Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.2049
Security Bulletin: Multiple Vulnerabilities in the IBM SDK
Java Technology Edition affect IBM Domino
29 August 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Domino
Publisher: IBM
Operating System: AIX
Debian GNU/Linux 8
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Modify Arbitrary Files -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-3598 CVE-2016-3485
Reference: ASB-2016.0074
ESB-2016.1911
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=swg21988978
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology
Edition affect IBM Domino
Security Bulletin
Document information
More support for: IBM Domino
Security
Software version: 8.5, 8.5.1, 8.5.1.5, 8.5.2, 8.5.2.4, 8.5.3, 8.5.3.6, 9.0,
9.0.1, 9.0.1.6
Operating system(s): AIX, Linux, Windows
Reference #: 1988978
Modified date: 2016-08-26
Summary
There are multiple vulnerabilities in IBM SDK Java Technology Edition Version
6 SR16FP25 that affect IBM Domino. These issues were disclosed as part of the
IBM Java SDK updates in July 2016, fixed with Version 6 SR16FP30.
Vulnerability Details
CVEID: CVE-2016-3598
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Libraries component has high confidentiality impact,
high integrity impact, and high availability impact.
CVSS Base Score: 9.6
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/115269 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2016-3485
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Networking component has no confidentiality impact,
low integrity impact, and no availability impact.
CVSS Base Score: 2.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/115273 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
IBM Domino 9.0.1 through 9.0.1 FP6 IF3
IBM Domino 8.5.3 through 8.5.3 FP6 IF14
All 9.0, 8.5.x and 8.5 releases of IBM Domino prior to those listed above
Remediation/Fixes
IBM Domino - Multiple vulnerabilities in IBM Java 6 SR16FP25 affect IBM Domino
are also tracked as SPR KLYHAC4JS8. Refer to the JVM tab in the technotes
linked below for download links to a single standalone Java patch that
addresses these vulnerabilities.
Interim Fixes & JVM Patches for 9.0.1 Fix Pack 6 versions of IBM Notes, Domino
& iNotes
Interim Fixes & JVM Patches for 8.5.3 Fix Pack 6 versions of IBM Notes, Domino
& iNotes
Customers who remain on the following releases may open a Service Request with
IBM Support and reference SPR KLYHAC4JS8 for a custom hotfix:
IBM Domino 9.0.1 through Domino 9.0.1 FP6 IF3
IBM Domino 9.0.0x
IBM Domino 8.5.3 through Domino 8.5.3 FP6 IF14
IBM Domino 8.5.2x
IBM Domino 8.5.1x
IBM Domino 8.5
Workarounds and Mitigations
For all affected releases, Domino administrators can help to protect their
Domino servers against unauthorized access by strictly limiting the use of
Java functions on the server through careful population of the Programmability
Restrictions section on the Security tab of the Server document. In
particular, IBM recommends prohibiting server access by untrusted code, Java
or otherwise.
Likewise, Notes administrators can use Policies to configure Notes client
Execution Control Lists to limit such attacks against the Notes client.
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
technote 1989049 - Security Bulletin: Multiple Vulnerabilities in the IBM SDK
Java Technology Edition affect IBM Notes
Change History
26 August 2016 - Initial publication
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV8OJ04x+lLeg9Ub1AQiHExAAhz+Lm2zrrp6nyR/Gwv2BWL3v7rcv8fPl
TKWcDXmiGgHA3bD7v5q3YS6kRZdrgUgXXzlxTZjcafVIzvVLvhOMk+hJEay5D7Xd
Nxox5X9fAlZc1sJTuL+nrR47mdRLp5FutCfiLns0kC0hUP992ijH2Y/+Em6rmRj1
MiTyMYxZhoQq+NcNUfmxTtKf32nsUvr2uz+OcHEpYveII9Hi9VrjRPo7UEJMWNjX
Gj9QXeUHXL6GwVTnvdXzHqu+iFyyi5DYaXLG7RuVu8Cj3qGGL5voq66GnF6bDIsn
Y22rmBk/LRn/E73nvJl8fyH5Dmqtd2cO8l+kdXHMk1aRFpo/V1Uh+tSmqM8llyeJ
3dWFt2cilqLkdS85J8rz938v4W7+PLcBjOcKczpG8abB3l2RW/QN0xYdO2R4mBax
scjujUMiBmYDd5O+ofeB2MkCgwEYEElu1Bi+BSYTkG8JQePVTXuK0SkuUv9ECx5d
QW1/g84xbGZ+Lj1EQ2RUwZ2DcrsQKRvGzmftOtmRl7jyNnjjf8bjbM/aCPkSeBCn
7YBseGGvDMQV/OmV0cQAGplWhs+Zt5VEWUCjghzXsoweDiwr8mA2F7T7bMKchSat
xMJ2BnHWrBHKpmus1UF34H3J2uRSYUh3CawDmtFWf4DSrGne8nO5ZVfX7M25L+cY
4xQlYlC2VNg=
=br0X
-----END PGP SIGNATURE-----