Security Alert (A17-09-01): Multiple Vulnerabilities in IBM Notes

Description:

Multiple vulnerabilities are found in IBM Lotus Notes related to open source libraries and program flaws. These vulnerabilities are caused by NULL pointer dereference, out-of-bounds pointer arithmetic and etc. A remote attacker could exploit the vulnerabilities by enticing a user to open a malicious link or a specially crafted document.

Affected Systems:

• IBM Notes 9.0.1 to IBM Notes 9.0.1 Fix Pack 8 Interim Fix 1
• IBM Notes 9.0 to IBM Notes 9.0 Interim Fix 4
• IBM Notes 8.5.3 to IBM Notes 8.5.3 Fix Pack 6 Interim Fix 13
• IBM Notes 8.5.2 to IBM Notes 8.5.2 Fix Pack 4 Interim Fix 3
• IBM Notes 8.5.1 to IBM Notes 8.5.1 Fix Pack 5 Interim Fix 3
• IBM Notes 8.5 release

Impact:

Depending on the vulnerability exploited, a successful attack could lead to a denial-of-service or an application restart condition.

Recommendation:

The vendor has released fixes to address the issues and they can be downloaded at the following URLs:

• Notes 9.0.1 Fix Pack 9
  https://www.ibm.com/support/docview.wss?uid=swg24037141
  
  
• Notes 8.5.3 Fix Pack 6 Interim Fix 15
  http://www.ibm.com/support/docview.wss?uid=swg21663874
  
  
• Notes 901 64-bit Mac Interim Fix 11
  http://www.ibm.com/support/docview.wss?uid=swg21657963
  
  

More Information:

http://www-01.ibm.com/support/docview.wss?uid=swg21997877
http://www-01.ibm.com/support/docview.wss?uid=swg21999384
http://www-01.ibm.com/support/docview.wss?uid=swg21999385
http://www-01.ibm.com/support/docview.wss?uid=swg22002676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840 (to CVE-2016-9843)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1130