCRIPTION:
    Cookies carry the values that web applications use to identify session state and other settings, and therefore should be appropriately secured. Cookies issued over a secure connection should not be transferable over an unencrypted channel, and should not be readable by client-side scripting in the browser unless that is needed.

CVSS:
===================================================

CVE-ID: CVE-2014-0050

DESCRIPTION:
    Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by improper handling of the Content-Type HTTP header for multipart requests.

CVSS:
===================================================

CVE-ID: CVE-2014-0906

DESCRIPTION:
    Session cookies remained valid after expiration or invalidation and could still be used for certain queries, such as user search.

CVSS:
===================================================

CVE-ID: CVE-2014-3014

DESCRIPTION:
    IBM Lotus Sametime Meeting Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVSS:

Affected Products and Versions

IBM Sametime Meeting Server version 9 and version 8.5.2.x

Remediation/Fixes

Fixes are available via this technote:
"Security fixes for Sametime Meeting Server" (#1673224)


Security enhancement configuration steps for the Sametime Meeting Server:

NOTE: Server needs to be restarted for these configurations to take effect.

Admin Console:

1. Go to Servers > Server Types > WebSphere application servers > STMeetingServer > Web container > Custom properties

2. Add a new custom property called com.ibm.ws.webcontainer.HTTPOnlyCookies

3. Set the value to JSESSIONID, LtpaToken2 (com.ibm.ws.webcontainer.HTTPOnlyCookies=JSESSIONID, LtpaToken2)

4. Select Security > Global Security > Web and SIP security > Single sign-on (SSO)

    • Check the checkbox for "Requires SSL"
    • For version 9 only:
      • Check the checkbox "Set security cookies to HTTPOnly to help prevent cross-site scripting attacks"

5. Select Servers > Server Types > WebSphere application servers > STMeetingServer > Web Container Settings > Web container > Session management
    • For 8.5.2.x only:
      • Check the checkbox for "Security integration"
    • Click "Enable cookies" and check the checkbox for "Restrict cookies to HTTPS sessions."

Integrated Solutions Console:

1. Click Sametime System Console > Sametime Servers > Sametime Meeting Servers

2. In the Meeting Servers list, click a server with the configuration that you want to change

3. Click the Server Configuration tab

4. Click Edit

5. Change the value for rtc4web.ipLimit to the desired maximum number of connections from a single IP

6. Scroll down to the meetingroom.allowGuestAccess configuration key

7. In the Configuration Value field, type 0 to deny unauthenticated user access to meeting rooms

8. Scroll down to the meetingroomcenter.allowGuestAccess configuration key

9. In the Configuration Value field, type 0 to deny unauthenticated user access to meeting rooms

10. Scroll down to the userInfoAllowAnonymousImageLookup configuration key

11. In the Configuration Value field, type false to deny unauthenticated user access to meeting rooms (Note: Images are cached for up to an hour. Changing this setting may require an hour for the behavior to change.)

12. For version 9 only (related to server side-recording), set the following:
    • recording.capture.meetingServerAddress = <change to https and port>
    • recording.capture.serverAddress = <change to https and port>


Restricting server to accept HTTPS connections only:

1. Use the instructions from: Accept HTTPS Only
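As an added post-change check (example code, not IBM's or the product's), the following script inspects a captured HTTP response head and reports whether the settings from the Admin Console cookie steps (Secure and HttpOnly on JSESSIONID and LtpaToken2, CVE-2013-3984) and the HSTS header described under CVE-2013-3046 are actually in effect. The two sample responses are constructed; the header names are the standard HTTP ones.

```python
# Added check (not IBM code): flags missing HSTS / Secure / HttpOnly on session cookies.
SESSION_COOKIES = ("JSESSIONID", "LtpaToken2")

def parse_headers(raw: str) -> list:
    """Split a raw response head into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.split("\r\n")[1:]:      # [1:] skips the status line
        if not line:                        # blank line ends the head
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_response(raw: str) -> dict:
    """Return {'hsts': bool, 'cookies': {name: {'secure': b, 'httponly': b}}}."""
    findings = {"hsts": False, "cookies": {}}
    for name, value in parse_headers(raw):
        if name == "strict-transport-security":
            findings["hsts"] = True
        elif name == "set-cookie":
            cookie, _, rest = value.partition("=")
            # attributes follow the value, separated by ';' (e.g. Path=/; Secure)
            attrs = {a.strip().split("=")[0].lower() for a in rest.split(";")[1:]}
            if cookie.strip() in SESSION_COOKIES:
                findings["cookies"][cookie.strip()] = {
                    "secure": "secure" in attrs, "httponly": "httponly" in attrs}
    return findings

def issues(raw: str) -> list:
    """List what is still missing, mapped to the CVEs in this bulletin."""
    found = check_response(raw)
    out = []
    if not found["hsts"]:
        out.append("missing Strict-Transport-Security header (CVE-2013-3046)")
    for name in SESSION_COOKIES:
        flags = found["cookies"].get(name)
        if flags is None:
            continue                        # cookie not issued on this response
        if not flags["secure"]:
            out.append(f"{name} cookie lacks Secure (CVE-2013-3984)")
        if not flags["httponly"]:
            out.append(f"{name} cookie lacks HttpOnly (CVE-2013-3984)")
    return out

# Constructed sample responses: before and after applying the bulletin's settings.
BEFORE = ("HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=0000abc:1; Path=/\r\n"
          "Set-Cookie: LtpaToken2=AAAA; Path=/; Domain=.example.com\r\n\r\n")
AFTER = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
         "Set-Cookie: JSESSIONID=0000abc:1; Path=/; Secure; HttpOnly\r\n"
         "Set-Cookie: LtpaToken2=AAAA; Path=/; Secure; HttpOnly\r\n\r\n")
```

Run `issues(BEFORE)` and `issues(AFTER)` against the constructed samples, or feed in the head of a real response captured from the meeting server after the restart.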


Issue with HTTPS and self-signed plugins:

When setting the environment to HTTPS only, there may be an issue with self-signed plugins not being installed.

To resolve this, either use plugins signed by a real certificate, or use the following method to have the plugins downloaded over HTTP only:

"Providing an alternate download site for the Sametime web audio-visual plugin"

Workarounds and Mitigations

None

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerabilities of CVEs 2013-3046, 2013-3975, 2013-3977, 2013-3980, 2013-3981, 2013-3982 and 2013-3984 were reported to IBM by Chris John Riley of R-IT Cert

Change History

22 May 2014 - Original version published.
03 June 2014 - Removed the sentence regarding 8.0.0.
7 July 2014 - Fixes updated.
18 July 2014 - Fixed configuration steps for Admin Console

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM Sametime Meeting Server

Software version: 8.5.2, 8.5.2.1, 9.0, 9.0.0.1

Operating system(s): AIX, IBM i, Linux, Windows

Reference #: 1671201

Modified date: 18 July 2014