Security Alert (A16-12-05): Multiple Vulnerabilities in IBM Notes


 

Published on: 15 December 2016

  
  

Description:

Multiple vulnerabilities are found in IBM Lotus Notes related to Apache Struts and Taglibs. These vulnerabilities are caused by a XML External Entity Injection error, memory protection error and improper input validation. A remote attacker could exploit the vulnerabilities by enticing a user to open a specially crafted documents.


Affected Systems:

  • IBM Notes 9.0.1 Fix Pack 7 Interim Fix 1 and earlier release
  • IBM Notes 9.0 Interim Fix 4 and earlier release
  • IBM Notes 8.5.3 Fix Pack 6 Interim Fix 12 and earlier release
  • IBM Notes 8.5.2 Fix Pack 4 Interim Fix 3 and earlier release
  • IBM Notes 8.5.1 Fix Pack 5 Interim Fix 3 and earlier release
  • IBM Notes 8.5 release

 

Impact:

Depending on the vulnerability exploited, a successful attack could lead to arbitrary code execution or security restriction bypass on an affected system.


Recommendation:

The vendor has released fixes to address the issues and they can be downloaded at the following URLs:

  • Notes 9.0.1 Fix Pack 7 Interim Fix 2
    http://www-01.ibm.com/support/docview.wss?uid=swg21657963

  • Notes 8.5.3 Fix Pack 6 Interim Fix 13
    http://www-01.ibm.com/support/docview.wss?uid=swg21663874


More Information:

http://www-01.ibm.com/support/docview.wss?uid=swg21988182
http://www-01.ibm.com/support/docview.wss?uid=swg21989475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182



Tag: IBM , IBM Notes
Tags