-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0386
 Multiple Vulnerabilities in IBM Java SDK affect IBM Notes Standard Client
                             16 February 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Notes
Publisher:         IBM
Operating System:  Linux variants
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-0494 CVE-2016-0483 CVE-2016-0475
                   CVE-2016-0466 CVE-2016-0448 CVE-2016-0402
                   CVE-2015-8540 CVE-2015-8472 CVE-2015-8126
                   CVE-2015-7981 CVE-2015-7575 CVE-2015-5041

Reference:         ASB-2016.0004

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21976200

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Notes 
Standard Client

Document information

More support for:

IBM Notes

Security

Software version:

8.5, 8.5.1, 8.5.1.5, 8.5.2, 8.5.2.4, 8.5.3, 8.5.3.6, 9.0.1, 9.0.1.5

Operating system(s):

Linux, Windows

Reference #:

1976200

Modified date:

2016-02-11

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version
6 SR16FP15 that is used by IBM Notes Standard Client. These issues were 
disclosed as part of the IBM Java SDK updates in January 2016 and includes the
vulnerability commonly referred to as SLOTH.

Vulnerability Details

CVEID:

CVE-2016-0494

DESCRIPTION:

An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to
the 2D component has complete confidentiality impact, complete integrity 
impact, and complete availability impact.

CVSS Base Score: 10

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/109944

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID:

CVE-2016-0483

DESCRIPTION:

An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit 
related to the AWT component has complete confidentiality impact, complete 
integrity impact, and complete availability impact.

CVSS Base Score: 10

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/109945

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID:

CVE-2015-8472

DESCRIPTION:

libpng is vulnerable to a buffer overflow, caused by improper bounds checking
by the png_get_PLTE() and png_set_PLTE() functions. By persuading a victim to
open a specially crafted PNG image, a remote attacker could overflow a buffer
and execute arbitrary code on the system or cause the application to crash.

CVSS Base Score: 6.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/109392

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:

CVE-2016-0475

DESCRIPTION:

An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit 
related to the Libraries component has partial confidentiality impact, partial
integrity impact, and no availability impact.

CVSS Base Score: 5.8

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/109946

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID:

CVE-2016-0466

DESCRIPTION:

An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit 
related to the JAXP component could allow a remote attacker to cause a denial
of service resulting in a partial availability impact using unknown attack 
vectors.

CVSS Base Score: 5

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/109948

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:

CVE-2016-0402

DESCRIPTION:

An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to
the Networking component has no confidentiality impact, partial integrity 
impact, and no availability impact.

CVSS Base Score: 5

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/109947

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:

CVE-2015-7575

DESCRIPTION:

The TLS protocol could allow weaker than expected security caused by a 
collision attack when using the MD5 hash function for signing a 
ServerKeyExchange message during a TLS handshake. An attacker could exploit 
this vulnerability using man-in-the-middle techniques to impersonate a TLS 
server and obtain credentials.This vulnerability is commonly referred to as 
SLOTH".

CVSS Base Score: 7.1

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/109415

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

CVEID:

CVE-2016-0448

DESCRIPTION:

An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to
the JMX component could allow a remote attacker to obtain sensitive 
information resulting in a partial confidentiality impact using unknown attack
vectors.

CVSS Base Score: 4

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/109949

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID:

CVE-2015-5041

DESCRIPTION:

A flaw in the IBM J9 JVM allows code to invoke non-public interface methods 
under these circumstances. Untrusted code could potentially exploit this. This
could lead to sensitive data being exposed to an attacker, or the attacker 
being able to inject bad data.

CVSS Base Score: 4.8

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/106719

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:

CVE-2015-7981

DESCRIPTION:

libpng could allow a remote attacker to obtain sensitive information, caused 
by an out-of-bounds read in the png_convert_to_rfc1123 function. An attacker 
could exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 5.3

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/107740

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:

CVE-2015-8540

DESCRIPTION:

libpng is vulnerable to a buffer overflow, caused by a read underflow in 
png_check_keyword in pngwutil.c. By sending an overly long argument, a remote
attacker could overflow a buffer and execute arbitrary code on the system or 
cause the application to crash.

