===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2588
Security Bulletin: Multiple Vulnerabilities affect IBM Domino & IBM iNotes
                              3 November 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Domino
                   IBM iNotes
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Denial of Service    -- Remote/Unauthenticated
                   Cross-site Scripting -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6113 CVE-2016-5884 CVE-2016-5882
                   CVE-2016-5880 CVE-2016-3092 CVE-2016-2939
                   CVE-2016-2938 CVE-2016-0282 

Reference:         ESB-2016.2549
                   ESB-2016.2548
                   ESB-2016.2544
                   ESB-2016.2516
                   ESB-2016.2488

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21992835

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple Vulnerabilities affect IBM Domino & IBM iNotes

Software version: 8.5, 9.0

Operating system(s): AIX, Linux, Windows

Reference #: 1992835

Modified date: 02 November 2016

Security Bulletin

Summary
There are multiple vulnerabilities in IBM Domino and IBM iNotes (shipped as
part of Domino).

Vulnerability Details

CVEID: CVE-2016-3092
DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an
error in the Apache Commons FileUpload component. By sending file upload 
requests, an attacker could exploit this vulnerability to cause the server to
become unresponsive.
CVSS Base Score: 5.3
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/114336 for the current 
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-0282
DESCRIPTION: IBM iNotes is vulnerable to cross-site scripting, caused by 
improper validation of user-supplied input. A remote attacker could exploit 
this vulnerability using a specially-crafted URL to execute script in a 
victim's Web browser within the security context of the hosting Web site, once
the URL is clicked. An attacker could use this vulnerability to steal the 
victim's cookie-based authentication credentials.
CVSS Base Score: 5.4
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/111228 for the current 
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-5880
DESCRIPTION: IBM iNotes is vulnerable to cross-site scripting. This 
vulnerability allows users to embed arbitrary JavaScript code in the Web UI 
thus altering the intended functionality potentially leading to credentials 
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/115075 for the current 
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-2939
DESCRIPTION: IBM iNotes is vulnerable to cross-site scripting. This 
vulnerability allows users to embed arbitrary JavaScript code in the Web UI 
thus altering the intended functionality potentially leading to credentials 
disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/113541 for the current 
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-5882
DESCRIPTION: IBM iNotes is vulnerable to cross-site scripting. This 
vulnerability allows users to embed arbitrary JavaScript code in the Web UI 
thus altering the intended functionality potentially leading to credentials 
disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/115077 for the current 
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-6113
DESCRIPTION: IBM iNotes is vulnerable to cross-site scripting. This 
vulnerability allows users to embed arbitrary JavaScript code in the Web UI 
thus altering the intended functionality potentially leading to credentials 
disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/118283 for the current 
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-5884
DESCRIPTION: IBM iNotes is vulnerable to cross-site scripting. This 
vulnerability allows users to embed arbitrary JavaScript code in the Web UI 
thus altering the intended functionality potentially leading to credentials 
disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/115079 for the current 
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-2938
DESCRIPTION: IBM iNotes is vulnerable to cross-site scripting. This 
vulnerability allows users to embed arbitrary JavaScript code in the Web UI 
thus altering the intended functionality potentially leading to credentials 
disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/113540 for the current 
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)


Affected Products and Versions
IBM Domino 9.0.1 through 9.0.1 Fix Pack 7
IBM Domino 9.0.0x
IBM Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 14
IBM Domino 8.5.2x
IBM Domino 8.5.1x

Remediation/Fixes
CVE-2016-3092 is tracked as SPRs KLYHABSKNX and KLYHABSKDS.
CVE-2016-0282, for release 8.5.x only, is tracked as SPR KLYHAAHNUS.
CVE-2016-5880 is tracked as SPR YGYGA9DDX2.
CVE-2016-2939 is tracked as SPR BCOEA8PQSP.
CVE-2016-5882 is tracked as SPR YGYGA9DDTA.
CVE-2016-6113 is tracked as SPR MLATAAR5A6.
CVE-2016-5884 is tracked as SPR YGYGA9DDH6.
CVE-2016-2938 is tracked as SPR BCOEA8PR8G.
CVE-2016-2939 is tracked as SPR BCOEA8PQS9.

Fixes for the issues described above are introduced in the following releases
    Domino 9.0.1 Fix Pack 7 Interim Fix 1
    Domino 8.5.3 Fix Pack 6 Interim Fix 15

For download links, refer to the following technotes:
    Notes & Domino 9.0.1 FP7 Interim Fixes 
      http://www.ibm.com/support/docview.wss?uid=swg21657963
    Notes & Domino 8.5.3 FP6 Interim Fixes 
      http://www.ibm.com/support/docview.wss?uid=swg21663874

Customers who remain on the following releases may open a Service Request with
IBM Support and reference the relevant SPRs above for a custom hotfix:
    IBM Domino 9.0.1 through 9.0.1 Fix Pack 6
    IBM Domino 9.0.0x
    IBM Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 14
    IBM Domino 8.5.2x
    IBM Domino 8.5.1x
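The affected and fixed release lists above reduce to an ordered comparison of branch, fix pack and interim fix that an inventory script can apply across a Domino estate. The following Python is an added example, not IBM's or AusCERT's code. It takes a normalised version string of the form "9.0.1 FP7 IF1" (how that string is derived from a given server's own release banner is assumed to be handled beforehand) and assumes that a later fix pack or interim fix on a fixed branch cumulatively carries the fix, which should be confirmed against IBM's fix list before treating such a server as patched. The sample inventory is constructed for illustration.

```python
import re

# Releases the bulletin names as carrying the fix: branch -> (fix pack, interim fix).
FIXED_IN = {
    (9, 0, 1): (7, 1),    # Domino 9.0.1 FP7 IF1
    (8, 5, 3): (6, 15),   # Domino 8.5.3 FP6 IF15
}
# Branches the bulletin lists as affected with no shipping fix; these need a
# Service Request to IBM Support referencing the relevant SPRs for a hotfix.
HOTFIX_ONLY = {(9, 0, 0), (8, 5, 2), (8, 5, 1)}

FIXED, AFFECTED, HOTFIX, UNLISTED = "fixed", "affected", "hotfix-only", "not-listed"

# Assumed normalised form "9.0.1 FP7 IF1"; FP and IF are optional and default to 0.
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:\s*FP(\d+))?(?:\s*IF(\d+))?$", re.IGNORECASE
)


def parse_version(text):
    """Return ((major, minor, patch), fix_pack, interim_fix) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, fp, ifx = m.groups()
    return (int(major), int(minor), int(patch)), int(fp or 0), int(ifx or 0)


def triage(text):
    """Classify one server against the bulletin's affected/fixed lists."""
    branch, fp, ifx = parse_version(text)
    if branch in FIXED_IN:
        # Assumption: a later fix pack or interim fix on this branch includes the fix.
        return FIXED if (fp, ifx) >= FIXED_IN[branch] else AFFECTED
    if branch in HOTFIX_ONLY:
        return HOTFIX
    return UNLISTED


def triage_inventory(hosts):
    """Map host -> status for a {host: version string} dict."""
    return {host: triage(version) for host, version in hosts.items()}


SAMPLE_INVENTORY = {  # constructed sample, not real hosts
    "mail01": "9.0.1 FP7 IF1",
    "mail02": "9.0.1 FP7",
    "mail03": "8.5.3 FP6 IF14",
    "mail04": "9.0.0",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Servers classified as "affected" go to the interim fixes linked above; "hotfix-only" servers have no downloadable fix and need a Service Request; "not-listed" means the branch is outside the bulletin's scope and must be checked against IBM's current advisories rather than assumed safe.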

IBM recommends that you review your entire environment to identify vulnerable
releases of the open-source Apache Commons FileUpload component
(CVE-2016-3092) and take appropriate mitigation and remediation actions.

Workarounds and Mitigations
None

References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History
Initial Publication 02-Nov-2016

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================