-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0545
   Security Bulletin: Multiple Vulnerabilities in the IBM Java SDK affect
      IBM Notes and Domino (Oracle January 2015 Critical Patch Update)
                               10 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Notes and Domino
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges             -- Remote/Unauthenticated
                   Access Privileged Data           -- Remote/Unauthenticated
                   Modify Arbitrary Files           -- Remote/Unauthenticated
                   Denial of Service                -- Remote/Unauthenticated
                   Access Confidential Data         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0412 CVE-2015-0410 CVE-2015-0408 CVE-2015-0407
                   CVE-2015-0406 CVE-2015-0403 CVE-2015-0400 CVE-2014-8892
                   CVE-2014-8891 CVE-2014-6593 CVE-2014-6591 CVE-2014-6587
                   CVE-2014-6585 CVE-2014-6549
Reference:         ASB-2015.0009
                   ESB-2015.0472
                   ESB-2015.0462
                   ESB-2015.0441
                   ESB-2015.0413
                   ESB-2015.0392
                   ESB-2015.0390

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21698222

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple Vulnerabilities in the IBM Java SDK affect IBM
Notes and Domino (Oracle January 2015 Critical Patch Update)

Document information

More support for: IBM Domino
Security

Software version: 8.5, 9.0

Operating system(s): AIX, Linux, Linux zSeries, Windows, Windows 64bit

Reference #: 1698222

Modified date: 2015-03-06

Security Bulletin

Summary

Fixes are available for IBM Notes and Domino 9.0.1 Fix Pack 3, as well as
8.5.3 Fix Packs 5 and 6, for the Java issues disclosed in the Oracle January
2015 Critical Patch Update. See below for links to installers for the
standalone Java patches.
Vulnerability Details

CVE IDs: CVE-2014-6549 CVE-2015-0408 CVE-2015-0412 CVE-2015-0403 CVE-2015-0406
CVE-2015-0410 CVE-2015-0407 CVE-2015-0400 CVE-2014-6587 CVE-2014-6593
CVE-2014-6591 CVE-2014-6585 CVE-2014-8891 and CVE-2014-8892

DESCRIPTION: This bulletin covers the Java SE CVEs published by Oracle as part
of their January 2015 Critical Patch Update that are applicable to IBM Notes
and Domino. For more information, refer to Oracle's January 2015 CPU Advisory
and the X-Force database entries referenced below. This bulletin also describes
two additional vulnerabilities: CVE-2014-8891 and CVE-2014-8892.

CVEID: CVE-2014-6549
DESCRIPTION: An unspecified vulnerability related to the Libraries component
has complete confidentiality impact, complete integrity impact, and complete
availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100141 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0408
DESCRIPTION: An unspecified vulnerability related to the RMI component has
complete confidentiality impact, complete integrity impact, and complete
availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100142 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0412
DESCRIPTION: An unspecified vulnerability related to the JAX-WS component has
complete confidentiality impact, complete integrity impact, and complete
availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100140 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0403
DESCRIPTION: An unspecified vulnerability related to the Deployment component
has complete confidentiality impact, complete integrity impact, and complete
availability impact.
CVSS Base Score: 6.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100145 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0406
DESCRIPTION: An unspecified vulnerability related to the Deployment component
has partial confidentiality impact, no integrity impact, and partial
availability impact.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100147 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVEID: CVE-2015-0410
DESCRIPTION: An unspecified vulnerability related to the Security component
could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100151 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0407
DESCRIPTION: An unspecified vulnerability related to the Swing component could
allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100150 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-0400
DESCRIPTION: An unspecified vulnerability related to the Libraries component
could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100149 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6587
DESCRIPTION: An unspecified vulnerability related to the Libraries component
has partial confidentiality impact, partial integrity impact, and partial
availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100152 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:S/C:P/I:P/A:P)