CVSS Base Score: 9.8

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/109219

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:

CVE-2015-8126

DESCRIPTION:

libpng is vulnerable to a buffer overflow, caused by improper bounds checking
by the png_set_PLTE() and png_get_PLTE() functions. By persuading a victim to
open a specially-crafted PNG file, a remote attacker could overflow a buffer 
and execute arbitrary code on the system.

CVSS Base Score: 7.8

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/108010

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Notes Standard Client 9.0.1 through Notes Standard Client 9.0.1 FP5IF1

IBM Notes Standard Client 8.5.3 through Notes Standard Client 8.5.3 FP6IF8

All 9.0 and 8.5.x releases of IBM Notes Standard Client prior to those listed
above

Remediation/Fixes

IBM Notes Standard Client - Multiple vulnerabilities in IBM Java 6 SR16FP15 
affect IBM Notes Standard Client are also tracked as SPR KLYHA5YRMV. Refer to
the JVM tab in the technotes linked below for download links to a single 
standalone Java patch that addresses these vulnerabilities.

Interim Fixes & JVM Patches for 9.0.1 Fix Pack 5 versions of IBM Notes, Domino
  & iNotes

Interim Fixes & JVM Patches for 8.5.3 Fix Pack 6 versions of IBM Notes, Domino
  & iNotes

Customers who remain on the following releases may open a Service Request with
  IBM Support and reference SPRs KLYHA5YRMV for a custom hotfix:

IBM Notes Standard Client 9.0.1 though Notes Standard Client 9.0.1 FP5 IF1

IBM Notes Standard Client 9.0.0x

IBM Notes Standard Client 8.5.3 through Notes Standard Client 8.5.3 FP6IF8

IBM Notes Standard Client 8.5.2x

IBM Notes Standard Client 8.5.1x

Workarounds and Mitigations

For CVE-2015-7575:

Java 6 requires code changes in the JSSE component in addition to the 
java.security file modifications, so upgrading the JDK is the only solution.

Administrators can help to protect their Domino servers against unauthorized 
access by strictly limiting the use of Java functions on the server through 
careful population of the

Programmability Restrictions

section on the Security tab of the Server document. In particular, IBM 
recommends prohibiting server access by untrusted code, Java or otherwise.

Likewise, administrators can use Policies to configure Notes Standard Client

Execution Control Lists

to limit such attacks against the Notes Standard client.

Get Notified about Future Security Bulletins

Subscribe to

My Notifications

to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide

On-line Calculator v2

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Domino

(technote 1976262)

Acknowledgement

CVE-2015-7575 was reported to IBM by Karthikeyan Bhargavan at INRIA in Paris,
France

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVsKr8n6ZAP0PgtI9AQIp3Q//bH5b01p/c1kjyloTAumDapQ4AmwnqVtN
kHHauj0SpPhDlOzHAljz2y7BskbvHgkBVGwLA9I3ga1Jr9a+/GNoIKbBoIbjMcNz
wKcJJgB4Jc5EyvR9LrVuxWGeZF7MpZdCazc2Q1LqTR1l7EcNo5BRsxGt354OZtaR
+kmkQ88xovfOVnQ0oDa0/fDZAFs9rkiWRv1VvBvhbRMhMwGKOE3RtUmq0AB/O6RP
4m3IX0EY0PJfJ50Fqq+zcVnH8iSrS67mubF0NzjAxClcyCs2htkSpyhyPxw+EFSo
2wuGuofCc9YJGIxIubsBZqWp3L0t6dNJAOTlp6MFN5kg3EKP7cwdyRLmlNm2O8R6
Ez4pXmjKARxHQlmICtDrFvEpj+pjMK/V+5aZlGhhGav1rj5/5/9G+W+rO98Eyz6+
9d8VG4/DKMYOcPOs1ibZ/bcMDBr5UeU6b7q971SX5tIyODpt3fBrQN7bwxqWV6Uw
dTE6mQ96n7wNKB7rV4GeySFjP7RAsFGaeGWBeVHojRPx+IoXkAOrhjIINLgOHyX5
wB5ugpkvcVxsS/0LgnrcstJIAKCEJJigEwKfT3C2q2MHE/72gev5Q1SIMMd3uHsf
yJ1F5rJNnegcBBOpPOqtNK1KkMberxDlpkioWGLZLWF2p7rk0tdOostxHW4yDdKx
wTOUjVKVz7A=
=gpLb
-----END PGP SIGNATURE-----