Security Alert (A15-08-05): Multiple Vulnerabilities in IBM Notes and Domino

Description:

Multiple vulnerabilities are found in IBM Notes and Domino. The bundled Java virtual machine (JVM) is susceptible to different attacks as listed in the Oracle Critical Patch Update Advisories (July 2015) which could be remotely exploited without authentication. A remote attacker could exploit the vulnerabilities by enticing a user to open a specially-crafted file or visit a malicious website.

Affected Systems:

• IBM Notes and Domino 9.0.1 Fix Pack 4 (plus Interim Fixes) and earlier
• IBM Notes and Domino 8.5.3 Fix Pack 6 (plus Interim Fixes) and earlier
• All 9.0 and 8.5.x releases of IBM Notes and Domino prior to those listed above

Impact:

Successful exploitation could lead to retrieval of sensitive information and system crash.

Recommendation:

The vendor has released fixes to address the issue and they can be downloaded at the following URL:

• Java patch installer (SR16FP7) for Notes & Domino 9.0.1 Fix Pack 4 (plus Interim Fix)
  http://www-01.ibm.com/support/docview.wss?uid=swg21657963#5_tab
  
  
• Java patch installer (SR16FP7) for Notes & Domino 8.5.3 Fix Pack 6 (plus Interim Fix)
  http://www-01.ibm.com/support/docview.wss?uid=swg21663874#JVM_tab
  
  

More Information:

http://www-01.ibm.com/support/docview.wss?uid=swg21963812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1931
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2632
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2637 (to CVE-2015-2638)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4731 (to CVE-2015-4733)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4760