CVEID: CVE-2014-6593
DESCRIPTION: An unspecified vulnerability related to the JSSE component has
partial confidentiality impact, partial integrity impact, and no availability
impact.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100153 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-6591
DESCRIPTION: An unspecified vulnerability related to the 2D component could
allow a remote attacker to obtain sensitive information.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100155 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6585
DESCRIPTION: An unspecified vulnerability related to the 2D component could
allow a remote attacker to obtain sensitive information.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100154 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-8891
DESCRIPTION: A vulnerability in the IBM implementation of the Java Virtual
Machine may, under very limited circumstances, allow untrusted code running
under a security manager to escalate its privileges.
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99010 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-8892
DESCRIPTION: A vulnerability in the IBM implementation of the Java Virtual
Machine may, under very limited circumstances, allow untrusted code running
under a security manager to bypass permission checks and view sensitive
information.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99011 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Notes and Domino 9.0.1 Fix Pack 3 (plus Interim Fixes) and earlier
IBM Notes and Domino 8.5.3 Fix Pack 6 (plus Interim Fixes) and earlier
IBM Notes and Domino 8.5.3 Fix Pack 5 (plus Interim Fixes) and earlier
All 9.0 and 8.5.x releases of IBM Notes and Domino prior to those listed above.

Remediation/Fixes

IBM Notes and Domino - Multiple vulnerabilities in IBM Java (Oracle January
2015 Critical Patch Update) are also tracked as SPR KLYH9TFRGK. See below for
download links for a single standalone Java patch that addresses these
vulnerabilities.

These installers also include a fix for a functional regression in Java
1.6SR16 FP2 (Oracle October 2014 Critical Patch Update) where LS2J cannot
instantiate a Java object from LotusScript. This issue is tracked as SPR
RGAU9T8P4Y.

Note: We do not ship a JVM installer for Mac because we do not bundle the JVM
for Mac platforms. We use the JVM on the Mac OS. Therefore, any JVM updates for
Mac would need to be obtained directly from Apple.

- - 9.0.1 Fix Pack 3

The fix is available for multiple platforms as a single standalone Java patch
that covers Notes and Domino version 9.0.1 Fix Pack 3 (plus Interim Fixes).

Platform   Fix Central ID & Download Link
AIX        JVMPatch_SR16FP3_AIX_901.3_Server
AIX64      JVMPatch_SR16FP3_AIX64_901.3_Server
Linux      JVMPatch_SR16FP3_Linux_901.3_ClientServer
Linux64    JVMPatch_SR16FP3_Linux64_901.3_Server
Win32      JVMPatch_SR16FP3_W32_901.3_ClientServer
Win64      JVMPatch_SR16FP3_W64_901.3_Server
zLinux64   JVMPatch_SR16FP3_zLinux64_901.3_Server
Solaris    n/a

- - 8.5.3 Fix Packs 5 and 6

The fix is also available for multiple platforms as a single standalone Java
patch that covers Notes and Domino version 8.5.3 Fix Packs 5 and 6 (plus
Interim Fixes).
Platform   Fix Central ID & Download Link
AIX        JVMPatch_SR16FP3_AIX_853.5_853.6_Server
AIX64      JVMPatch_SR16FP3_AIX64_853.5_853.6_Server
Linux      JVMPatch_SR16FP3_Linux_853.5_853.6_ClientServer
Linux64    n/a
Win32      JVMPatch_SR16FP3_W32_853.5_853.6_ClientServer
Win64      JVMPatch_SR16FP3_W64_853.5_853.6_Server
zLinux64   JVMPatch_SR16FP3_zLinux64_853.5_853.6_Server
Solaris    JVMPatch_SR16FP3_Sol_853.5_853.6_Server

Workarounds and Mitigations

Administrators can help to protect their Domino servers against unauthorized
access by strictly limiting the use of Java functions on the server through
careful population of the Programmability Restrictions section on the Security
tab of the Server document. In particular, IBM recommends prohibiting server
access of unsigned Java. Likewise, administrators can use Policies to configure
Notes client Execution Control Lists to limit such attacks against the Notes
client.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information

Segment                 Product     Component   Platform   Version   Edition
Messaging Applications  IBM Notes

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================