-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0545
Security Bulletin: Multiple Vulnerabilities in the IBM Java SDK affect IBM
       Notes and Domino (Oracle January 2015 Critical Patch Update)
                               10 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Notes and Domino
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0412 CVE-2015-0410 CVE-2015-0408
                   CVE-2015-0407 CVE-2015-0406 CVE-2015-0403
                   CVE-2015-0400 CVE-2014-8892 CVE-2014-8891
                   CVE-2014-6593 CVE-2014-6591 CVE-2014-6587
                   CVE-2014-6585 CVE-2014-6549 

Reference:         ASB-2015.0009
                   ESB-2015.0472
                   ESB-2015.0462
                   ESB-2015.0441
                   ESB-2015.0413
                   ESB-2015.0392
                   ESB-2015.0390

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21698222

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple Vulnerabilities in the IBM Java SDK affect IBM 
Notes and Domino (Oracle January 2015 Critical Patch Update)

Document information

More support for:

IBM Domino

Security

Software version:

8.5, 9.0

Operating system(s):

AIX, Linux, Linux zSeries, Windows, Windows 64bit

Reference #:

1698222

Modified date:

2015-03-06

Security Bulletin

Summary

Fixes are available for IBM Notes and Domino 9.0.1 Fix Pack 3 and for 8.5.3
Fix Packs 5 and 6 to address the Java issues disclosed in the Oracle January
2015 Critical Patch Update. See below for links to installers for the
standalone Java patches.

Vulnerability Details

CVE IDs: CVE-2014-6549 CVE-2015-0408 CVE-2015-0412 CVE-2015-0403 CVE-2015-0406
CVE-2015-0410 CVE-2015-0407 CVE-2015-0400 CVE-2014-6587 CVE-2014-6593 
CVE-2014-6591 CVE-2014-6585 CVE-2014-8891 and CVE-2014-8892

DESCRIPTION: This bulletin covers the Java SE CVEs published by Oracle as part
of their January 2015 Critical Patch Update that are applicable to IBM Notes 
and Domino. For more information, refer to Oracle's January 2015 CPU Advisory
and the X-Force database entries referenced below.

This bulletin also describes two additional vulnerabilities: CVE-2014-8891 and
CVE-2014-8892.

CVEID: CVE-2014-6549

DESCRIPTION: An unspecified vulnerability related to the Libraries component 
has complete confidentiality impact, complete integrity impact, and complete 
availability impact.

CVSS Base Score: 10

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100141 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0408

DESCRIPTION: An unspecified vulnerability related to the RMI component has 
complete confidentiality impact, complete integrity impact, and complete 
availability impact.

CVSS Base Score: 10

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100142 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0412

DESCRIPTION: An unspecified vulnerability related to the JAX-WS component has
complete confidentiality impact, complete integrity impact, and complete 
availability impact.

CVSS Base Score: 10

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100140 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0403

DESCRIPTION: An unspecified vulnerability related to the Deployment component
has complete confidentiality impact, complete integrity impact, and complete 
availability impact.

CVSS Base Score: 6.9

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100145 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0406

DESCRIPTION: An unspecified vulnerability related to the Deployment component
has partial confidentiality impact, no integrity impact, and partial 
availability impact.

CVSS Base Score: 5.8

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100147 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVEID: CVE-2015-0410

DESCRIPTION: An unspecified vulnerability related to the Security component 
could allow a remote attacker to cause a denial of service.

CVSS Base Score: 5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100151 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0407

DESCRIPTION: An unspecified vulnerability related to the Swing component could
allow a remote attacker to obtain sensitive information.

CVSS Base Score: 5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100150 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-0400

DESCRIPTION: An unspecified vulnerability related to the Libraries component 
could allow a remote attacker to obtain sensitive information.

CVSS Base Score: 5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100149 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6587

DESCRIPTION: An unspecified vulnerability related to the Libraries component 
has partial confidentiality impact, partial integrity impact, and partial 
availability impact.

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100152 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:L/AC:L/Au:S/C:P/I:P/A:P)

CVEID: CVE-2014-6593

DESCRIPTION: An unspecified vulnerability related to the JSSE component has 
partial confidentiality impact, partial integrity impact, and no availability
impact.

CVSS Base Score: 4

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100153 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-6591

DESCRIPTION: An unspecified vulnerability related to the 2D component could 
allow a remote attacker to obtain sensitive information.

CVSS Base Score: 2.6

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100155 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6585

DESCRIPTION: An unspecified vulnerability related to the 2D component could 
allow a remote attacker to obtain sensitive information.

CVSS Base Score: 2.6

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100154 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-8891

DESCRIPTION: A vulnerability in the IBM implementation of the Java Virtual 
Machine may, under very limited circumstances, allow untrusted code running 
under a security manager to escalate its privileges.

CVSS Base Score: 6.8

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99010 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-8892

DESCRIPTION: A vulnerability in the IBM implementation of the Java Virtual 
Machine may, under very limited circumstances, allow untrusted code running 
under a security manager to bypass permission checks and view sensitive 
information.

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99011 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

   IBM Notes and Domino 9.0.1 Fix Pack 3 (plus Interim Fixes) and earlier

   IBM Notes and Domino 8.5.3 Fix Pack 6 (plus Interim Fixes) and earlier

   IBM Notes and Domino 8.5.3 Fix Pack 5 (plus Interim Fixes) and earlier

All 9.0 and 8.5.x releases of IBM Notes and Domino prior to those listed 
above.

Remediation/Fixes

IBM Notes and Domino - Multiple vulnerabilities in IBM Java (Oracle January 
2015 Critical Patch Update) are also tracked as SPR KLYH9TFRGK. See below for
download links for a single standalone Java patch that addresses these 
vulnerabilities.

These installers also include a fix for a functional regression in Java 
1.6SR16 FP2 (Oracle October 2014 Critical Patch Update) where LS2J cannot 
instantiate a Java object from LotusScript. This issue is tracked as SPR 
RGAU9T8P4Y.

Note: IBM does not ship a JVM installer for Mac because Notes on Mac OS does
not bundle a JVM; it uses the JVM supplied with Mac OS. Any JVM updates for
Mac therefore need to be obtained directly from Apple.

- - 9.0.1 Fix Pack 3. The fix is available for multiple platforms as a single 
standalone Java patch that covers Notes and Domino version 9.0.1 Fix Pack 3 
(plus Interim Fixes).

Platform		Fix Central ID & Download Link

AIX			JVMPatch_SR16FP3_AIX_901.3_Server

AIX64			JVMPatch_SR16FP3_AIX64_901.3_Server

Linux			JVMPatch_SR16FP3_Linux_901.3_ClientServer

Linux64			JVMPatch_SR16FP3_Linux64_901.3_Server

Win32			JVMPatch_SR16FP3_W32_901.3_ClientServer

Win64			JVMPatch_SR16FP3_W64_901.3_Server

zLinux64		JVMPatch_SR16FP3_zLinux64_901.3_Server

Solaris			n/a

- - 8.5.3 Fix Packs 5 and 6. The fix is also available for multiple platforms as
a single standalone Java patch that covers Notes and Domino version 8.5.3 Fix
Packs 5 and 6 (plus Interim Fixes).

Platform		Fix Central ID & Download Link

AIX			JVMPatch_SR16FP3_AIX_853.5_853.6_Server

AIX64			JVMPatch_SR16FP3_AIX64_853.5_853.6_Server

Linux			JVMPatch_SR16FP3_Linux_853.5_853.6_ClientServer

Linux64			n/a

Win32			JVMPatch_SR16FP3_W32_853.5_853.6_ClientServer

Win64			JVMPatch_SR16FP3_W64_853.5_853.6_Server

zLinux64		JVMPatch_SR16FP3_zLinux64_853.5_853.6_Server

Solaris			JVMPatch_SR16FP3_Sol_853.5_853.6_Server
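The Fix Central IDs above all carry the target level, SR16 FP3, of the bundled IBM Java 6 runtime. After applying the patch, an administrator will want to confirm that the JVM the product actually uses (under the Notes/Domino install directory, not whatever java is on PATH) reports that level. The following is an added example, not IBM's code and not from the bulletin, that parses `java -version` output for the IBM J9 "srNNfpN" build token and compares it against SR16 FP3. Assumptions: the version output contains a `java version "1.6.0"` line and a build identifier with an `srNNfpN` token (the surrounding text is constructed), and the path passed to check_bundled_jvm is the product's own jvm/bin/java, whose exact location varies by platform.

```python
"""Verify that a Notes/Domino bundled IBM JVM is at the patched level (Java 6 SR16 FP3)."""
import re
import subprocess
from typing import NamedTuple, Optional

# The Fix Central IDs above (JVMPatch_SR16FP3_...) name the target level.
REQUIRED_LEVEL = (16, 3)          # (service refresh, fix pack)
REQUIRED_JAVA_PREFIX = "1.6"      # the patches update the bundled Java 6 runtime


class JvmLevel(NamedTuple):
    java_version: str             # e.g. "1.6.0"
    service_refresh: int          # SR number
    fix_pack: int                 # FP number, 0 when the build carries none


_VERSION_RE = re.compile(r'java version "([^"]+)"')
# IBM J9 builds embed the level in the build identifier, e.g. "...sr16fp3-...".
# The text around that token is an assumption; only the "srNNfpN" token is used.
_LEVEL_RE = re.compile(r"sr(\d+)(?:\s*fp(\d+))?", re.IGNORECASE)


def parse_java_version(output: str) -> Optional[JvmLevel]:
    """Extract (java version, SR, FP) from `java -version` output, or None if absent."""
    version = _VERSION_RE.search(output)
    level = _LEVEL_RE.search(output)
    if version is None or level is None:
        return None
    sr = int(level.group(1))
    fp = int(level.group(2)) if level.group(2) else 0
    return JvmLevel(version.group(1), sr, fp)


def is_patched(output: str) -> bool:
    """True only for a Java 6 runtime at or above SR16 FP3; unknown output is treated as unpatched."""
    level = parse_java_version(output)
    if level is None:
        return False
    if not level.java_version.startswith(REQUIRED_JAVA_PREFIX):
        return False          # not the Java 6 runtime this bulletin's patches target
    return (level.service_refresh, level.fix_pack) >= REQUIRED_LEVEL


def check_bundled_jvm(java_binary: str) -> bool:
    """Run the product's own java binary and check its level.

    java_binary is the path under the Notes/Domino install (assumed to be
    <install>/jvm/bin/java; it varies by platform). `java -version` writes
    to stderr, so both streams are captured.
    """
    proc = subprocess.run([java_binary, "-version"], capture_output=True, text=True, check=False)
    return is_patched(proc.stderr + proc.stdout)


# Constructed sample outputs (not captured from a real system) in the IBM J9 style.
SAMPLE_UNPATCHED = (
    'java version "1.6.0"\n'
    "Java(TM) SE Runtime Environment (build pxa6460sr16fp2-YYYYMMDD_NN(SR16 FP2))\n"
    "IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64 jvmxa6460sr16fp2-YYYYMMDD_NN (JIT enabled, AOT enabled)\n"
)
SAMPLE_PATCHED = SAMPLE_UNPATCHED.replace("sr16fp2", "sr16fp3").replace("SR16 FP2", "SR16 FP3")
SAMPLE_OTHER_JAVA = SAMPLE_PATCHED.replace("1.6.0", "1.7.0")

if __name__ == "__main__":
    for name, sample in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED), ("java7", SAMPLE_OTHER_JAVA)):
        print(f"{name}: {parse_java_version(sample)} -> patched={is_patched(sample)}")
```

Run check_bundled_jvm against each Notes client and Domino server install after patching; a False result on a host that took the patch usually means a second, older JVM directory is still in use (for example a Notes client and a Domino server installed side by side) and each needs its own patch from the tables above.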

Workarounds and Mitigations

Administrators can help to protect their Domino servers against unauthorized 
access by strictly limiting the use of Java functions on the server through 
careful population of the Programmability Restrictions section on the Security
tab of the Server document. In particular, IBM recommends prohibiting server 
access of unsigned Java.

Likewise, administrators can use Policies to configure Notes client Execution
Control Lists to limit such attacks against the Notes client.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support 
alerts like this.

References

Complete CVSS Guide

On-line Calculator V2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information

Segment                 Product

Messaging Applications  IBM Notes

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----