Security Alert (A16-08-08): Multiple Vulnerabilities in IBM Notes and Domino

Description:

Multiple vulnerabilities are found in IBM Notes and Domino. The bundled Java virtual machine (JVM) is susceptible to different attacks as listed in the Oracle Critical Patch Update Advisories (July 2016) which could be remotely exploited without authentication. A remote attacker could exploit the vulnerabilities by enticing a user to open a specially-crafted file or visit a malicious website.

Affected Systems:

• IBM Notes Standard Client 9.0.1 through Notes Standard Client 9.0.1 Fix Pack 6 and Domino 9.0.1 through 9.0.1 Fix Pack 6 Interim Fix 3
• IBM Notes Standard Client 8.5.3 through Notes Standard Client 8.5.3 Fix Pack 6 Interim Fix 11 and Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 14
• All 9.0, 8.5.x and 8.5 releases of IBM Notes and Domino prior to those listed above 

Impact:

Depending on the vulnerability exploited, a successful attack could lead to arbitrary code execution, denial of services or information disclosure. 

Recommendation:

The vendor has released fixes to address the issues and they can be downloaded at the following URL:

• JVM Patches for Notes and Domino 9.0.1 Fix Pack 6
  http://www.ibm.com/support/docview.wss?uid=swg21657963
  
  
• JVM Patches for Notes and Domino 8.5.3 Fix Pack 6
  http://www-01.ibm.com/support/docview.wss?uid=swg21663874
  
  

More Information:

http://www-01.ibm.com/support/docview.wss?uid=swg21988978
http://www-01.ibm.com/support/docview.wss?uid=swg21989049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3508