Security Alert (A17-03-09): Multiple Vulnerabilities in IBM Notes

Description:

Multiple vulnerabilities are found in IBM Lotus Notes related to Expat XML Parser. These vulnerabilities are caused by hash data structure flaw, resource leak, memory leak, buffer overflow, optimization settings error and improper bounds checking. A remote attacker could exploit the vulnerabilities by sending specially-crafted HTTP requests or XML data, or enticing a user to open a specially crafted document.

Affected Systems:

• IBM Notes 9.0.1 to IBM Notes 9.0.1 Fix Pack 7
• IBM Notes 9.0 to IBM Notes 9.0 Interim Fix 4
• IBM Notes 8.5.3 to IBM Notes 8.5.3 Fix Pack 6 Interim Fix 13
• IBM Notes 8.5.2 to IBM Notes 8.5.2 Fix Pack 4 Interim Fix 3
• IBM Notes 8.5.1 to IBM Notes 8.5.1 Fix Pack 5 Interim Fix 3
• IBM Notes 8.5 release

Impact:

Depending on the vulnerability exploited, a successful attack could lead to denial of service, arbitrary code execution or application crash on an affected system.

Recommendation:

The vendor has released fixes to address the issues and they can be downloaded at the following URLs:

• Notes 9.0.1 Fix Pack 8
  http://www-01.ibm.com/support/docview.wss?uid=swg24037141
  
  
• Notes 8.5.3 Fix Pack 6 Interim Fix 14
  http://www.ibm.com/support/docview.wss?uid=swg21663874
  
  

More Information:

http://www-01.ibm.com/support/docview.wss?uid=swg21990421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472